Security

    Does Apple review the source code of React Native apps?

    A 2026 view of a React Native app binary being analyzed, showing the bundled JavaScript and Hermes bytecode being extracted and read from the compiled IPA rather than from source code

    There are two versions of this question hiding in one. Does Apple read your repository? No. Can Apple, or anyone, see the JavaScript that ships inside your React Native app? Yes. The confusion matters because developers sometimes hardcode a key in JS believing it is hidden inside a compiled app, when the React Native bundle is recoverable from the binary. Here is what Apple actually receives, what it inspects, and why your JS bundle should be treated as visible.

    Short answer

    Apple does not review your source code in the sense of reading your Git repository. You upload a compiled binary, and Apple reviews that binary against the App Review Guidelines using a mix of automated static analysis and human testing. For a React Native app, though, your JavaScript is bundled inside that binary, and the bundle can be extracted and read by anyone with the file, so anything in it, including hardcoded keys, is effectively visible. So Apple does not get your repo, but it does receive and analyze the binary, and the JS that ships in it is not private. Treat the bundle as readable.

    What you should know

    • Apple gets a binary, not your repo: you upload a compiled app, not source files.
    • Review combines automation and humans: static analysis plus a reviewer testing the app.
    • Your JS ships inside the app: the React Native bundle is part of the binary.
    • The bundle is recoverable: anyone with the app file can extract and read it.
    • Hardcoded secrets are exposed: a key in your JS is not hidden by compilation.

    Does Apple get your source code?

    No. When you submit, you archive the app in Xcode and upload an IPA, which is a compiled, packaged binary, not your project's source tree. Apple never receives your Git history, your component files, or your build configuration as source. What App Review works with is that binary: automated checks scan it for things like private API usage and policy violations, and a human reviewer installs and exercises the app to evaluate behavior against the guidelines. So in the literal sense people usually mean, Apple does not read your source code. It evaluates the shipped artifact and how the app behaves on a device.

    What is actually in the binary you upload?

    A React Native binary contains your JavaScript alongside the native code, and the JS layer is the part people misjudge. The table breaks down what ships and how exposed it is.

    ComponentWhat it isHow exposed
    JavaScript bundleYour RN app logic, bundled and minifiedExtractable and readable from the app
    Hermes bytecodeJS precompiled to bytecode by the Hermes engineRecoverable; can be decompiled back toward JS
    Native modulesCompiled Objective-C or Swift codeCompiled, but strings and symbols are inspectable
    Assets and config filesImages, JSON, plist entriesReadable directly from the bundle

    Whether your JS ships as minified source or Hermes bytecode, it is part of the app bundle and can be pulled out of the binary, so the bundle is not a private container. Minification and bytecode raise the effort to read it, but they do not make it secret.

    What does this mean for secrets in your JS?

    That a hardcoded secret in your JavaScript is exposed, regardless of Apple's review. Because the bundle ships in the app and can be extracted, an API key, token, or password embedded in your RN code is readable by anyone who unpacks the binary, not just by Apple. The fix is the same as for any client: do not put real secrets in the app at all. Keep secrets on your backend, have the app authenticate and call your server, and let the server hold the privileged keys. Where the app must hold a value, scope it tightly, and rely on server-side rules rather than the value being hidden. Compilation and bundling change how much work it takes to read the JS, not whether it can be read.

    What to watch out for

    The first trap is assuming that because Apple only sees a compiled binary, your JavaScript is hidden inside it; the bundle is recoverable, so it is not. The second is trusting minification or Hermes bytecode as a security measure, when they raise effort but do not protect a secret. The third is hardcoding keys in JS for convenience and planning to remove them later, which often does not happen before submission. A pre-submission scan such as PTKD.com (https://ptkd.com) reads the compiled IPA against OWASP MASVS and surfaces the strings, keys, and endpoints in the bundle, showing you exactly what is recoverable from your React Native app before you submit. Moving secrets to your backend is the design change you make in response.

    What to take away

    • Apple does not review your source code or repository; it reviews the compiled binary you upload.
    • Review combines automated static analysis of the binary with a human testing the app's behavior.
    • Your React Native JavaScript ships inside the binary and is recoverable, so the bundle is not private and minification or Hermes bytecode is not a secret-keeper.
    • Keep real secrets on your backend, and use a pre-submission scan such as PTKD.com to see what is actually recoverable from your bundle.
    • #react-native
    • #source-code
    • #app-review
    • #hermes
    • #hardcoded-secrets
    • #binary-analysis
    • #ios

    Frequently asked questions

    Does Apple review the source code of React Native apps?
    Not your repository. You upload a compiled binary, and Apple reviews that binary against the guidelines using automated static analysis and a human testing the app. Apple never receives your Git history or source files. However, your React Native JavaScript is bundled inside the binary and is recoverable, so while Apple does not read your source, the JS that ships in the app is not private from anyone who unpacks it.
    Can someone see my React Native JavaScript?
    Yes. The JS bundle ships inside the app and can be extracted from the binary, whether it is minified source or Hermes bytecode. Minification and bytecode raise the effort to read it but do not make it secret. So treat anything in your bundle, including logic and any embedded values, as readable by anyone with the app file, which is why secrets do not belong in the JS.
    Is a hardcoded key safe inside a compiled React Native app?
    No. Compilation and bundling do not hide a secret, because the bundle can be extracted and read. A hardcoded API key, token, or password in your JavaScript is exposed to anyone who unpacks the binary. Keep real secrets on your backend, have the app authenticate and call your server, and let the server hold privileged keys. Where the app must hold a value, scope it tightly and rely on server-side rules.
    Does Hermes bytecode protect my code?
    It raises the effort, but it does not protect a secret. Hermes precompiles your JavaScript to bytecode, which is harder to read than minified source, but the bytecode still ships in the binary and can be recovered and decompiled back toward JavaScript. So Hermes is a performance feature with a mild obfuscation side effect, not a security control. Do not rely on it to hide keys or sensitive logic.
    How do I see what's recoverable from my app?
    Scan the compiled binary. A pre-submission scan such as PTKD.com reads the IPA against OWASP MASVS and surfaces the strings, keys, and endpoints in your bundle, so you can see exactly what someone unpacking your React Native app would find. With that list, you move any real secrets to your backend and confirm the bundle does not ship anything that should have stayed private.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free