This article highlights some security errors that are not really related to React Native:
1. Firebase permissions
That is a problem of a badly configured server. In Firebase you need to write rules that are as little permissive as possible, making it possible to read only what the user really needs (for example, its own data and the data that is truly public); the same goes for writing.
2. Debug files in the APK
The map file should not be in the APK (unless it's an internal-only debuggable APK), webpack/gulp can be configured to not produce that file when the target is production.
If you use tools that collect errors like Sentry, you can upload the map file to their servers and avoid releasing it.
It will not stop the attacker from obtaining your API_KEY but it will make it harder (security through obscurity).
Both problems are not exclusive to React Native but are shared by any app/web-app that uses Firebase.
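Added example, not part of the thread or of any commenter's code: a release-gate check for the second point above, which opens an APK as a zip archive and reports shipped `.map` files and bundles that still carry a `sourceMappingURL` comment. The asset paths and sample archives are constructed for illustration and are assumptions.

```python
import io
import re
import zipfile

# Matches the trailing comment bundlers emit to point at a source map.
SOURCE_MAP_REF = re.compile(rb"//[#@]\s*sourceMappingURL=(\S+)")
TEXT_SUFFIXES = (".js", ".bundle")


def find_debug_artifacts(apk_bytes):
    """Return sorted (entry, reason) pairs for source-map material in an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.endswith(".map"):
                findings.append((name, "source map file shipped"))
            elif name.endswith(TEXT_SUFFIXES):
                match = SOURCE_MAP_REF.search(apk.read(name))
                if match:
                    inline = match.group(1).startswith(b"data:")
                    reason = "inline source map" if inline else "sourceMappingURL reference"
                    findings.append((name, reason))
    return sorted(findings)


def build_sample_apk(entries):
    """Constructed test input: a zip holding the given {path: bytes} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed samples; the asset paths are assumptions, not taken from the thread.
DEBUG_APK = build_sample_apk({
    "assets/index.android.bundle": b"var a=1;\n//# sourceMappingURL=index.android.bundle.map\n",
    "assets/index.android.bundle.map": b'{"version":3,"sources":["App.js"]}',
    "classes.dex": b"dex\n035\x00",
})
RELEASE_APK = build_sample_apk({
    "assets/index.android.bundle": b"var a=1;\n",
    "classes.dex": b"dex\n035\x00",
})

if __name__ == "__main__":
    for name, reason in find_debug_artifacts(DEBUG_APK):
        print(f"{name}: {reason}")
```

A non-empty result can fail the production build; an empty result says nothing about keys embedded in the bundle itself.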
To the author, your blog platform outputs an invalid canonical URL for your content. It omits the `blog` subdomain, which makes your canonical URL point to a 404.
Isn't this just security 101? Not sure what it has to do with React Native.
Do people really put server keys into clients? I thought the general assumption outside of private servers is to trust nobody.
I am not sure if this is specific to React Native. In a regular Android application, this information is available in the JSON file. Having permissive credentials on the client is a security gap, no matter the technology.