Four New Security Features to Protect Your Expo Apps

TC Davis · Published in Exposition · 3 min read · Feb 19, 2021


We’re excited to announce several enhanced security features to help you keep your apps safe. Our mission is to empower anyone to launch and scale awesome mobile apps with ease. With scale, security becomes critical, so we strive to give you as many options as possible to keep your apps secure.

There are four major security features we’ve released recently:

  1. Two-factor authentication
  2. Personal Access Tokens for more control over third-party access
  3. Bot Users for setting up CI for an Organization
  4. A second layer of security for push notifications

Two-factor authentication (2FA) options

We know you invest a lot of time and energy in your Expo projects, so we added two-factor authentication (2FA) functionality to make it simple to keep your account secure and protect your users.

To ensure you will be able to access your account even if your primary phone is lost or reset, we recommend using an application like 1Password or Authy that will securely back up your codes and allow them to be restored if you lose access to your device. Expo’s implementation of 2FA supports authentication via authenticator apps or SMS messages.

🔒 Enable two-factor authentication from your account settings or learn more about Expo’s 2FA implementation here.

Personal Access Tokens for Convenience and Security

Before running any command that communicates with Expo’s servers, you need to identify yourself. Ordinarily you would do this by running expo login and providing your username and password. But what if you need to write a script to automate some part of your workflow?

Personal Access Tokens make granting access easier and more secure. Create a Personal Access Token for your account whenever you need to provide access for an automated script or bot. You can keep track of all your tokens and revoke access whenever you want from your account dashboard.

🔒 Create Personal Access Tokens from the Access Tokens tab in your settings or learn more in the docs for Personal Access Tokens here.

Bot Users for using CI with Organizations

Bot Users let you create Access Tokens that aren’t attached to a Personal Account. This is especially useful if you’re working with others on a project. Using a Bot User and Access Token for CI ensures that it keeps working even if the teammate who set CI up leaves the project down the road.

You can also use Bot Users to trigger publishes and builds from CI without the risk of compromising personal credentials. You can easily revoke & restore Bot Users’ tokens to rotate your tokens.

🔒 Create a Bot User from the Access Tokens tab of your Organization’s settings or learn more in the docs for Bot Users here.

Additional Security for Push Notifications

You can now require that push requests be sent with a valid Access Token before Expo delivers them to your users. This acts as an added layer of protection so that even if your users’ push tokens are leaked, only you will be able to contact your users.

🔒 Enable tokens for push notifications from the Access Tokens tab of your account’s settings or learn more about securing your push notifications here.
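What the setting above means for the sender side, as an added example that is not Expo’s own code: once your account requires a token, every request to the push service has to carry your Access Token, so a script that builds those requests should fail closed when the token is missing rather than send unauthenticated traffic. The example assumes the public push endpoint https://exp.host/--/api/v2/push/send, the `Authorization: Bearer <token>` header, the 100-messages-per-request limit, and an environment variable named EXPO_ACCESS_TOKEN (a name chosen here, not an Expo convention); the push-token format check is an approximation of the `ExponentPushToken[...]` shape and the sample messages are constructed.

```javascript
// Added example, not Expo's code: build authenticated push requests that
// satisfy the "require Access Token for push" account setting.
// Assumptions (not taken from the post): endpoint URL, Bearer header,
// 100-message batch limit, and the EXPO_ACCESS_TOKEN variable name.
const PUSH_ENDPOINT = "https://exp.host/--/api/v2/push/send";
const MAX_PER_REQUEST = 100; // assumed batch limit per request

// Approximate shape of an Expo push token (assumption, not an official spec).
const EXPO_PUSH_TOKEN_RE = /^Expo(nent)?PushToken\[[A-Za-z0-9_-]+\]$/;

function isExpoPushToken(token) {
  return typeof token === "string" && EXPO_PUSH_TOKEN_RE.test(token);
}

// Returns one request descriptor per batch. Throws when no Access Token is
// available so a misconfigured CI job cannot fall back to unauthenticated sends.
function buildPushRequests(messages, accessToken) {
  if (!accessToken) {
    throw new Error("EXPO_ACCESS_TOKEN is not set; refusing to send push requests");
  }
  // Drop messages whose recipient token is malformed instead of sending them.
  const valid = messages.filter((m) => isExpoPushToken(m.to));
  const requests = [];
  for (let i = 0; i < valid.length; i += MAX_PER_REQUEST) {
    requests.push({
      url: PUSH_ENDPOINT,
      method: "POST",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json",
        Accept: "application/json",
      },
      body: JSON.stringify(valid.slice(i, i + MAX_PER_REQUEST)),
    });
  }
  return requests;
}

// Sends the batches; the token is read from the environment, never hard-coded.
async function sendPush(messages, accessToken = process.env.EXPO_ACCESS_TOKEN) {
  const responses = [];
  for (const req of buildPushRequests(messages, accessToken)) {
    const res = await fetch(req.url, {
      method: req.method,
      headers: req.headers,
      body: req.body,
    });
    responses.push(await res.json());
  }
  return responses;
}

// Constructed sample input: two well-formed recipients and one malformed one.
const SAMPLE_MESSAGES = [
  { to: "ExponentPushToken[constructed-aaa111]", title: "Hi", body: "first" },
  { to: "ExpoPushToken[constructed-bbb222]", title: "Hi", body: "second" },
  { to: "not-a-push-token", title: "Hi", body: "dropped" },
];

// Stand-alone run only builds the requests (no network) and reports the count.
const preview = buildPushRequests(SAMPLE_MESSAGES, "constructed-access-token");
console.log(`${preview.length} request(s) built, ${JSON.parse(preview[0].body).length} message(s) in the first`);
```

In a CI job you would export EXPO_ACCESS_TOKEN from the job’s secret store and call `sendPush(messages)`; because the token is read at call time, rotating it is a matter of revoking the old Access Token in the dashboard and updating the secret, with no code change.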

We’re here to help you keep your apps secure, so feel free to ask any questions in our Forums or Discord, or let us know about any issue reports or feature requests.

Happy building,

The Expo Team
