Unpack the APK (apktool d {APK name})

Map files

If you can find a file called index.android.bundle.map, you can analyse the source code in an unminified format. Map files contain the source mapping that lets you map minified identifiers back to their original names. If the React Native application you are reversing includes the map file within the assets folder, you can take advantage of this by creating a file named index.html in the same directory with the following contents:

<script src="index.android.bundle"></script>

Save this file and then open it in Google Chrome. Open the Developer Toolbar (Command+Option+J for OS X or Control+Shift+J for Windows) and click on “Sources”. You should see a neatly mapped out JavaScript file, split up into the folders and files that make up the main bundle.

If this doesn't work, you can try to decompile the JS using:

https://github.com/richardfuca/react-native-decompiler

Search for sensitive information

A popular pattern in React Native applications is the use of a third-party database such as Firebase. In the past, a number of applications have been found to use Firebase’s authentication model improperly and to include an overly permissive API key within their React Native application.

The following strings can be grepped for in order to extract the Firebase API key from the index.android.bundle:

FIREBASE_API_KEY
FIREBASE_AUTH_DOMAIN
FIREBASE_DB_URL
FIREBASE_BUCKET
apiKey

For example:

grep -rnis 'apiKey' index.android.bundle
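
An added example (not from the original page or its source): a pre-release check a team can run against its own apktool-unpacked APK to catch a shipped source map and the strings listed above. The function name audit_rn_bundle and its output format are assumptions made for this example; the assets/ path follows apktool's unpacked layout.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage (after sourcing this file): audit_rn_bundle <apktool-output-dir>

# Identifiers listed on this page.
RN_PATTERNS='FIREBASE_API_KEY FIREBASE_AUTH_DOMAIN FIREBASE_DB_URL FIREBASE_BUCKET apiKey'

# Prints one finding per line.
# Returns 0 if nothing was found, 1 if there are findings, 2 if no bundle exists.
audit_rn_bundle() {
    bundle="$1/assets/index.android.bundle"
    if [ ! -f "$bundle" ]; then
        echo "ERROR no bundle at $bundle" >&2
        return 2
    fi
    findings=0

    # A shipped source map lets anyone view the unminified source.
    if [ -f "$bundle.map" ]; then
        echo "MAP $bundle.map"
        findings=$((findings + 1))
    fi

    for pat in $RN_PATTERNS; do
        # -o with bounded context: minified bundles have very long lines,
        # so printing whole matching lines is unreadable.
        # -a: treat the file as text even if grep guesses it is binary.
        hits=$(grep -aoiE ".{0,30}${pat}.{0,60}" "$bundle" | head -n 5)
        [ -n "$hits" ] || continue
        findings=$((findings + 1))
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf 'STRING %s: %s\n' "$pat" "$line"
        done
    done

    # Non-zero exit status lets a CI job fail the release build.
    [ "$findings" -eq 0 ]
}
```

A STRING finding still needs a manual look: it shows the identifier is present in the bundle, not that the key behind it is too permissive.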

Source:

https://blog.assetnote.io/bug-bounty/2020/02/01/expanding-attack-surface-react-native/