Shipping a fintech app is a different beast from shipping a regular mobile app. The stakes are higher, the regulatory requirements are real, and users have zero tolerance for bugs involving their money.
Biometric Auth Done Right
React Native has react-native-biometrics and the OS-level Keychain/Keystore APIs. The pattern I settled on: biometric verification unlocks an encrypted key stored in the secure enclave, which decrypts the user’s session token. The token never lives in AsyncStorage.
The common mistake is using biometrics as a UI gate while still keeping sensitive data in plaintext storage. Don’t.
Offline-First Architecture
Payments apps need to work in low-connectivity environments. I built around a local SQLite database (via op-sqlite) as the source of truth, with a sync queue that replays pending operations when connectivity is restored.
The tricky part is conflict resolution. If a user initiates a transfer while offline and the same funds are debited server-side before sync, you need a clear reconciliation strategy. We opted for pessimistic locking: offline transactions are marked “pending review” until confirmed by the server.
Security Pitfalls
- Certificate pinning: Prevents MITM attacks on rooted devices. Non-negotiable for financial apps.
- Jailbreak/root detection: Flag these sessions server-side, don’t just block client-side.
- Screenshot prevention: Enable FLAG_SECURE on Android and the iOS equivalent for screens showing balances or card numbers.
- Code obfuscation: Use ProGuard on Android. Ship a release build to a security auditor before launch.
The Real Lesson
The hardest part wasn’t the code — it was getting the payment gateway integration right. Every provider has slightly different webhook schemas, retry logic, and idempotency key requirements. Build a thin abstraction layer over payment providers from day one so you can swap them without rewriting business logic.