feat: add security demo app

Author: CAMOBAP

README.md

@@ -36,6 +36,7 @@ This project is structured as a monorepo.
 - [`packages/react-native-sandbox`](./packages/react-native-sandbox/): the core library.
 - [`apps/side-by-side`](./apps/side-by-side/README.md): An example application with two sandbox instances.
 - [`apps/recursive`](./apps/recursive/README.md): An example application with few nested sandbox instances.
+- [`apps/demo`](./apps/demo/README.md): Security demo.
 
 To run the examples:
 
@@ -134,7 +135,7 @@ AppRegistry.registerComponent("SandboxApp", () => App);
 We're actively working on expanding the capabilities of `react-native-sandbox`. Here's what's planned:
 
 - [ ] **Android Support** - Full cross-platform compatibility
-- [ ] **Inter-Sandbox Communication** - Secure communication between sandbox instances
+- [ ] **Inter-Sandbox Communication** - Secure direct communication between sandbox instances
 - [ ] **[RE.Pack](https://github.com/callstack/repack) Integration** - Advanced bundling and module federation
   - Hot-reloading for sandbox instances in development
   - Dynamic bundle fetching from remote sources
@@ -144,6 +145,7 @@ We're actively working on expanding the capabilities of `react-native-sandbox`.
   - Custom permission system for sandbox instances
   - Resource usage limits and monitoring
   - Sandbox capability restrictions
+  - Unresponsiveness detection 
 - [ ] **Storage Isolation** - Secure data partitioning
   - Per-sandbox AsyncStorage isolation
   - Secure file system access controls

apps/demo/.bundle/config

@@ -0,0 +1,2 @@
+BUNDLE_PATH: "vendor/bundle"
+BUNDLE_FORCE_RUBY_PLATFORM: 1

apps/demo/App.tsx

@@ -0,0 +1,68 @@
+import React from 'react'
+import {SafeAreaView, StyleSheet, Text, View} from 'react-native'
+import SandboxReactNativeView from 'react-native-sandbox'
+import Toast from 'react-native-toast-message'
+
+import CrashIfYouCanDemo from './CrashIfYouCanDemo'
+
+const SideBySideDemo: React.FC = () => {
+  return (
+    <SafeAreaView>
+      <View style={styles.container}>
+        <View style={styles.column}>
+          <Text style={styles.header}>Main App</Text>
+          <CrashIfYouCanDemo />
+        </View>
+        <View style={styles.divider} />
+        <View style={styles.column}>
+          <Text style={styles.header}>Sandboxed</Text>
+          <SandboxReactNativeView
+            style={styles.sandboxView}
+            jsBundleSource={'sandbox'}
+            moduleName={'CrashIfYouCanDemo'}
+            onError={error => {
+              const message = `Got ${error.isFatal ? 'fatal' : 'non-fatal'} error from sandbox`
+              console.warn(message, error)
+              Toast.show({
+                type: 'error',
+                text1: message,
+                text2: `${error.name}: ${error.message}`,
+                visibilityTime: 5000,
+              })
+              return false
+            }}
+          />
+        </View>
+      </View>
+      <Toast />
+    </SafeAreaView>
+  )
+}
+
+const styles = StyleSheet.create({
+  container: {
+    flexDirection: 'row',
+    padding: 16,
+    justifyContent: 'space-between',
+  },
+  column: {
+    flex: 1,
+    padding: 8,
+  },
+  divider: {
+    width: 1,
+    backgroundColor: '#ccc',
+  },
+  header: {
+    fontWeight: 'bold',
+    fontSize: 16,
+    marginBottom: 8,
+    textAlign: 'center',
+  },
+  sandboxView: {
+    flex: 1,
+    padding: 30,
+  },
+})
+
+export default SideBySideDemo

apps/demo/CrashIfYouCanDemo.tsx

@@ -0,0 +1,60 @@
+import React from 'react'
+import {Button, NativeModules, ScrollView, StyleSheet, View} from 'react-native'
+
+export default function CrashIfYouCanDemo() {
+  const triggerCrash = () => {
+    // @ts-ignore
+    global.nonExistentMethod() // Should crash the app
+  }
+
+  const overwriteGlobal = () => {
+    // Overwrite console.log to something harmful
+    console.log = () => {
+      throw new Error('console.log has been hijacked!')
+    }
+    console.log('This will now throw') // This will crash or break logs
+  }
+
+  const accessBlockedTurboModule = () => {
+    const FileReaderModule = NativeModules.FileReaderModule
+    FileReaderModule.readAsText('/some/file.txt')
+      .then((text: string) => console.log(text))
+      .catch((err: any) => console.log(err.message))
+  }
+
+  const infiniteLoop = () => {
+    while (true) {}
+  }
+
+  return (
+    <ScrollView contentContainerStyle={styles.container}>
+      <Button title="1. Crash App (undefined global)" onPress={triggerCrash} />
+      <View style={styles.spacer} />
+      <Button
+        title="2. Overwrite Global (console.log)"
+        onPress={overwriteGlobal}
+      />
+      <View style={styles.spacer} />
+      <Button
+        title="3. Access Blocked TurboModule"
+        onPress={accessBlockedTurboModule}
+      />
+      <View style={styles.spacer} />
+      <Button title="4. Infinite Loop" onPress={infiniteLoop} />
+      <View style={styles.bottom} />
+    </ScrollView>
+  )
+}
+
+const styles = StyleSheet.create({
+  container: {
+    padding: 16,
+    justifyContent: 'center',
+  },
+  spacer: {
+    height: 16,
+  },
+  bottom: {
+    height: 36,
+  },
+})

apps/demo/README.md

@@ -0,0 +1,11 @@
+# Security Demo
+
+![Platform: iOS](https://img.shields.io/badge/platform-iOS-blue.svg)
+
+This demo showcases a side-by-side comparison between a regular React Native component and one executed inside a `react-native-sandbox`ed environment. The `CrashIfYouCanDemo` component intentionally triggers various types of failures — such as accessing undefined globals, overwriting global variables, invoking blocked native modules, infinite loops. When run in the main app context, these actions can crash or destabilize the app. However, when isolated inside the `SandboxReactNativeView`, they are safely contained without affecting the host application. This demonstrates how sandboxing can enhance reliability and security in untrusted or third-party React Native code execution.
+
+## Screenshot
+
+<div style="display: flex; flex-wrap: wrap; gap: 10px; align: center">
+  <img src="./docs/screenshot.png" width="240" />
+</div>

apps/demo/__tests__/App.test.tsx

@@ -0,0 +1,14 @@
+/**
+ * @format
+ */
+
+import React from 'react'
+import ReactTestRenderer from 'react-test-renderer'
+
+import App from '../App'
+
+test('renders correctly', async () => {
+  await ReactTestRenderer.act(() => {
+    ReactTestRenderer.create(<App />)
+  })
+})

apps/demo/android/app/build.gradle

@@ -0,0 +1,119 @@
+apply plugin: "com.android.application"
+apply plugin: "org.jetbrains.kotlin.android"
+apply plugin: "com.facebook.react"
+
+/**
+ * This is the configuration block to customize your React Native Android app.
+ * By default you don't need to apply any configuration, just uncomment the lines you need.
+ */
+react {
+    /* Folders */
+    //   The root of your project, i.e. where "package.json" lives. Default is '../..'
+    // root = file("../../")
+    //   The folder where the react-native NPM package is. Default is ../../node_modules/react-native
+    // reactNativeDir = file("../../node_modules/react-native")
+    //   The folder where the react-native Codegen package is. Default is ../../node_modules/@react-native/codegen
+    // codegenDir = file("../../node_modules/@react-native/codegen")
+    //   The cli.js file which is the React Native CLI entrypoint. Default is ../../node_modules/react-native/cli.js
+    // cliFile = file("../../node_modules/react-native/cli.js")
+
+    /* Variants */
+    //   The list of variants to that are debuggable. For those we're going to
+    //   skip the bundling of the JS bundle and the assets. By default is just 'debug'.
+    //   If you add flavors like lite, prod, etc. you'll have to list your debuggableVariants.
+    // debuggableVariants = ["liteDebug", "prodDebug"]
+
+    /* Bundling */
+    //   A list containing the node command and its flags. Default is just 'node'.
+    // nodeExecutableAndArgs = ["node"]
+    //
+    //   The command to run when bundling. By default is 'bundle'
+    // bundleCommand = "ram-bundle"
+    //
+    //   The path to the CLI configuration file. Default is empty.
+    // bundleConfig = file(../rn-cli.config.js)
+    //
+    //   The name of the generated asset file containing your JS bundle
+    // bundleAssetName = "MyApplication.android.bundle"
+    //
+    //   The entry file for bundle generation. Default is 'index.android.js' or 'index.js'
+    // entryFile = file("../js/MyApplication.android.js")
+    //
+    //   A list of extra flags to pass to the 'bundle' commands.
+    //   See https://github.com/react-native-community/cli/blob/main/docs/commands.md#bundle
+    // extraPackagerArgs = []
+
+    /* Hermes Commands */
+    //   The hermes compiler command to run. By default it is 'hermesc'
+    // hermesCommand = "$rootDir/my-custom-hermesc/bin/hermesc"
+    //
+    //   The list of flags to pass to the Hermes compiler. By default is "-O", "-output-source-map"
+    // hermesFlags = ["-O", "-output-source-map"]
+
+    /* Autolinking */
+    autolinkLibrariesWithApp()
+}
+
+/**
+ * Set this to true to Run Proguard on Release builds to minify the Java bytecode.
+ */
+def enableProguardInReleaseBuilds = false
+
+/**
+ * The preferred build flavor of JavaScriptCore (JSC)
+ *
+ * For example, to use the international variant, you can use:
+ * `def jscFlavor = io.github.react-native-community:jsc-android-intl:2026004.+`
+ *
+ * The international variant includes ICU i18n library and necessary data
+ * allowing to use e.g. `Date.toLocaleString` and `String.localeCompare` that
+ * give correct results when using with locales other than en-US. Note that
+ * this variant is about 6MiB larger per architecture than default.
+ */
+def jscFlavor = 'io.github.react-native-community:jsc-android:2026004.+'
+
+android {
+    ndkVersion rootProject.ext.ndkVersion
+    buildToolsVersion rootProject.ext.buildToolsVersion
+    compileSdk rootProject.ext.compileSdkVersion
+
+    namespace "com.demo"
+    defaultConfig {
+        applicationId "com.demo"
+        minSdkVersion rootProject.ext.minSdkVersion
+        targetSdkVersion rootProject.ext.targetSdkVersion
+        versionCode 1
+        versionName "1.0"
+    }
+    signingConfigs {
+        debug {
+            storeFile file('debug.keystore')
+            storePassword 'android'
+            keyAlias 'androiddebugkey'
+            keyPassword 'android'
+        }
+    }
+    buildTypes {
+        debug {
+            signingConfig signingConfigs.debug
+        }
+        release {
+            // Caution! In production, you need to generate your own keystore file.
+            // see https://reactnative.dev/docs/signed-apk-android.
+            signingConfig signingConfigs.debug
+            minifyEnabled enableProguardInReleaseBuilds
+            proguardFiles getDefaultProguardFile("proguard-android.txt"), "proguard-rules.pro"
+        }
+    }
+}
+
+dependencies {
+    // The version of react-native is set by the React Native Gradle Plugin
+    implementation("com.facebook.react:react-android")
+
+    if (hermesEnabled.toBoolean()) {
+        implementation("com.facebook.react:hermes-android")
+    } else {
+        implementation jscFlavor
+    }
+}

apps/demo/android/app/debug.keystore

@@ -0,0 +1,10 @@
+# Add project specific ProGuard rules here.
+# By default, the flags in this file are appended to flags specified
+# in /usr/local/Cellar/android-sdk/24.3.3/tools/proguard/proguard-android.txt
+# You can edit the include path and order by changing the proguardFiles
+# directive in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# Add any project specific keep options here:

apps/demo/android/app/proguard-rules.pro

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <application
+        android:usesCleartextTraffic="true"
+        tools:targetApi="28"
+        tools:ignore="GoogleAppIndexingWarning"/>
+</manifest>