Safeguard
Open Source

What react-native-get-random-values Does and Why Your App Needs It

The react-native-get-random-values package polyfills crypto.getRandomValues so libraries like uuid work under React Native's Hermes engine. Here is how to install it correctly and use it securely.

Aisha Rahman
Security Analyst
5 min read

The react-native-get-random-values package is a small polyfill that provides crypto.getRandomValues in React Native, because the Hermes JavaScript engine does not ship a native implementation of it. Libraries you take for granted on the web, most notably uuid, assume crypto.getRandomValues exists on the global object. Under React Native it does not, so those libraries throw or, worse, fall back to weak randomness. This polyfill fills that gap by backing the function with the platform's native secure random source.

If your app crashes with an error about crypto.getRandomValues not being a function, or a UUID library refuses to run, this package is the standard fix. Here is how to wire it up without introducing a subtle security bug.

Why the polyfill is necessary

Browsers expose the Web Crypto API, including crypto.getRandomValues, backed by the operating system's cryptographically secure random number generator. React Native runs your JavaScript in Hermes (or, historically, JavaScriptCore), and those engines are not browsers. Hermes deliberately keeps a small surface area and does not implement Web Crypto, so crypto.getRandomValues is simply absent.

That absence is a problem because secure randomness is not optional for the things that use it: UUID generation, session tokens, cryptographic nonces, and key material all depend on unpredictable bytes. A naive fallback to Math.random() is not cryptographically secure and must never back these use cases. The polyfill routes getRandomValues to the native secure RNG on each platform, so the values are actually unpredictable.

Installing react-native-get-random-values

Install the package and link the native pods:

npm install react-native-get-random-values
npx pod-install

The current release line is 2.x. On modern React Native with autolinking, no manual native configuration is required beyond the pod install for iOS.

The one rule: import it first

This is the detail people miss, and it causes bugs that look random. The polyfill must be imported before any code that reads crypto.getRandomValues. Because uuid and similar libraries capture the function at import time, if they load before the polyfill, they capture undefined and never recover.

Put the import at the very top of your entry file, above everything else:

// index.js — must be the first import
import 'react-native-get-random-values';
import { AppRegistry } from 'react-native';
import App from './App';
import { name as appName } from './app.json';

AppRegistry.registerComponent(appName, () => App);

Only after that line runs is it safe to import and use dependent libraries:

import { v4 as uuidv4 } from 'uuid';

const id = uuidv4(); // now backed by native secure randomness

If a UUID library still throws after you added the polyfill, the import order is almost always the reason. Move the polyfill import above the offending require.

Verifying you actually got secure randomness

A polyfill that silently degraded to weak randomness would be worse than a crash, because it would look like it works. Two quick checks give you confidence:

Confirm the global is populated after import. In a debug build, typeof crypto.getRandomValues should be 'function' once the polyfill import has run.

Do not layer a second, weaker polyfill on top. Some older guides suggest ad-hoc shims built on Math.random. If one of those is present alongside this package, load order decides which one wins, and you can end up with the insecure one. Remove the weak shim entirely.

For anything security-sensitive, prefer purpose-built native modules over generic JS crypto. expo-crypto and native keystore libraries exist for a reason. The polyfill is the right tool for making standards-based libraries work, not for hand-rolling your own cryptography.

Where this fits in your dependency hygiene

react-native-get-random-values is a tiny, focused package, which is exactly what you want from a polyfill: small surface, single responsibility. Still, it sits in the security-critical path of your app, so treat it accordingly. Pin it in your lockfile, keep it current, and include it when you audit your React Native dependency tree.

Mobile dependency trees are deep and easy to under-scan; an SCA tool such as Safeguard can surface a known-vulnerable transitive package before it ships in a binary you cannot easily patch. Our SCA product covers native mobile manifests, and the academy has guidance on securing mobile supply chains specifically.

FAQ

What is react-native-get-random-values for?

It polyfills crypto.getRandomValues in React Native. The Hermes engine does not implement Web Crypto, so libraries like uuid that expect crypto.getRandomValues to exist will fail without it. The polyfill backs the function with each platform's native secure random generator.

Why do I have to import it first?

Because dependent libraries capture crypto.getRandomValues at import time. If uuid or a crypto library loads before the polyfill, it captures the missing function and breaks. Put import 'react-native-get-random-values' at the very top of your entry file, above all other imports.

Does it provide cryptographically secure randomness?

Yes, it routes to the platform's native secure RNG rather than Math.random(). That is the entire point: it makes standards-based libraries produce unpredictable values suitable for UUIDs, tokens, and nonces.

How do I install it?

Run npm install react-native-get-random-values and then npx pod-install for iOS. With autolinking on modern React Native, no further native setup is needed.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.