Mobile Security Is Different

Mobile applications face unique security challenges compared to web applications. The application binary is distributed to user devices, making reverse engineering easier. Devices can be jailbroken or rooted, bypassing platform security controls. Network connections may be intercepted on public WiFi. At Nexis Limited, our mobile development practice includes comprehensive security measures for both iOS and Android applications.

Secure Data Storage

Never Store Sensitive Data in Plain Text

  • iOS: Use the Keychain for credentials, tokens, and encryption keys. Use Data Protection API for file-level encryption. Do not store sensitive data in UserDefaults or plist files.
  • Android: Use the Android Keystore for cryptographic keys. Use EncryptedSharedPreferences for sensitive key-value data. Do not store secrets in SharedPreferences or SQLite databases without encryption.

Database Encryption

If the app stores data in a local database (SQLite, Realm), encrypt the database with a key stored in the platform keystore. This protects data even if the device is compromised or a backup is extracted.
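The two recommendations above (Keystore-backed key-value storage and an encrypted local database whose key never appears in the binary) combined in one Android example. This is added illustration, not Nexis Limited code: it assumes the androidx.security:security-crypto library (MasterKey, EncryptedSharedPreferences), Room, and SQLCipher for Android (SupportFactory) on the classpath; the file names, key names and the Note entity are hypothetical.

```kotlin
// Added example, not Nexis Limited code. Assumes androidx.security:security-crypto,
// androidx.room and net.zetetic:android-database-sqlcipher; names are hypothetical.
import android.content.Context
import android.util.Base64
import androidx.room.Dao
import androidx.room.Database
import androidx.room.Entity
import androidx.room.Insert
import androidx.room.PrimaryKey
import androidx.room.Query
import androidx.room.Room
import androidx.room.RoomDatabase
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import net.sqlcipher.database.SupportFactory
import java.security.SecureRandom

@Entity
data class Note(@PrimaryKey val id: Long, val body: String)

@Dao
interface NoteDao {
    @Query("SELECT * FROM Note")
    fun all(): List<Note>

    @Insert
    fun insert(note: Note)
}

@Database(entities = [Note::class], version = 1)
abstract class AppDatabase : RoomDatabase() {
    abstract fun notes(): NoteDao
}

object SecureStore {
    private const val PREFS_FILE = "secure_prefs"          // hypothetical file name
    private const val TOKEN_KEY = "access_token"
    private const val DB_PASSPHRASE_KEY = "db_passphrase"

    // Keys and values are encrypted under a master key that lives in the Android
    // Keystore, so the XML file under shared_prefs/ holds only ciphertext.
    // Plain SharedPreferences would write the token in cleartext.
    private fun prefs(context: Context) = EncryptedSharedPreferences.create(
        context,
        PREFS_FILE,
        MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun saveToken(context: Context, token: String) {
        prefs(context).edit().putString(TOKEN_KEY, token).apply()
    }

    fun loadToken(context: Context): String? = prefs(context).getString(TOKEN_KEY, null)

    // The database passphrase is 32 random bytes generated on first use and kept
    // only in the encrypted preferences; it is never a constant in the APK.
    private fun dbPassphrase(context: Context): ByteArray {
        val p = prefs(context)
        p.getString(DB_PASSPHRASE_KEY, null)?.let { return Base64.decode(it, Base64.NO_WRAP) }
        val fresh = ByteArray(32).also { SecureRandom().nextBytes(it) }
        p.edit().putString(DB_PASSPHRASE_KEY, Base64.encodeToString(fresh, Base64.NO_WRAP)).apply()
        return fresh
    }

    // SQLCipher encrypts every page of app.db, so an extracted backup or a rooted
    // device yields ciphertext rather than readable rows. SupportFactory zeroes
    // the passphrase array after opening the database, which is why
    // dbPassphrase() hands over a fresh copy on each call.
    fun openDatabase(context: Context): AppDatabase =
        Room.databaseBuilder(context, AppDatabase::class.java, "app.db")
            .openHelperFactory(SupportFactory(dbPassphrase(context)))
            .build()
}
```

The important design point is the chain of custody for the key: the database passphrase is protected by the preferences file, which is protected by a Keystore master key that cannot be exported. Nothing in the chain is a string literal that a disassembler could lift from the binary.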

Network Security

Certificate Pinning

Certificate pinning ensures your app only communicates with servers presenting a specific certificate or public key. This prevents man-in-the-middle attacks even if a rogue certificate authority has been installed on the device. Implement pinning for API communication and have a pin rotation strategy.

Network Security Configuration

  • Enforce HTTPS for all network communication — never allow plaintext HTTP.
  • On Android, use Network Security Configuration to define trusted certificates and domains.
  • On iOS, use App Transport Security (ATS) to enforce HTTPS and strong TLS configurations.
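An Android client that applies the two points above (pinning with a rotation strategy, and refusing plaintext HTTP inside the app in addition to the platform configuration). This is an added example, not Nexis Limited code: it assumes OkHttp 4, and api.example.com together with both pin strings are placeholders to be replaced with the real host and the base64 SHA-256 of the server keys' SubjectPublicKeyInfo.

```kotlin
// Added example, not Nexis Limited code. Assumes OkHttp 4; host and pins are placeholders.
import okhttp3.CertificatePinner
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.IOException
import javax.net.ssl.SSLPeerUnverifiedException

object ApiClient {
    private const val API_HOST = "api.example.com"  // placeholder host

    // Pin the public-key (SPKI) hash rather than the leaf certificate, so a routine
    // certificate renewal with the same key does not break the app. Two pins are
    // registered: the key in use and a backup key kept offline. Rotation: ship the
    // next key's pin as the backup, switch the server to it, then retire the old
    // pin in a later release, so installed versions keep working throughout.
    private val pinner = CertificatePinner.Builder()
        .add(API_HOST, "sha256/REPLACE_WITH_CURRENT_SPKI_HASH_BASE64=")  // placeholder
        .add(API_HOST, "sha256/REPLACE_WITH_BACKUP_SPKI_HASH_BASE64=")   // placeholder
        .build()

    // Refuse plaintext HTTP before the request leaves the process. ATS on iOS and
    // cleartextTrafficPermitted="false" in the Android Network Security
    // Configuration enforce the same rule at platform level; this is a second check.
    private val httpsOnly = Interceptor { chain ->
        val request = chain.request()
        if (!request.isHttps) {
            throw IOException("Blocked plaintext request to ${request.url}")
        }
        chain.proceed(request)
    }

    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(pinner)
        .addInterceptor(httpsOnly)
        .build()

    // Returns the response body, or null when the pin check fails.
    fun fetchProfile(): String? {
        val request = Request.Builder().url("https://$API_HOST/v1/profile").build()
        return try {
            client.newCall(request).execute().use { response -> response.body?.string() }
        } catch (e: SSLPeerUnverifiedException) {
            // Pin mismatch: an interception proxy or an unexpected server key.
            // Fail closed and report it; never fall back to an unpinned client.
            null
        }
    }
}
```

OkHttp raises SSLPeerUnverifiedException when none of the registered pins matches the presented chain; the handler above deliberately does not retry without pinning, since a fallback path would give an interceptor exactly what the pin was meant to deny.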

Authentication Security

  • Store authentication tokens in platform-secure storage (Keychain/Keystore), not in local storage or cookies.
  • Implement biometric authentication (Face ID, fingerprint) for sensitive operations.
  • Use short-lived access tokens with refresh token rotation.
  • Implement session timeout for inactive users.
  • Detect and respond to device root/jailbreak status — restrict functionality on compromised devices.
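The biometric and token-storage points above are only as strong as their binding to the key material: a biometric prompt whose success callback simply flips a boolean can be bypassed by hooking that callback on a rooted device. The added Android example below (not Nexis Limited code; it assumes the androidx.biometric library and a FragmentActivity caller, with a hypothetical key alias) generates the token-encryption key inside the Keystore with user authentication required, so the Keystore itself refuses to decrypt unless a strong biometric check authorised this specific cipher operation.

```kotlin
// Added example, not Nexis Limited code. Assumes androidx.biometric; alias is hypothetical.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

object BiometricGate {
    private const val ALIAS = "refresh_token_key"   // hypothetical alias
    private const val KEYSTORE = "AndroidKeyStore"
    private const val TRANSFORM = "AES/GCM/NoPadding"

    // AES key created inside the Keystore. setUserAuthenticationRequired(true) with
    // the default per-use timeout means every encrypt/decrypt must be authorised
    // through a CryptoObject; a hooked success callback gains nothing without it.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)  // a newly enrolled biometric voids the key
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }.generateKey()
    }

    // Shows the prompt bound to the given cipher; onReady receives the cipher only
    // after the Keystore has authorised it.
    private fun prompt(activity: FragmentActivity, cipher: Cipher, onReady: (Cipher) -> Unit) {
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm it's you")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)  // no weak biometrics, no PIN fallback
            .setNegativeButtonText("Cancel")
            .build()
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                result.cryptoObject?.cipher?.let(onReady)
            }
        }
        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }

    // Encrypt a freshly issued refresh token for storage; yields (iv, ciphertext).
    fun seal(activity: FragmentActivity, token: ByteArray, onSealed: (ByteArray, ByteArray) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORM).apply { init(Cipher.ENCRYPT_MODE, key()) }
        prompt(activity, cipher) { c -> onSealed(c.iv, c.doFinal(token)) }
    }

    // Decrypt for a sensitive operation; the prompt appears on every call because
    // the key's authorisation is per-use, which is the intended "step-up" behaviour.
    fun open(activity: FragmentActivity, iv: ByteArray, ct: ByteArray, onToken: (ByteArray) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORM).apply {
            init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, iv))
        }
        prompt(activity, cipher) { c -> onToken(c.doFinal(ct)) }
    }
}
```

The sealed (iv, ciphertext) pair can live in EncryptedSharedPreferences or any other storage; its confidentiality no longer depends on where it sits but on the biometric-bound key, which never leaves the Keystore.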

Code Protection

Obfuscation

Obfuscate release builds to make reverse engineering more difficult. On Android, use ProGuard or R8 to shrink and obfuscate code. On iOS, use compiler optimizations and consider commercial obfuscation tools for highly sensitive applications.

Tamper Detection

Detect runtime modification of your application — hooking frameworks, debugging attachments, and code injection. While not foolproof, tamper detection raises the bar for attackers and can trigger security responses (session invalidation, usage logging).
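An Android tamper check covering two of the signals named above: an attached debugger, and repackaging (code injected into the APK and re-signed with a different key). This is an added example, not Nexis Limited code; the expected certificate hash is a placeholder to be computed from the release signing certificate and embedded at build time. As the text says, such checks run inside code the attacker controls and can be patched out, so their value lies in raising effort and in triggering a response (for instance, reporting the finding and invalidating the session server-side), not in being unbypassable.

```kotlin
// Added example, not Nexis Limited code. EXPECTED_CERT_SHA256 is a placeholder.
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.security.MessageDigest

object TamperCheck {
    // Hex SHA-256 of the release signing certificate (DER). Placeholder value.
    private const val EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX"

    sealed class Finding(val detail: String)
    class Repackaged(detail: String) : Finding(detail)
    class DebuggerAttached : Finding("debugger connected")
    class DebuggableBuild : Finding("FLAG_DEBUGGABLE set on a release build")

    // Returns every suspicious condition found; the caller decides the response
    // (log, restrict functionality, invalidate the session).
    fun run(context: Context): List<Finding> {
        val findings = mutableListOf<Finding>()
        if (Debug.isDebuggerConnected()) findings += DebuggerAttached()
        val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        if (debuggable) findings += DebuggableBuild()
        signingCertSha256(context)?.let { actual ->
            if (!actual.equals(EXPECTED_CERT_SHA256, ignoreCase = true)) {
                findings += Repackaged("unexpected signer $actual")
            }
        }
        return findings
    }

    // A repackaged APK cannot carry the original developer's signature, so the
    // certificate hash the package manager reports will differ from the one
    // compiled into the app.
    private fun signingCertSha256(context: Context): String? {
        val pm = context.packageManager
        val name = context.packageName
        val cert: ByteArray = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val info = pm.getPackageInfo(name, PackageManager.GET_SIGNING_CERTIFICATES)
            info.signingInfo?.apkContentsSigners?.firstOrNull()?.toByteArray() ?: return null
        } else {
            @Suppress("DEPRECATION")
            val info = pm.getPackageInfo(name, PackageManager.GET_SIGNATURES)
            @Suppress("DEPRECATION")
            val sig = info.signatures?.firstOrNull() ?: return null
            sig.toByteArray()
        }
        return MessageDigest.getInstance("SHA-256").digest(cert)
            .joinToString("") { "%02x".format(it) }
    }
}
```

Run the check at launch and again before sensitive operations; a debugger can be attached after startup, so a one-time check at process start misses the later case.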

Secure Communication with Backend

  • Validate all API responses — do not trust data from the server blindly.
  • Implement request signing to prevent request tampering.
  • Rate limit API calls from the client to prevent abuse.
  • Do not include API keys or secrets in the application binary — they will be extracted.
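Request signing (second bullet) and the ban on embedded secrets (last bullet) constrain each other: a signing key compiled into the APK will be extracted and used to forge signed requests. The added Android example below (not Nexis Limited code; it assumes OkHttp 4, and the header names, key alias and enrolment flow are hypothetical) resolves this by generating a per-device EC key inside the Keystore, registering only its public half with the backend at login, and signing each request with the non-exportable private half.

```kotlin
// Added example, not Nexis Limited code. Assumes OkHttp 4; headers and alias are hypothetical.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import okhttp3.Interceptor
import okio.Buffer
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.MessageDigest
import java.security.PrivateKey
import java.security.Signature
import java.security.spec.ECGenParameterSpec

object RequestSigner {
    private const val ALIAS = "request_signing_key"  // hypothetical alias
    private const val KEYSTORE = "AndroidKeyStore"

    // P-256 key pair created in the Keystore; the private key can sign but cannot
    // be read out, even by the app, so there is no secret to lift from the binary.
    private fun privateKey(): PrivateKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? PrivateKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
            .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
            .setDigests(KeyProperties.DIGEST_SHA256)
            .build()
        return KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE)
            .apply { initialize(spec) }.generateKeyPair().private
    }

    // Public key (X.509 DER, base64) sent to the backend once, inside the
    // authenticated login flow, so the server can verify this device's signatures.
    fun publicKeyForEnrolment(): String {
        privateKey()  // ensure the pair exists
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        return Base64.encodeToString(ks.getCertificate(ALIAS).publicKey.encoded, Base64.NO_WRAP)
    }

    // Canonical string over method, path+query, timestamp and body hash. Altering
    // any of them invalidates the signature; the timestamp lets the server reject
    // requests outside a short window, limiting replay.
    private fun canonical(method: String, pathAndQuery: String, ts: Long, body: ByteArray): ByteArray {
        val bodyHash = MessageDigest.getInstance("SHA-256").digest(body)
            .joinToString("") { "%02x".format(it) }
        return "$method\n$pathAndQuery\n$ts\n$bodyHash".toByteArray(Charsets.UTF_8)
    }

    // OkHttp interceptor that signs every outgoing request. Assumes request bodies
    // are re-readable (not one-shot streaming bodies).
    val interceptor = Interceptor { chain ->
        val req = chain.request()
        val body = Buffer().also { req.body?.writeTo(it) }.readByteArray()
        val pathAndQuery = req.url.encodedPath + (req.url.encodedQuery?.let { "?$it" } ?: "")
        val ts = System.currentTimeMillis() / 1000
        val sig = Signature.getInstance("SHA256withECDSA").apply {
            initSign(privateKey())
            update(canonical(req.method, pathAndQuery, ts, body))
        }.sign()
        chain.proceed(
            req.newBuilder()
                .header("X-Timestamp", ts.toString())
                .header("X-Signature", Base64.encodeToString(sig, Base64.NO_WRAP))
                .build()
        )
    }
}
```

The server recomputes the same canonical string from what it received, verifies the ECDSA signature against the public key enrolled for that device, and rejects stale timestamps. An attacker who extracts the APK learns the scheme but obtains no key, which is the property the last bullet above asks for.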

Platform-Specific Considerations

iOS

  • Enable Data Protection for all files containing sensitive data.
  • Disable application screenshots for sensitive screens (banking, health data).
  • Handle clipboard data carefully — do not copy sensitive data to the pasteboard.

Android

  • Set android:allowBackup="false" for apps handling sensitive data.
  • Use FLAG_SECURE to prevent screenshots and screen recording of sensitive screens.
  • Handle inter-app communication (Intents) carefully — validate all incoming data.

Conclusion

Mobile application security requires attention to data storage, network communication, authentication, and code protection on a platform that the attacker physically controls. Use platform-provided security mechanisms (Keychain, Keystore), enforce network security, and assume the application binary will be reverse-engineered.

Building a secure mobile application? Our mobile team implements comprehensive security measures.