HackCert
Intermediate · 10 min read · October 25, 2025

A Practical Guide to Mobile App Security

End-to-end mobile app security: secure storage, transport, authentication, anti-tampering, and the OWASP MASVS standards.

Rania Imran Qadri
Red Team Operator
Overview

Mobile apps are the primary interface between most people and the digital world. Banking, healthcare, identity, entertainment, shopping, work, and even physical access to buildings now route through phones. With that centrality comes risk. Apps run on devices the developer does not control, store sensitive data on hardware that can be lost or stolen, communicate over networks the developer cannot trust, and face adversaries with full access to the binary. Mobile app security is a discipline that addresses all of these uniquely mobile concerns.

This intermediate guide collects mobile app security best practices that apply across iOS and Android, with deeper platform-specific guidance reserved for the platform-focused articles. It is aimed at engineers and security practitioners shipping mobile apps that handle anything more sensitive than public content.

Core Concepts

Mobile app security covers the protection of the app itself, the data it stores and transmits, the user accounts it authenticates, and the backend services it calls. The threat model is broader than for web apps because the attacker often has physical access to a device running the app and can inspect and modify both the binary and the runtime.

The OWASP Mobile Application Security Verification Standard (MASVS) is the canonical reference. It defines security requirements across categories like storage, cryptography, authentication, network communication, platform interaction, code quality, resilience, and privacy. The companion OWASP Mobile Application Security Testing Guide (MASTG) provides detailed testing methodology. Together, MASVS and MASTG are the foundation every mobile security program builds on.

The OWASP Mobile Top 10 highlights the most common categories of risk: improper credential usage, inadequate supply chain security, insecure authentication or authorization, insufficient input/output validation, insecure communication, inadequate privacy controls, insufficient binary protections, security misconfiguration, insecure data storage, and insufficient cryptography.

A mobile app's attack surface includes the binary, local storage, IPC mechanisms, network traffic, third-party SDKs, runtime hooks, and the user interface. Defense must address each.

Secure Storage

Treat the device as untrusted. Phones get lost, stolen, sold, or compromised. Anything sensitive stored on the device must be encrypted and tied to user authentication.

Use platform secure storage. iOS Keychain (with appropriate access classes) and Android Keystore are the right places for tokens, credentials, and cryptographic keys. Both leverage hardware-backed key storage on modern devices (Secure Enclave on iOS, Titan or StrongBox on Android).

Avoid plaintext sensitive data in app-private storage. SharedPreferences (Android), UserDefaults (iOS), or arbitrary files in the app sandbox are not encrypted by default. Anything sensitive should be wrapped with platform encryption or encrypted with keys held in Keychain/Keystore.

Use biometric or PIN gating for high-value secrets. Bind sensitive keys to user authentication: LAContext on iOS, and on Android Keystore keys generated with setUserAuthenticationRequired and unlocked through BiometricPrompt. This ensures that even a compromised device cannot use the keys without a successful authentication.

Be conservative with caching. Sensitive responses, screenshots in the task switcher, clipboard contents, and analytics data can all leak. Disable autobackup of sensitive data, blur the screen in the task switcher when sensitive content is displayed, and clear caches at logout.

Handle backups and exports carefully. Both platforms back up app data by default. Exclude sensitive directories from backup (on Android, the allowBackup flag and the include/exclude backup rules; on iOS, file protection and backup attributes).

Transport Security

Use TLS for every network call. Both platforms enforce HTTPS by default in newer versions: App Transport Security (ATS) on iOS and Network Security Configuration on Android. Resist the temptation to disable these globally; carve out narrow exceptions only when absolutely necessary and document why.

Pin certificates or public keys for high-value backends. Certificate pinning protects against compromised CAs and against attackers with privileged network positions. Libraries like OkHttp's CertificatePinner on Android and built-in URLSession features on iOS make pinning straightforward.

Plan for pin rotation. A hard-coded pin that cannot be updated is a recipe for an outage when the certificate expires. Ship a pin set containing both the current and the next certificate, and release the app well ahead of expirations. Some teams deliver pin-set updates only through app releases, never over the network, so that an attacker on the network path cannot push a replacement pin set.

Reject downgrade and weak ciphers. Require TLS 1.2 or higher. Disable known-weak cipher suites. Verify hostnames and certificate chains correctly; never disable validation in production.

Watch for SSL pinning bypass. Tools like Frida and Objection can hook SSL libraries to bypass pinning on rooted or jailbroken devices. Combine pinning with anti-tampering and runtime integrity checks for high-value apps.

Authentication and Authorization

Use platform-recommended auth flows. OAuth 2.0 with PKCE in an external browser (ASWebAuthenticationSession on iOS, Custom Tabs on Android) is the recommended pattern for federated login. Avoid embedding WebViews that steal credentials or break SSO.
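The PKCE half of that flow, as an added example rather than code from the article: the app generates a one-time verifier and sends only its S256 challenge with the authorization request, and the authorization server later refuses any token exchange whose verifier does not hash back to the stored challenge. AUTHORIZE_URL and CLIENT_ID are placeholders.

```python
"""OAuth 2.0 PKCE (RFC 7636): client-side verifier/challenge generation and
the authorization server's check at the token endpoint. Added example, stdlib
only; AUTHORIZE_URL and CLIENT_ID are placeholders."""
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.example.com/authorize"  # placeholder
CLIENT_ID = "mobile-app-placeholder"                  # placeholder
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1

def b64url(data: bytes) -> str:
    # RFC 7636 requires base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the minimum length allowed.
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier: str, redirect_uri: str, state: str) -> str:
    """The URL the app hands to ASWebAuthenticationSession / Custom Tabs.
    Only the challenge leaves the device; the verifier stays in memory."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side of the token exchange: the code was issued
    against stored_challenge, so only the app instance that still holds the
    original verifier can redeem it. A stolen code alone is useless."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)
```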

Manage tokens carefully. Store access and refresh tokens in Keychain/Keystore. Short-lived access tokens and rotating refresh tokens with replay detection limit damage from token theft.
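Refresh-token rotation with replay detection on the backend, as an added example (not the article's code): every refresh retires the presented token and issues a new one, and a retired token turning up again is treated as theft, revoking the whole login session and emitting an event for monitoring. The store is an in-memory stand-in for a database.

```python
"""Rotating refresh tokens with replay detection, backend side. Added example
(stdlib, in-memory store): each login opens a token family; every refresh
retires the presented token and issues a successor. A retired token presented
again means it was copied and replayed, so the entire family is revoked."""
import secrets
import time
from dataclasses import dataclass, field

ACCESS_TTL = 300               # short-lived access tokens (seconds)
FAMILY_MAX_AGE = 30 * 86400    # absolute lifetime of one login (seconds)

@dataclass
class Family:
    user: str
    created: float
    current: str = ""                    # the only refresh token valid now
    retired: set = field(default_factory=set)
    revoked: bool = False

class TokenService:
    def __init__(self):
        self.families = {}   # family_id -> Family
        self.lookup = {}     # refresh token -> family_id
        self.events = []     # (event, user, family_id) for the detection pipeline

    def _issue(self, fam_id, fam):
        fam.current = secrets.token_urlsafe(32)
        self.lookup[fam.current] = fam_id
        return {"access": secrets.token_urlsafe(32),
                "access_ttl": ACCESS_TTL, "refresh": fam.current}

    def login(self, user, now=None):
        fam_id = secrets.token_urlsafe(8)
        fam = Family(user=user, created=time.time() if now is None else now)
        self.families[fam_id] = fam
        return self._issue(fam_id, fam)

    def refresh(self, presented, now=None):
        now = time.time() if now is None else now
        fam_id = self.lookup.get(presented)
        if fam_id is None:
            return None                           # unknown token
        fam = self.families[fam_id]
        if fam.revoked or now - fam.created > FAMILY_MAX_AGE:
            return None                           # dead family: force re-login
        if presented in fam.retired:
            fam.revoked = True                    # replay: burn the whole family
            self.events.append(("refresh_replay", fam.user, fam_id))
            return None
        fam.retired.add(presented)                # normal rotation
        return self._issue(fam_id, fam)
```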

Bind tokens to the device where possible. Hardware-backed key attestation (Android Key Attestation, iOS DCAppAttest) lets your backend verify that a request comes from a real device running your app. Pair with device-bound tokens to raise the bar against credential theft.

Implement step-up authentication for sensitive actions. Logging in once on a phone gives the user a long session. Sensitive operations (transferring money, changing email, granting consent) should require fresh biometric or PIN confirmation regardless of session age.

Defend against credential stuffing. Rate limit login attempts at the backend per account and per device, monitor for unusual patterns, and integrate with breach password datasets to block reuse of compromised passwords.

Platform Hardening

Disable insecure exports. Both platforms have rich IPC: Android Intents, Content Providers, Services, and Broadcast Receivers; iOS URL schemes, Universal Links, and shared containers. Each is an attack surface if exposed unintentionally. Mark components private unless they truly need to be public, and validate all external inputs.

Validate deep links. Universal Links and App Links provide cryptographically associated domains, dramatically reducing impersonation risk compared to plain URL schemes. Validate parameters before acting on them; deep link payloads should be treated as untrusted user input.
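What treating a deep-link payload as untrusted input looks like in practice, as an added example (not the article's code): only the associated https host is accepted, each route has an explicit parameter schema, and anything unexpected (custom schemes, foreign hosts, userinfo tricks, duplicated or extra parameters) is rejected before the app acts. The host, routes and parameter patterns are constructed placeholders.

```python
"""Deep-link validation for a Universal Link / App Link handler. Added example
(stdlib only); ALLOWED_HOSTS and ROUTES are constructed placeholders."""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # associated domains only (placeholder)
# route path -> {parameter: pattern}; parameters not listed are rejected
ROUTES = {
    "/pay": {"invoice": re.compile(r"[A-Z0-9]{8,16}"),
             "amount": re.compile(r"\d{1,7}(\.\d{2})?")},
    "/profile": {"tab": re.compile(r"activity|settings")},
}

def validate_deep_link(url: str):
    """Return (path, params) for an acceptable link, else None."""
    parts = urlsplit(url)
    # Plain custom schemes are not bound to a domain, so only https counts.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    try:
        port = parts.port
    except ValueError:
        return None                      # malformed port
    if parts.username or parts.password or port not in (None, 443):
        return None                      # userinfo/odd-port confusion tricks
    schema = ROUTES.get(parts.path)
    if schema is None:
        return None                      # unknown route
    query = parse_qs(parts.query, keep_blank_values=True)
    clean = {}
    for key, values in query.items():
        if key not in schema or len(values) != 1:
            return None                  # unknown or duplicated parameter
        if not schema[key].fullmatch(values[0]):
            return None                  # malformed value
        clean[key] = values[0]
    if set(clean) != set(schema):
        return None                      # every expected parameter is required
    return parts.path, clean
```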

Disable debug features in release. Logging, debug menus, test endpoints, and developer back doors must not ship in production. Use build configurations to strip debug code and verify with automated checks before release.

Handle WebView content cautiously. WebViews bridge the app and the web with all the security implications of both. Limit JavaScript bridges, restrict allowed origins, sanitize loaded content, and never enable file access or universal access from file URLs unless absolutely required.

Use platform privacy controls. Both iOS and Android have moved aggressively to require explicit permissions for cameras, microphones, photos, contacts, location, and tracking. Request the minimum necessary, explain why, and honor user choices.

Anti-Tampering and Resilience

Assume motivated attackers will reverse engineer your binary. Anti-reverse engineering measures raise the cost but never eliminate it. Use them when the stakes justify the effort: payments, gaming, DRM, high-value enterprise apps.

Apply code obfuscation. ProGuard or R8 on Android, and tools like SwiftShield or commercial obfuscators on iOS, reduce the readability of decompiled code. Obfuscation slows attackers but does not stop them.

Detect rooting and jailbreaking. Rooted or jailbroken devices have weakened security guarantees. Apps handling money or identity may choose to refuse to run or restrict functionality on such devices. Detection is an arms race; commercial SDKs (Talsec, Promon SHIELD, Build38, Approov) maintain detection logic better than most app teams can.

Detect runtime tampering. Hooks from Frida, Xposed, and Magisk are common attacker tools. Integrity checks at startup and during sensitive operations can detect these and respond by terminating, reporting, or stepping down functionality.

Use Play Integrity API on Android and App Attest / DeviceCheck on iOS. These platform attestation services give your backend a signal about device and app integrity, complementing on-device checks.

Supply Chain and Third-Party Components

Audit SDKs. Mobile apps commonly include dozens of third-party SDKs for analytics, advertising, crash reporting, and integrations. Each is code running with your app's permissions and access to user data. Maintain an SDK inventory, scrutinize permissions and data flows, and remove SDKs that are not actively used.

Generate mobile SBOMs. Tools like CycloneDX integrations for Gradle and CocoaPods produce bills of materials. Use them for vulnerability response and compliance.

Scan dependencies. iOS and Android dependency scanners surface known CVEs in libraries. Snyk, GitHub Dependabot, and Mend support both ecosystems.

Sign and verify code distribution. Use platform signing keys with strict access controls. Rotate when team members with access leave. For Android, App Signing by Google Play removes upload key compromise as a fatal incident. For iOS, manage provisioning profiles and certificates with care.

Testing and Operations

Test against MASVS. Use the MASTG to structure mobile penetration tests. Tools like MobSF, Frida, Objection, Burp Suite Mobile Assistant, and Drozer cover most automated and manual testing needs.

Integrate security into mobile CI. Static analysis tools like MobSF, Snyk, Veracode Mobile, and Checkmarx scan binaries. Combine with dynamic testing and manual review for high-impact apps.

Plan for incident response. Define playbooks for compromised signing keys, leaked credentials, malicious SDKs, public app store reports of fraudulent versions, and exposed backend APIs. Practice through tabletop exercises.

Monitor app store presence. Counterfeit apps mimicking yours appear regularly on official stores and third-party sites. Use monitoring services to detect and report them, and educate users on how to find the official version.

Real-world Examples

In 2019, researchers found that several popular VPN apps did not properly validate SSL/TLS certificates, exposing users to man-in-the-middle attacks. The lesson reinforced the need to verify trust handling rather than trust library defaults.

The 2020 incident involving the SuperApp ecosystem of a major fintech demonstrated how a single SDK with elevated permissions could be abused across many downstream apps. SDK governance has become a board-level topic at fintechs and retailers since.

The 2022 disclosure that several Android apps were silently harvesting clipboard contents (including OTPs and addresses) prompted Google to add clipboard access notifications. Privacy-by-default platform changes continue to reshape what apps may quietly do.

Mobile banking trojans like Anatsa, SharkBot, and Hydra have repeatedly demonstrated overlay attacks, accessibility abuse, and SMS interception. Defenses include in-app overlay detection, accessibility service restrictions, and channel-binding tokens that resist relay.

Key Takeaways

Mobile app security blends classical AppSec with platform-specific hardening, device-level concerns, and a healthy respect for the reality that your binary will be reverse engineered. Use MASVS as the bar. Encrypt at rest using Keychain and Keystore. Encrypt in transit with TLS and pinning. Authenticate with modern OAuth flows in external browsers. Harden the binary, validate IPC, and use platform attestation. Audit SDKs and dependencies. Test with MASTG and ship with a mature CI pipeline.

For intermediate practitioners, the next step is to operationalize the playbook. Build internal mobile security libraries that encapsulate secure storage, networking, and authentication. Pair with developer training and code review. Mobile apps are the most accessible interface to your business; make them also the most resilient.

Ready to test your knowledge? Take the Mobile App Security MCQ Quiz on HackCert today!
