Mobile App Security Checklist

Security feels abstract until it isn't. Then it's breach notifications, angry users, potential lawsuits, and a reputation you'll spend years rebuilding. The time to care about security is before launch, not after.

Here's what to check. This isn't exhaustive (security never is), but it covers the fundamentals that most apps get wrong.

Data Storage Security

Never Store Sensitive Data in Plain Text

Sounds obvious. Yet apps constantly store passwords, tokens, and personal data in SharedPreferences (Android) or UserDefaults (iOS). These are readable by other apps on rooted/jailbroken devices, and sometimes backed up in plain text.

What to do:

• Use the Keychain (iOS) or EncryptedSharedPreferences (Android) for credentials
• Encrypt sensitive data at rest using platform encryption APIs
• Don't store anything sensitive you don't absolutely need to store

Be Careful with Backups

iOS backups and Android Auto Backup can include your app's data. If someone gets access to a backup, they get that data.

What to do:

• Exclude sensitive files from backups (iOS: isExcludedFromBackup, Android: android:allowBackup="false" or selective exclusion)
• Consider what data would be exposed in a backup scenario

Cache and Logs

Logs often contain sensitive data that developers added during debugging and forgot to remove. Caches can contain session data, tokens, or personal information.

What to do:

• Never log sensitive data (passwords, tokens, PII) even in debug builds
• Clear caches appropriately on logout
• Audit what ends up in temp files and cache directories

Network Security

Use HTTPS Everywhere

HTTP is plain text. Anyone on the same network can read it. There's no excuse for HTTP in 2025.

What to do:

• All network traffic must be HTTPS
• Enforce via App Transport Security (iOS) and Network Security Config (Android)
• Don't add exceptions unless absolutely necessary (and even then, be suspicious)

Certificate Pinning

HTTPS trusts certificate authorities. But CAs can be compromised, or users might install malicious CA certs. Certificate pinning ensures your app only trusts your specific certificate.

What to do:

• Implement certificate pinning for sensitive operations (auth, payments)
• Pin to public key hash, not full certificate (easier rotation)
• Have a rotation plan. Pinning without rotation strategy = future outage

Don't Trust the Network

Server responses could be tampered with. Don't assume because you called your API, the response is legitimate.

What to do:

• Validate all server responses
• Sign sensitive responses server-side if tampering is a concern
• Don't execute code or follow URLs from untrusted responses

Authentication and Authorization

Secure Token Storage

Auth tokens are the keys to user accounts. Treat them accordingly.

What to do:

• Store tokens in Keychain/EncryptedSharedPreferences, never in plain storage
• Use short-lived access tokens with refresh tokens
• Invalidate tokens server-side on logout, password change, or suspicious activity

Biometric Authentication

Face ID and fingerprint are convenient but need to be implemented correctly.

What to do:

• Biometrics should gate access to stored credentials, not replace them
• Handle biometric enrollment changes (new fingerprint added = re-authenticate)
• Always provide a fallback (passcode) for accessibility

Session Management

Sessions shouldn't last forever, and users should be able to see and revoke them.

What to do:

• Implement session timeouts appropriate to your app's sensitivity
• Consider re-authentication for sensitive operations
• Let users view active sessions and remotely log out

Code Security

Obfuscation and Reverse Engineering

Mobile apps can be decompiled. Your code will be read. Accept this and plan for it.

What to do:

• Enable code obfuscation (ProGuard/R8 for Android, built-in for iOS)
• Never embed secrets (API keys, credentials) in the binary. They will be found.
• Use server-side validation for anything that matters. Client-side checks can be bypassed.

Third-Party Dependencies

Your app is only as secure as its weakest dependency. That npm package or CocoaPod might have vulnerabilities.

What to do:

• Audit dependencies. Know what you're including.
• Keep dependencies updated. Security patches matter.
• Use tools like Snyk or Dependabot to track vulnerabilities
• Minimize dependencies. Less code = smaller attack surface.

Jailbreak/Root Detection

Jailbroken iOS or rooted Android devices have bypassed system protections. Your app might not be safe on them.

What to do:

• For high-security apps (banking, health), consider detecting compromised devices
• Warn users or limit functionality on detected devices
• Don't rely solely on this. Detection can be bypassed.

Input Validation

Validate Everything

Never trust input. Not from users, not from deep links, not from push notifications, not from anywhere.

What to do:

• Validate and sanitize all input before processing
• Use parameterized queries to prevent injection attacks
• Validate deep link URLs before navigating to them
• Treat push notification payloads as untrusted

WebViews

WebViews are particularly dangerous. They can execute JavaScript, access native bridges, and load arbitrary content.

What to do:

• Only load trusted URLs in WebViews
• Disable JavaScript if you don't need it
• Be extremely careful with JavaScript bridges to native code
• Use WKWebView (iOS), not the deprecated UIWebView

Privacy

Collect Minimum Data

Data you don't have can't be breached. Only collect what you actually need.

What to do:

• Audit every piece of data you collect. Justify each one.
• Delete data when it's no longer needed
• Anonymize where possible

Permissions

Only request permissions you need, when you need them, with context for why.

What to do:

• Request permissions at time of use, not at launch
• Explain why you need each permission before prompting
• Gracefully handle permission denials

Privacy Policy

Required by app stores and laws (GDPR, CCPA). Must accurately reflect your actual practices.

What to do:

• Have a privacy policy that matches what your app actually does
• Make it accessible from within the app
• Update it when your data practices change

Secure Development Practices

Code Review

Another set of eyes catches security issues you've gone blind to.

What to do:

• Security-focused code review for sensitive features
• Checklists for common vulnerabilities
• Consider external security audits for high-risk apps

Penetration Testing

Hire professionals to try to break your app before malicious actors do.

What to do:

• Pen test before major launches
• Address findings before release
• Re-test after significant changes

Incident Response Plan

Hope for the best, plan for the worst. When (not if) something goes wrong, you need a plan.

What to do:

• Know how you'll detect a breach
• Know who to notify (users, authorities, depending on jurisdiction)
• Know how to revoke compromised credentials
• Practice the plan before you need it

The Checklist

Quick reference before you ship:

• No sensitive data in plain storage
• HTTPS everywhere with no exceptions
• Tokens in secure storage, not plain preferences
• No secrets embedded in code
• Dependencies audited and updated
• All input validated
• WebViews locked down
• Permissions minimized and justified
• Privacy policy accurate and accessible
• Logging sanitized of sensitive data
• Backup exclusions configured
• Security testing completed

The Bottom Line

Security is a process, not a checkbox. You're never "done." Threats evolve, vulnerabilities are discovered, and your app changes.

But getting the fundamentals right prevents the vast majority of attacks. Most breaches exploit basic mistakes: plain text storage, HTTP endpoints, embedded credentials.

Don't be an easy target. Check the boxes, then keep checking them. Your users are trusting you with their data. Honor that trust.