Most of our customers rely on the phone's built-in security features to supplement the E3Kit encryption on the end user's device, in particular to protect the private key that E3Kit stores locally. While this is not directly part of our encryption offering, here are some minimal recommendations:

iOS:

  • Prevent keychain secrets from being carried into backups: store them with kSecAttrAccessibleWhenUnlockedThisDeviceOnly rather than kSecAttrAccessibleWhenUnlocked. The ThisDeviceOnly variants are excluded from iCloud and encrypted iTunes/Finder backups and cannot be restored onto another device, so a private key stays bound to the phone it was created on.
  • Don't allow your app to run on a jailbroken device. Treat jailbreak detection as a speed bump rather than a guarantee: a determined attacker can patch the check out.
  • Do not disable TLS certificate validation in your app (for example by accepting every server certificate in a URLSession delegate to make a test server work); such shortcuts have a habit of shipping to production.
  • Understand the security implications of Touch ID / Face ID-protected keychain items if a phone is stolen. Biometrics gate access, but anyone who knows the device passcode can enrol a new fingerprint; if the item must not survive that, protect it with the biometryCurrentSet access-control flag, which invalidates the item when the enrolled biometrics change.
  • Read through and apply Apple's security best practices.
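As an added illustration of the first and fourth bullets above (example code written for this page, not E3Kit's own key storage): the service and account names and the sample secret are made up, and the biometric variant only works on a device with a passcode and an enrolled Touch ID / Face ID.

```swift
import Foundation
import LocalAuthentication
import Security

// Assumed names for this example; E3Kit's own storage layer is not shown here.
let exampleService = "com.example.app.e3kit"
let exampleAccount = "private-key"

/// Stores `secret` so that it is readable only while the device is unlocked and
/// is never included in an iCloud or iTunes/Finder backup.
/// Returns the OSStatus from SecItemAdd (errSecSuccess on success).
func storeDeviceBoundSecret(_ secret: Data, account: String, service: String) -> OSStatus {
    // Replace any existing item; otherwise SecItemAdd fails with errSecDuplicateItem.
    // The delete returns errSecItemNotFound on first use, which is fine to ignore.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        // "ThisDeviceOnly" is the point: the item is excluded from backups and
        // cannot be restored or migrated to another device. The plain
        // kSecAttrAccessibleWhenUnlocked would travel with an encrypted backup.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    return SecItemAdd(addQuery as CFDictionary, nil)
}

/// Same as above, but additionally gated by biometrics. Trade-offs to be aware of:
/// .biometryCurrentSet makes the item unreadable once the enrolled fingerprints or
/// faces change, and WhenPasscodeSetThisDeviceOnly makes the system delete the item
/// if the device passcode is removed. Both are deliberate: a thief who knows the
/// passcode and enrols a new finger gets an invalidated item, not the key.
func storeBiometricallyGatedSecret(_ secret: Data, account: String, service: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        return errSecParam
    }

    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        // kSecAttrAccessControl replaces kSecAttrAccessible; setting both is an error.
        kSecAttrAccessControl as String: access,
    ]
    return SecItemAdd(addQuery as CFDictionary, nil)
}

/// Reads the item back. For a biometrically gated item this triggers the system
/// Touch ID / Face ID prompt; the reason string is supplied via an LAContext.
func loadSecret(account: String, service: String) -> Data? {
    let context = LAContext()
    context.localizedReason = "Unlock your encryption key"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { return nil }
    return result as? Data
}

// Constructed sample input: stand-in for the private key bytes E3Kit would hand you.
let sampleSecret = Data("example-private-key-bytes".utf8)
let status = storeDeviceBoundSecret(sampleSecret, account: exampleAccount, service: exampleService)
print(status == errSecSuccess ? "stored device-bound item" : "keychain error \(status)")
```

Whichever variant you use, check the returned OSStatus rather than assuming success: errSecMissingEntitlement and errSecInteractionNotAllowed (item requested while the device is locked) are the two failures most often seen in the field.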

Android:

  • Turn off Android Auto Backup for your app (it is on by default): set android:allowBackup="false" in the manifest, and on Android 12 and later also declare android:dataExtractionRules so that key material is excluded from both cloud backup and device-to-device transfer.
  • Don't allow your app to run on a rooted device (same caveat as for iOS: root detection raises the bar, it does not guarantee anything).
  • Do not disable TLS certificate validation in your app (no trust-all TrustManager, no HostnameVerifier that always returns true).
  • Read and apply Google's security best practices.