Most of our customers end up relying on the phone’s built-in security features to supplement the E3Kit encryption on the end user's device. While this is not directly related to our encryption offerings, here are some minimal recommendations:

iOS:

  • Keep secrets that you store in the keychain out of unintended backups (i.e. use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).

  • Don’t allow your app to run on a rooted/jailbroken device.

  • Do not disable SSL certificate validity checking in your app.

  • Understand the security implications of the TouchID-enabled keychain in case of data extraction from a stolen mobile phone.

  • Read through and apply Apple’s security best practices.
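
The keychain recommendation above, shown as a Swift sketch for an app's own secrets. This is an added example, not part of the original article or of E3Kit; the function names and the service/account parameters are hypothetical.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores `secret` so it is readable only while the device is unlocked and is
/// never restored onto a different device from a backup.
/// `service` and `account` are caller-chosen labels (hypothetical names).
func storeDeviceOnlySecret(_ secret: Data, account: String, service: String) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]

    var add = base
    add[kSecValueData as String] = secret
    // The setting the recommendation is about: the ThisDeviceOnly variant.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    var status = SecItemAdd(add as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // An older item may have been saved with a weaker class, so reset the
        // accessibility attribute together with the value.
        let changes: [String: Any] = [
            kSecValueData as String: secret,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        status = SecItemUpdate(base as CFDictionary, changes as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Reads the secret back; returns nil when no item exists.
func loadSecret(account: String, service: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    return result as? Data
}
```

A read attempted while the device is locked fails with a status other than errSecSuccess, so callers that run in the background should handle the thrown error rather than treat it as a missing item.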

Android:

  • Turn off the auto backup functionality.

  • Don’t allow your app to run on a rooted device.

  • Do not disable SSL certificate validity checking in your app.

  • Read and apply Google’s security best practices.
