Most of our customers end up relying on the phone’s built-in security features to supplement the E3Kit encryption on the end user's device. While this is not directly related to our encryption offerings, here are some minimal recommendations:
iOS:
Block unintended backup of secrets that you store in the keychain (i.e. use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).
Don’t allow your app to run on a rooted/jailbroken device.
Do not disable SSL certificate validity checking in your app.
Understand the security implications of the Touch ID-enabled keychain in case of data extraction from a stolen mobile phone.
Read through and apply Apple’s security best practices.
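The keychain recommendation above, as an added Swift example (not E3Kit's or Apple's own code): it stores a secret under kSecAttrAccessibleWhenUnlockedThisDeviceOnly, replacing any copy saved with a weaker class, and reads the attribute back to confirm it. The service and account strings are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; use your app's own values.
let service = "com.example.app.keys"
let account = "private-key"

struct KeychainError: Error { let status: OSStatus }

/// Stores `secret` so that it is readable only while the device is unlocked
/// and does not migrate to another device when a backup is restored.
func storeDeviceOnlySecret(_ secret: Data) throws {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    // Delete any earlier copy so an item saved with a weaker class
    // (e.g. kSecAttrAccessibleWhenUnlocked) is not left behind.
    let deleteStatus = SecItemDelete(identity as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainError(status: deleteStatus)
    }
    var attributes = identity
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let addStatus = SecItemAdd(attributes as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw KeychainError(status: addStatus) }
}

/// Returns true when the stored item carries the device-only class; usable
/// as a startup or unit-test check.
func secretIsDeviceOnly() -> Bool {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let found = result as? [String: Any],
          let accessible = found[kSecAttrAccessible as String] as? String else { return false }
    return accessible == (kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String)
}
```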
Android:
Turn off the auto backup functionality.
Don’t allow your app to run on a rooted device.
Do not disable SSL certificate validity checking in your app.
Read and apply Google’s security best practices.