Security & Privacy Best Practices for Mobile Apps
Security failures don't just get your app rejected: they destroy user trust. Here is a practical checklist covering data storage, network security, permissions, and compliance before you submit.
Security risk areas and how to fix them
Data storage
Risk (critical): Storing sensitive data (tokens, passwords, PII) in plain text in SharedPreferences (Android) or NSUserDefaults (iOS).
Fix: Use Android Keystore or iOS Keychain for sensitive credentials. Encrypt local databases (SQLCipher). Never store passwords in any local storage: use token-based auth.
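As an added example (not code from the original page), the Android side of this fix: a session token is encrypted with an AES-GCM key that lives in the Android Keystore, so SharedPreferences only ever holds ciphertext and an IV. The key alias and preferences file name are assumptions chosen for the example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE_PROVIDER = "AndroidKeyStore"
private const val KEY_ALIAS = "session_token_key"   // assumed alias name
private const val PREFS_NAME = "session"            // assumed preferences file
private const val TRANSFORMATION = "AES/GCM/NoPadding"

/** Returns the AES key held in the Keystore, generating it on first use. The key material never leaves the Keystore. */
private fun getOrCreateKey(): SecretKey {
    val keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER).apply { load(null) }
    (keyStore.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER)
        .apply { init(spec) }
        .generateKey()
}

/** Encrypts the token with AES-GCM under the Keystore key; only ciphertext and the IV reach SharedPreferences. */
fun saveToken(context: Context, token: String) {
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())   // Keystore picks a fresh random IV
    val ciphertext = cipher.doFinal(token.toByteArray(Charsets.UTF_8))
    context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).edit()
        .putString("token_iv", Base64.encodeToString(cipher.iv, Base64.NO_WRAP))
        .putString("token_ct", Base64.encodeToString(ciphertext, Base64.NO_WRAP))
        .apply()
}

/** Decrypts the stored token, or returns null if none is stored. Tampered ciphertext fails the GCM tag check and throws. */
fun loadToken(context: Context): String? {
    val prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
    val iv = prefs.getString("token_iv", null) ?: return null
    val ciphertext = prefs.getString("token_ct", null) ?: return null
    val cipher = Cipher.getInstance(TRANSFORMATION)
    cipher.init(
        Cipher.DECRYPT_MODE, getOrCreateKey(),
        GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP))   // 128-bit authentication tag
    )
    return String(cipher.doFinal(Base64.decode(ciphertext, Base64.NO_WRAP)), Charsets.UTF_8)
}

/** On logout: wipe the local copy. The server must still invalidate the session on its side. */
fun clearToken(context: Context) {
    context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE).edit().clear().apply()
}
```

Because the Keystore generates the IV itself, the IV must be saved next to the ciphertext; a backup or file copy of the preferences file on another device is useless without the non-exportable key.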
Network communication
Risk (critical): Transmitting data over HTTP, or using HTTPS but accepting invalid certificates (common in debug code left in production).
Fix: Enforce HTTPS everywhere. Enable App Transport Security (iOS) with no exceptions. Use certificate pinning for apps handling payments or health data. Disable cleartext traffic in the Android manifest.
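As an added example (not from the original page), an OkHttp client that fails any non-HTTPS request at runtime and pins the API host's public key. The host name is an assumption and both pin values are placeholders that must be replaced with the real SHA-256 SPKI hashes of your server's certificate chain. This complements, rather than replaces, `android:usesCleartextTraffic="false"` on the manifest's `<application>` element.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Response
import java.io.IOException

// Assumed API host; pin values are placeholders, not real hashes.
private const val API_HOST = "api.example.com"
private const val PRIMARY_PIN = "sha256/REPLACE_WITH_PRIMARY_SPKI_HASH="
private const val BACKUP_PIN = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH="

/**
 * Rejects any request whose URL is not https://, so an http:// endpoint left in a config
 * file fails loudly in testing instead of leaking traffic in production.
 */
class HttpsOnlyInterceptor : Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request()
        if (!request.isHttps) {
            throw IOException("Cleartext request blocked: ${request.url}")
        }
        return chain.proceed(request)
    }
}

/** Builds the single client the app should use for API calls. Do not install a permissive TrustManager or HostnameVerifier on it, even in debug builds. */
fun buildPinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN)
        .add(API_HOST, BACKUP_PIN)   // a backup pin lets you rotate keys without bricking installed apps
        .build()
    return OkHttpClient.Builder()
        .addInterceptor(HttpsOnlyInterceptor())
        .certificatePinner(pinner)
        .build()
}
```

Pin the public key of a certificate you control (your leaf or intermediate), ship at least one backup pin, and have a tested rotation plan; an expired single pin is a self-inflicted outage for every installed copy of the app.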
Permission minimisation
Risk (high): Requesting permissions your app doesn't actively use (background location, contacts, camera) inflates the attack surface and triggers store rejections.
Fix: Audit every permission in your manifest. Request permissions at the point of use, not on launch. Remove permissions that were only needed by SDKs you have since removed.
Authentication & session management
Risk (critical): Sessions that never expire, tokens stored in insecure storage, missing biometric re-authentication before sensitive actions.
Fix: Use short-lived JWT tokens with refresh. Require biometric or PIN re-authentication before payments or data export. Invalidate sessions on logout server-side.
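As an added example (not from the original page), a re-authentication gate built on AndroidX `BiometricPrompt`: the sensitive action runs only after the user passes a strong biometric or the device PIN/pattern, and a device with no usable authenticator is reported so the caller can fall back to a server-side step-up. The `submitPayment()` and `showStepUpRequired()` calls in the usage comment are hypothetical.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

/**
 * Calls [onAuthenticated] only after a successful biometric or device-credential check.
 * Cancellation, lockout and failed attempts leave the action blocked; nothing else needs to happen.
 * Calls [onUnavailable] when the device cannot authenticate at all, so the caller can require a server-side step-up instead.
 */
fun requireReauth(
    activity: FragmentActivity,
    reason: String,
    onAuthenticated: () -> Unit,
    onUnavailable: () -> Unit
) {
    val allowed = BIOMETRIC_STRONG or DEVICE_CREDENTIAL
    if (BiometricManager.from(activity).canAuthenticate(allowed) != BiometricManager.BIOMETRIC_SUCCESS) {
        onUnavailable()
        return
    }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            onAuthenticated()
        }
    }
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Confirm it's you")
        .setSubtitle(reason)
        // With DEVICE_CREDENTIAL allowed, no negative button is set; the system offers the PIN fallback itself.
        .setAllowedAuthenticators(allowed)
        .build()
    prompt.authenticate(info)
}

// Usage at the point of the sensitive action (hypothetical payment screen):
// requireReauth(this, "Authorise payment",
//     onAuthenticated = { submitPayment() },
//     onUnavailable = { showStepUpRequired() })
```

Treat the local check as a gate on the client only: the server should still require a fresh, short-lived token for the payment or export call so that a bypassed prompt on a rooted device does not grant the action by itself.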
Third-party SDK audit
Risk (high): SDKs you include may collect data you haven't disclosed, contain vulnerabilities, or have broader permissions than necessary.
Fix: Audit every SDK with Exodus Privacy (Android) or check Apple's privacy nutrition labels. Review SDK changelogs before updating. Remove any SDK you don't actively use.
Code obfuscation
Risk (medium): Release builds without obfuscation expose API endpoints, hardcoded keys, and internal logic to reverse engineering.
Fix: Enable ProGuard/R8 for Android release builds. Don't hardcode API keys in source: use environment variables or a secrets manager. Rotate any keys that were ever committed to git.
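As an added example (not from the original page), the module-level `build.gradle.kts` settings that turn on R8 for release builds and pull a client identifier from the CI environment instead of source. The `API_CLIENT_ID` variable name is an assumption.

```kotlin
// Module-level build.gradle.kts (Kotlin DSL); only the security-relevant parts are shown.
android {
    buildFeatures {
        buildConfig = true
    }

    defaultConfig {
        // Read from the build environment so the value never lives in git.
        // Caveat: anything in BuildConfig is still readable from the APK, with or without R8.
        // Only put values here that are safe to treat as public (a client ID, a public key), never a server secret.
        buildConfigField(
            "String", "API_CLIENT_ID",
            "\"${System.getenv("API_CLIENT_ID") ?: ""}\""
        )
    }

    buildTypes {
        release {
            isMinifyEnabled = true       // R8: shrink and obfuscate code
            isShrinkResources = true     // drop resources nothing references
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
    }
}
```

R8 renames classes and removes dead code, but it does not encrypt string constants, so the point of the environment-variable approach is to keep secrets out of the repository and out of the shipped binary altogether: genuine secrets belong on a server the app calls with a user-scoped token.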
Input validation
Risk (high): Accepting unsanitised user input that gets passed to SQL queries, file paths, or displayed in WebViews without escaping.
Fix: Validate and sanitise all user input at the point of entry. Use parameterised queries. Disable JavaScript in WebViews unless explicitly required.
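As an added example (not from the original page), the three input sinks named above on Android, each shown in its hardened form, with the SQL case also shown in its vulnerable form for contrast. The `users` table and the file and comment helpers are assumptions for the example.

```kotlin
import android.content.Context
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.text.Html
import android.webkit.WebView
import java.io.File

// Vulnerable: the value is concatenated into the statement, so input containing a quote changes the query's meaning.
fun findUserUnsafe(db: SQLiteDatabase, name: String): Cursor =
    db.rawQuery("SELECT id, name FROM users WHERE name = '$name'", null)

// Fixed: parameterised query. The driver binds the value; it is never parsed as SQL.
fun findUser(db: SQLiteDatabase, name: String): Cursor =
    db.rawQuery("SELECT id, name FROM users WHERE name = ?", arrayOf(name))

// Fixed: a user-supplied file name is confined to the app's private directory by comparing
// canonical paths, which catches "../" and symlink escapes that character filtering misses.
fun openUserFile(context: Context, requestedName: String): File {
    val base = context.filesDir.canonicalFile
    val target = File(base, requestedName).canonicalFile
    require(target.path.startsWith(base.path + File.separator)) { "Path escapes app storage" }
    return target
}

// Fixed: WebView defaults hardened. Enable JavaScript only in the one place a feature needs it.
fun hardenWebView(webView: WebView) {
    with(webView.settings) {
        javaScriptEnabled = false
        allowFileAccess = false
        allowContentAccess = false
    }
}

// Fixed: untrusted text is HTML-escaped before it is embedded in markup shown by the WebView.
fun renderComment(webView: WebView, comment: String) {
    val html = "<p>" + Html.escapeHtml(comment) + "</p>"
    webView.loadData(html, "text/html", "utf-8")
}
```

Validation at the point of entry (length, character set, expected format) still matters, but the binding, canonical-path and escaping steps are what make the sinks safe regardless of what validation missed.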
Privacy compliance requirements
GDPR (EU)
Applies to: any app with EU users
Requires: data processing consent, right to deletion, data export, privacy policy, DPA with any processors
CCPA (California)
Applies to: apps with CA users and >$25M revenue or >100K users' data
Requires: opt-out of data sale, data deletion requests, privacy notice at collection
COPPA (US)
Applies to: any app marketed to or used by children
Requires: no data collection from under-13s without verifiable parental consent
App Store Privacy Labels
Applies to: all App Store submissions
Requires: accurate declaration of all data collected, linked to identity or used for tracking
Google Play Data Safety
Applies to: all Google Play submissions
Requires: disclosure of all data types collected, shared, and whether encrypted in transit
Pre-submission security checklist
No API keys, secrets, or credentials committed to source code
All network calls use HTTPS: no HTTP endpoints in production build
Certificate pinning enabled for apps handling payments or health data
Sensitive data stored in Keychain (iOS) or Keystore (Android): not UserDefaults or SharedPreferences
ProGuard/R8 enabled for Android release builds
Every permission in the manifest is actively used by a live feature
Privacy policy is live, accurate, and covers every SDK you use
App Store Privacy Labels / Google Play Data Safety form matches what your app actually does
iOS PrivacyInfo.xcprivacy present and declares all required reason APIs
All third-party SDKs audited: no unexpected data collection
Scan for security and privacy issues: free
Our App Health Check automatically detects debug builds, cleartext traffic, permission over-requests, and missing privacy manifests before you submit.