What about mobile?

When it comes to which workflow to use for an application on a mobile device, the same considerations are taken into account: can the application securely store and transmit confidential data. This topic gets interesting when we start discussing modern mobile platforms. Most modern mobile platforms provide APIs for secure storage:

• iOS: iOS 4+ SDK utilizes Data Protection
• Android: Android 6+ SDK v23+ provides the Android Keystore system
• Windows Mobile: Windows Phone SDK 8+ provides the DPAPI (Data Protection API)

Tip

This is not an exhaustive list of APIs for secure storage for each platform. Most modern mobile platforms actually provide many different methods for securely storing your data. This is only a sampling.

Used in conjunction with secure transmission protocols, such as SSL or TLS, many application developers consider these satisfactory for the requirements of secure storage and transmission of confidential information, and therefore consider their mobile applications trusted. This thinking, however, is flawed. Certainly, these secure storage APIs are very secure, and are satisfactory for most practical situations. However, for applications that require a higher level of security and scrutiny, they should be considered untrusted. See the Are mobile applications trusted or untrusted? section in Chapter 10, What About Mobile?, for a more detailed discussion of this topic.