Security Best Practices
Written by Ben Collier
Updated over a week ago

Data Communications

Where possible, all app communication is secured over HTTPS. Any infrastructure written by Ocasta uses TLS (still commonly called SSL) certificates. Any third-party tools, such as analytics and crash-monitoring SDKs, are verified to send their traffic over TLS rather than plain HTTP.

User authentication always uses OAuth where services support it.

On iOS we additionally rely on App Transport Security (ATS), which blocks plaintext HTTP connections by default and requires TLS 1.2 or later with forward-secrecy cipher suites, so a downgraded or misconfigured connection fails rather than silently falling back to something weaker. Any exception to this has to be declared per host in the app's Info.plist, which keeps the list of non-TLS endpoints explicit and reviewable.
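As an added illustration (this fragment is not taken from the page or from any Ocasta project, and the host name is an assumption), the following shows the ATS keys as they appear in an app's Info.plist. The first dictionary is the setting a developer often reaches for to "make it work", which switches ATS off for every host; the second keeps ATS on and carves out a single, explicit exception for one legacy host.

```xml
<!-- WEAK: do not ship. Disables ATS for every host, so plaintext HTTP and
     TLS versions below 1.2 are accepted for all connections the app makes. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- HARDENED: ATS stays on (the default) for every host except the one named
     below. legacy.example.com is an assumed host used only for illustration. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>legacy.example.com</key>
        <dict>
            <!-- Only this host may be contacted over plain HTTP. -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- Do not extend the exception to subdomains. -->
            <key>NSIncludesSubdomains</key>
            <false/>
        </dict>
    </dict>
</dict>
```

A useful check during review is to search the Info.plist for NSAllowsArbitraryLoads and NSExceptionDomains: every entry found there is a host where the guarantees described above no longer hold and should have a written justification.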

Application Security

We adhere to the OWASP Mobile Top Ten risks for applications. Sensitive data stored on the device is protected using the OS-level secure storage: on Android, stored credentials are protected with the Android Keystore system; on iOS they are stored in the iOS Keychain. Keychain protection is only as strong as the accessibility class chosen for each item, so items are given the most restrictive class the feature allows (for example, readable only while the device is unlocked, and not migrated to backups or other devices).

Tokens and strings embedded in the binary are obfuscated to make them harder to recover by decompilation. Obfuscation raises the cost of extraction rather than preventing it, so anything that must remain secret is not shipped in the binary at all; credentials that must be on the device are issued per user after authentication and kept in the keychain rather than compiled in.

Web Application Security

Any web services adhere to the OWASP Top Ten Project and use OAuth for authentication. Servers have restricted access, and all non-essential services are disabled to reduce the exposed surface.

Code and Compilation

Each coding task passes through automated tests and at least one human-reviewed pull request before it can reach production.

Our app code is validated at compile time by the Android and iOS toolchains and checked again when uploaded to the respective app stores. Code is only compiled with tools obtained directly from the platform vendor, never through third-party redistributions, so a tampered toolchain cannot inject code into the build.

App Marketplace Account Security

Our build systems upload apps to the App Store and Google Play automatically, minimising the need for staff to have direct access to marketplace accounts. Team members who do have access keep the passwords in an encrypted password manager on a managed machine. Computers additionally have full-disk encryption using FileVault. Staff devices are managed through a remote system that allows them to be deactivated if lost or stolen.

iOS Enterprise Account Security

iOS applications can be delivered as Enterprise apps, which allows sensitive applications to be made available to an organisation's own users without publishing them on the publicly accessible App Store.

The provisioning profiles and signing certificates used to sign these apps are stored AES-256 encrypted, since anyone holding them could sign and distribute an app that enrolled devices would trust as ours.
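The following is an added example of how signing material can be kept AES-256 encrypted at rest; it is not Ocasta's own tooling, and the file names, passphrase handling and iteration count are assumptions. The inputs are constructed stand-ins, not real certificates or profiles.

```shell
#!/bin/sh
# Added example (not Ocasta's own tooling): protect iOS signing material
# (a .p12 certificate export and a .mobileprovision profile) with AES-256
# before it is stored in a repository or artifact store. File names and
# the iteration count are assumptions.
set -eu

PBKDF2_ITER=600000   # passphrase-to-key derivation cost (assumed value)

# encrypt_secret PLAINTEXT CIPHERTEXT PASSFILE
# AES-256-CBC with a random salt and a PBKDF2-derived key. The passphrase
# is read from the first line of PASSFILE so it never appears on the
# command line or in shell history.
encrypt_secret() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_secret CIPHERTEXT PLAINTEXT PASSFILE
decrypt_secret() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -md sha256 \
        -in "$1" -out "$2" -pass "file:$3"
}

# roundtrip_ok: encrypt constructed stand-in files, decrypt them again and
# return 0 only if every plaintext is reproduced byte-for-byte and the
# ciphertext no longer contains the original bytes.
roundtrip_ok() {
    dir=$(mktemp -d)
    # constructed inputs: not real credentials or signing material
    printf 'constructed-passphrase-%s\n' "$$" > "$dir/pass"
    printf 'constructed stand-in for dist.p12 bytes\n' > "$dir/dist.p12"
    printf 'constructed stand-in for app.mobileprovision\n' > "$dir/app.mobileprovision"
    ok=0
    for f in dist.p12 app.mobileprovision; do
        encrypt_secret "$dir/$f" "$dir/$f.enc" "$dir/pass"
        decrypt_secret "$dir/$f.enc" "$dir/$f.out" "$dir/pass"
        if ! cmp -s "$dir/$f" "$dir/$f.out"; then ok=1; fi
        if grep -q 'constructed stand-in' "$dir/$f.enc"; then ok=1; fi
    done
    rm -rf "$dir"
    return $ok
}

# Self-check when the script is run directly.
roundtrip_ok && echo "AES-256 round trip OK"
```

In practice the .enc files can live in a private repository or artifact store, while the passphrase lives only in the CI system's secret store and is written to a temporary file for the duration of a build; rotating the passphrase means decrypting with the old one and re-encrypting with the new, and revoking the certificate itself is still the right response if the ciphertext and passphrase are ever exposed together.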

These enterprise apps are usually delivered to corporately managed devices via an MDM (mobile device management) solution, which installs the app on the device without the user having to manually trust the enterprise developer profile.
