Mobile application security encompasses the practices, techniques, and technologies used to protect mobile apps and their data from threats across iOS and Android platforms. As mobile devices become the primary computing platform for billions of users, securing mobile applications has evolved from a best practice to a fundamental requirement. The attack surface includes authentication mechanisms, data storage, network communication, code integrity, and platform-specific vulnerabilities. A critical insight often overlooked: mobile security isn't just about protecting data in the app—it's about securing data across the entire ecosystem, from device storage to backend APIs, recognizing that the weakest link is often where the mobile environment meets third-party services or compromised devices.
What This Cheat Sheet Covers
This topic spans 21 focused tables and 168 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Authentication Methods
Strong authentication is the first line of defense for mobile apps. The shift toward passwordless methods—passkeys and biometrics—alongside OAuth 2.0 with PKCE reflects a broader industry move away from credential-based attacks that remain the top cause of mobile account takeovers.
| Method | Example | Description |
|---|---|---|
| OAuth 2.0 Authorization Code with PKCE | `https://auth.example.com/authorize?response_type=code&code_challenge=xyz&code_challenge_method=S256` | • Authorization Code flow with Proof Key for Code Exchange prevents authorization code interception attacks • mandatory for mobile apps since client secrets cannot be securely stored |
| Passkeys (WebAuthn/FIDO2) | Android: `CredentialManager.createCredential(CreatePublicKeyCredentialRequest(json))`<br>iOS: `ASAuthorizationPlatformPublicKeyCredentialProvider` | • Passwordless authentication using public-key cryptography (WebAuthn/FIDO2) • Android uses the Credential Manager API, iOS uses Authentication Services • phishing-resistant and synced via iCloud Keychain / Google Password Manager |
| Biometric authentication | iOS: `LAContext().evaluatePolicy()`<br>Android: `BiometricPrompt.authenticate()` | • Face ID, Touch ID, or fingerprint authentication using platform APIs • biometric data never leaves the Secure Enclave/TEE and cannot be accessed by apps |
| Multi-factor authentication (MFA) | TOTP code: `123456`<br>SMS: "Code is 456789" | • Combines multiple verification factors (password + OTP/biometric) • significantly reduces account takeover risk |
| Refresh token rotation | `POST /token {refresh_token: "old", grant_type: "refresh_token"}` → `{access_token: "new", refresh_token: "new"}` | • Issues a new refresh token on each use and invalidates the old one • prevents token replay if a refresh token is compromised |
| JWT access tokens | `eyJhbGci...` (header.payload.signature) | • Stateless tokens containing claims • must be stored in the iOS Keychain / Android Keystore, use a short expiration (5–15 min), and be validated on every request |
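The PKCE row above is worth seeing end to end: the app derives an S256 `code_challenge` from a random `code_verifier`, sends only the challenge to `/authorize`, and the authorization server later accepts the code only when the presented verifier hashes back to the stored challenge. This is an added Python example, not code from the cheat sheet; the `client_id`, `redirect_uri` and the issued code are constructed placeholders, and `server_verify_pkce` stands in for the server's own check.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"  # endpoint from the PKCE row


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes encode to 43 chars."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """The /authorize request the app opens in the system browser; no client secret is sent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side (hypothetical helper): the token request must carry the
    verifier whose hash equals the challenge bound to the code. Constant-time compare."""
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


def demo() -> dict:
    """Legitimate redemption succeeds; a party holding only the code (not the verifier) fails."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    issued = {"code": "constructed-auth-code", "code_challenge": challenge}  # server-side record
    legit = server_verify_pkce(issued["code_challenge"], verifier)
    intercepted = server_verify_pkce(issued["code_challenge"], make_code_verifier())
    return {"legitimate": legit, "intercepted": intercepted}
```

The verifier must live only in the app's memory for the duration of the flow; it is the one secret the intercepted code cannot be redeemed without.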