For reference see [Link].
Our app is built on top of the Cordova framework, which we upgrade regularly whenever new versions are released. As such, our apps are just a website run locally on the device while interacting with our APIs. This also means that the only code we maintain is JavaScript/HTML/CSS.
- M1 – Improper Platform Usage
  We only ask for the permissions we need. Currently that is internet connectivity, data storage, push notifications and the device ID (used by push).
- M2 – Insecure Data Storage
  We only store a user token for the logged-in user. No PII or health data is stored locally on the device.
- M3 – Insecure Communication
  We only connect to our API over SSL/TLS (Grade A).
- M4 – Insecure Authentication
  The user token is validated at each request to our servers.
- M5 – Insufficient Cryptography
  See M3.
- M6 – Insecure Authorization
  See M3.
- M7 – Client Code Quality
  N/A
- M8 – Code Tampering
  The code in the app can be tampered with by hooking the phone up to a standard Web Inspector or Chrome browser, as it is just a website. That does not mean that it is insecure: the security lies at the server-level API, just like a normal website.
- M9 – Reverse Engineering
  Yes, it can be reverse engineered just like a web page. Therefore, no cryptographic constants and ciphers or intellectual property are stored in the app.
- M10 – Extraneous Functionality
  We have a separate process for building and testing the app in debug mode to ensure that no extraneous functions are included in the release build.