If your system or application is mobile-app based, which security measures have been built into your code to avoid the OWASP Mobile Top 10 issues?

For reference see [Link].

Our app is built on top of the Cordova Framework, which we upgrade regularly whenever new versions are released. As such, our apps are just a website run locally on the device while interacting with our APIs. This also means that the only code we maintain is JavaScript/HTML/CSS.

  • M1 – Improper Platform Usage
    We only ask for the permissions we need. Currently that is internet connectivity, data storage, push notification, device id (used by push)
  • M2 – Insecure Data Storage
    We only store a user token for the logged-in user. No PII or health data is stored locally on the device.
  • M3 – Insecure Communication
    We only connect over SSL/TLS (Grade A) to our API
  • M4 – Insecure Authentication
    The user token is validated at each request to our servers
  • M5 – Insufficient Cryptography
    See M3
  • M6 – Insecure Authorization
    See M3
  • M7 – Client Code Quality
    N/A
  • M8 – Code Tampering
    The code in the app can be tampered with by hooking the phone up to a standard Web Inspector or the Chrome browser, as it is just a website. That doesn't mean that it is insecure: the security lies at the server-level API, just like a normal website.
  • M9 – Reverse Engineering
    Yes, it can be reverse engineered just like a web page. Therefore, no cryptographic constants, ciphers or intellectual property are stored in the app.
  • M10 – Extraneous Functionality
    We have a separate process for building and testing the app in debug mode to ensure that no extraneous functions that are not needed are included.
