For reference see [Link].
- M1 – Improper Platform Usage
We only ask for the permissions we need. Currently that is internet connectivity, data storage, push notification, device id (used by push)
- M2 – Insecure Data Storage
We only store a user token for the logged in user. No PII og health data is stored locally on the device.
- M3 – Insecure Communication
We only connect over SSL/TLS (Grade A) to our API
- M4 – Insecure Authentication
The user token is validated at each request to our servers
- M5 – Insufficient Cryptography
- M6 – Insecure Authorization
- M7 – Client Code Quality
- M8 – Code Tampering
The code in the app can be tampered with by hooking the phone up to a standard Web Inspector or Chrome Browser as it is just a website. That doesn’t mean that it insecure – the security lies at the server-level API – just like a normal website
- M9 – Reverse Engineering
Yes, it can be reverse engineered just like a webpage. Therefore, no cryptographic constants and ciphers or intellectual property are stored in the app.
- M10 – Extraneous Functionality
We have a seperate process for building and testing the app in debug mode to ensure that no extraneous functions are not needed.