When deploying (mobile) apps for verticals such as Healthcare or Banking, you typically have to get the app approved or blessed by the customer’s IT security team.
Some tips or info:
- Only deploy, even for Proof of Concepts (POCs), properly signed apps
- Do not use or store personally identifiable information that can track users
- Use device IDs (Advertising ID, IDFA and IDFV) that don’t identify individual users
- Sensitive information shall be encrypted
- Sensitive information shall live behind the firewall
- Cache TTL values for sensitive data are not “infinite”
- Show Analytics at the user aggregation level
- Beacons do not track users. Beacons only emit the signals used for proximity and/or triangulation
- And last but not least, if using bit.ly for whatever reason, be prepared to prove that this particular .ly domain and its related servers are not located in Libya and that traffic does not pass through Libya; a simple traceroute will help show this point.
- What You Didn’t Know About .LY, .TV, .SY And Other Foreign Domain Names
- 3 Part Series on Security & Privacy on Mobile Apps
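For the traceroute tip above, here is an added example (not from the original post) that extracts each responding hop from traceroute output and annotates it with its AS number and country, which is the evidence a reviewer will want. It assumes the standard traceroute output format and, for the lookup step only, a `whois` client plus network access to Team Cymru’s IP-to-ASN service at whois.cymru.com.

```shell
#!/bin/sh
# Added example, not from the original post: show where a request path goes.
# Assumes standard traceroute output; the lookup step assumes a `whois` client
# and network access to Team Cymru's IP-to-ASN service (whois.cymru.com).

# hop_ips: read traceroute output on stdin and print one IPv4 address per
# responding hop, in order, without duplicates. Works with and without -n
# ("3  host (10.0.0.1)  5 ms" and "3  10.0.0.1  5 ms"); timed-out hops
# ("* * *") and the "traceroute to ..." header line are skipped.
hop_ips() {
    awk '/^ *[0-9][0-9]* / {
        for (i = 2; i <= NF; i++) {
            ip = $i
            gsub(/[()]/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                if (!seen[ip]++) print ip
                break
            }
        }
    }'
}

# asn_lookup: read one IP per line on stdin and print Cymru's verbose answer
# ("AS | IP | BGP prefix | CC | registry | allocated | AS name") for each,
# dropping the repeated header line so the country codes line up per hop.
asn_lookup() {
    while read -r ip; do
        whois -h whois.cymru.com " -v $ip" | grep -v '^AS *|'
    done
}

# Usage: sh path_check.sh bit.ly
if [ -n "${1:-}" ]; then
    traceroute -w 2 "$1" | hop_ips | asn_lookup
fi
```

Keep in mind that traceroute only shows the forward path from the machine it is run on, so run it from the network the app will actually be used on and keep the output as part of the review package.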