Stop “inventing” your own security practices ● Security is very, very hard to get right ● You’re not that smart! ● It is easier to do the known right thing... than to know what you’re doing wrong
Don’t try to “save” your API endpoints from the client ● Your backend should not be affected by a rogue client: the app can be decompiled, patched, and its requests replayed or forged ● Assume MITM all the way: the user owns the device, so they own the traffic ● Certificate pinning does not solve this! It keeps a third party off the wire, not the device’s owner ● whoops... “Basic HTTP auth over TLS”: once the traffic is intercepted on the device, the credential is sitting in the Authorization header
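The “rogue client” point, as an added example that is not part of the original slides: a vulnerable handler that trusts fields the app computed next to a hardened one that derives identity and price on the server. All names (Request, SESSIONS, PRICE_CENTS) are hypothetical stand-ins for a real session store and catalogue.

```java
import java.util.Map;

// Added example, not from the slides. Request, SESSIONS and PRICE_CENTS are hypothetical;
// the point is where the trust boundary sits.
public class RogueClientDemo {

    // What arrived over the network: every field is attacker-controlled, TLS or not.
    record Request(String sessionToken, Map<String, String> body) {}

    // Server-side truth: the session table and the price list live here, not in the APK.
    static final Map<String, String> SESSIONS = Map.of("tok-alice", "alice");
    static final Map<String, Integer> PRICE_CENTS = Map.of("sku-1", 4999);

    // VULNERABLE: trusts userId and priceCents that the client filled in. A patched app
    // or a replayed request can order as anyone, at any price.
    static String placeOrderTrustingClient(Request r) {
        String user = r.body().get("userId");
        int price = Integer.parseInt(r.body().get("priceCents"));
        return user + " pays " + price + " for " + r.body().get("sku");
    }

    // HARDENED: identity comes from the server-side session, price from the catalogue,
    // and the only client field used (sku) is validated against server data first.
    static String placeOrder(Request r) {
        String user = SESSIONS.get(r.sessionToken());
        if (user == null) {
            throw new SecurityException("invalid session");
        }
        String sku = r.body().get("sku");
        Integer price = (sku == null) ? null : PRICE_CENTS.get(sku);
        if (price == null) {
            throw new IllegalArgumentException("unknown sku");
        }
        // userId and priceCents from the client are ignored entirely.
        return user + " pays " + price + " for " + sku;
    }

    public static void main(String[] args) {
        // Constructed tampered request: valid session, but the body claims to be "bob"
        // buying for one cent.
        Request tampered = new Request("tok-alice",
                Map.of("userId", "bob", "sku", "sku-1", "priceCents", "1"));
        System.out.println(placeOrderTrustingClient(tampered));
        System.out.println(placeOrder(tampered));
    }
}
```

The hardened handler is the reason pinning is irrelevant to this threat: whether or not the attacker can read the TLS stream, nothing they can change in the request lets them act as another user or set their own price.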
Insecure data storage ● Anything in “private” (internal, app-specific) storage is owned by the app’s own UID and cannot be read by other apps on a non-rooted device ● … but anything in shared “external” storage can be read by any app holding the storage permission, and by anyone with the device over USB!
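The two storage locations from the slide, as an added Android example that is not part of the original deck. It writes the same bytes to internal storage and to the shared Downloads directory, and includes a small check for auditing where a path actually lives. The class and method names are invented for illustration; the Android APIs are real.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example, not from the slides. StorageDemo and its methods are hypothetical names.
public final class StorageDemo {

    // Internal ("private") storage: /data/data/<package>/files/<name>. The file is owned by
    // the app's Linux UID with mode 0600, so other apps cannot open it on a stock device.
    // MODE_PRIVATE is the only sensible mode: MODE_WORLD_READABLE throws SecurityException
    // from API 24 onward.
    public static File writePrivate(Context ctx, String name, String contents) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(contents.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), name);
    }

    // Shared external storage (the public Downloads directory): readable by any app with the
    // storage permission, visible over USB, and it survives uninstall. Never put tokens,
    // session cookies or personal data here.
    public static File writeExternalShared(String name, String contents) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        File f = new File(dir, name);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(contents.getBytes(StandardCharsets.UTF_8));
        }
        return f;
    }

    // Audit helper: true only if the file resolves under the app's internal files directory.
    // Canonical paths defeat "../" tricks and symlinks that point out of the sandbox.
    public static boolean isInPrivateStorage(Context ctx, File f) throws IOException {
        String privateRoot = ctx.getFilesDir().getCanonicalPath() + File.separator;
        return f.getCanonicalPath().startsWith(privateRoot);
    }
}
```

Two caveats a practitioner will hit. First, getExternalStoragePublicDirectory is deprecated from Android 10 (API 29), where scoped storage routes shared media through MediaStore and also stops other apps from reading your app-specific external directory (getExternalFilesDir); on older releases that directory is just another folder on shared storage. Second, “private” means private from other apps, not from the device owner: root, a debug build, or an ADB backup of an app with allowBackup enabled all expose internal storage, so secrets there still belong in the Android Keystore or encrypted at rest.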