Security

Mobile dev is a bit like speed-running a cooking show: race to ship the dish, hope nothing catches fire, smile for the camera. Unfortunately, three ingredients can spoil the meal every time—API keys, rogue certificates, and stray data crumbs on the device. Let’s walk through each risk, sprinkle in fixes you can apply this week, and keep the smoke alarm quiet.
1 · Secrets in the Bundle
What’s going wrong?
Your build pipeline cheerfully bakes API keys straight into the binary, or you stashed a Stripe secret in a .env “just for staging” that somehow made it into the final APK. Decompilers love that.
See how ridiculously easy it is to extract a secret from your app.
How to fix it (painlessly)
Give the secret a bouncer.
Stand up a tiny back-end (Cloud Function, Lambda, Cloudflare Worker—pick your poison) that appends the key, forwards the call, and keeps the secret out of the app file forever. If you're not well-versed in the witchcraft of backend development, don't worry: there are still ways to keep secrets out of the app files forever.
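Here is what that bouncer looks like in code. This is an added example, not the article's own code and not Proxana's: a plain handler you could drop into a Cloudflare Worker, Lambda or small Node service. The upstream host, the allowed routes and the secret value are all assumptions for the demo. The app calls the proxy; the proxy attaches the secret and forwards the call, so the key never exists inside the bundle.

```javascript
// Assumed upstream API and the only routes the app is allowed to reach.
// Without an allowlist, anyone who finds the proxy URL gets free use of
// your key for every endpoint the upstream offers.
const UPSTREAM_BASE = 'https://api.example.com';
const ALLOWED_PATHS = new Set(['/v1/models', '/v1/completions']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// Pure function: turn the app's request into the upstream request.
// Returns null when the request must be rejected.
function buildUpstreamRequest(incoming, secret) {
  const { method, path, headers = {} } = incoming;
  if (!ALLOWED_PATHS.has(path) || !ALLOWED_METHODS.has(method)) return null;

  // Forward only harmless headers. In particular, drop any Authorization
  // header the client sent; the proxy alone decides what key goes upstream.
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'content-type' || lower === 'accept') forwarded[lower] = value;
  }
  forwarded.authorization = `Bearer ${secret}`;
  return { url: UPSTREAM_BASE + path, method, headers: forwarded };
}

// Handler wiring. `secret` comes from the platform's secret binding or
// environment, never from source; fetchImpl is injectable for offline use.
async function handleRequest(incoming, secret, fetchImpl = globalThis.fetch) {
  const upstream = buildUpstreamRequest(incoming, secret);
  if (!upstream) return { status: 404, body: 'not found' };
  const res = await fetchImpl(upstream.url, {
    method: upstream.method,
    headers: upstream.headers,
    body: incoming.body,
  });
  return { status: res.status, body: await res.text() };
}

// Constructed demo: a fake upstream that echoes which key it received,
// and an app request carrying a bogus Authorization header that must be
// replaced rather than forwarded.
async function demo() {
  const fakeFetch = async (url, init) => ({
    status: 200,
    text: async () => `${url} saw ${init.headers.authorization}`,
  });
  const app = { method: 'GET', path: '/v1/models', headers: { Authorization: 'Bearer stolen' } };
  return handleRequest(app, 'sk-placeholder-secret', fakeFetch);
}

demo().then((r) => console.log(r.status, r.body));
```

The two details worth copying are the route allowlist and the header filtering: a proxy that forwards any path and any header is just your secret with a new URL.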
Use a drop-in proxy.
Think of Proxana as the nightclub bouncer you outsource. Paste the key once, copy the new URL, replace one line in your code, done. Nights spent worrying about a surprise bill from OpenAI because your key leaked are now a thing of the past.
Audit before every release.
Unzip your production build; if you can grep a secret, so can the internet. No secret? Good. Go celebrate with coffee.
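The grep step is easy to automate. The scanner below is an added example, not from the article: run it over the text you pull out of an unzipped build (for instance the output of `strings` over classes.dex or the main binary) and fail the release if it returns anything. It also serves the "Secret scan" item in the checklist at the end. The patterns are well-known key prefixes plus an entropy heuristic for formats you did not anticipate; the sample lines are constructed (the AWS value is Amazon's documented example key, the rest are made up).

```javascript
// Well-known key shapes. Extend this list with whatever services you use.
const KNOWN_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Stripe live secret', re: /\bsk_live_[0-9a-zA-Z]{8,}\b/ },
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
  { name: 'Bearer token literal', re: /Bearer\s+[A-Za-z0-9._-]{20,}/ },
];

// Shannon entropy in bits per character. Random keys score high (around
// 4 and up); identifiers, words and padding strings score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per suspicious line; an empty array means "ship it".
function scanForSecrets(lines, entropyThreshold = 4.0) {
  const findings = [];
  lines.forEach((line, i) => {
    for (const { name, re } of KNOWN_PATTERNS) {
      const m = line.match(re);
      if (m) findings.push({ line: i + 1, kind: name, match: m[0] });
    }
    // Heuristic: something named like a secret, assigned a long, random-
    // looking value. Low-entropy placeholders are deliberately ignored.
    const assign = line.match(/(?:key|secret|token|password)[^=:]*[=:]\s*"?([A-Za-z0-9+/=_-]{24,})/i);
    if (assign && shannonEntropy(assign[1]) >= entropyThreshold) {
      findings.push({ line: i + 1, kind: 'high-entropy assignment', match: assign[1] });
    }
  });
  return findings;
}

// Constructed stand-in for `strings` output from an unzipped build.
const SAMPLE_STRINGS = [
  'Lcom/example/app/MainActivity;',
  'AWS_KEY=AKIAIOSFODNN7EXAMPLE',
  'stripe=sk_live_EXAMPLEexample0123456789',
  'User-Agent: MyApp/1.0 (Android)',
  'api_token="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
  'secret_token="Xq7pL2mV9nR4sT1wY6uZ3kB8jD5hF0gC"',
];

for (const f of scanForSecrets(SAMPLE_STRINGS)) {
  console.log(`line ${f.line}: ${f.kind}: ${f.match}`);
}
```

Expect the AWS line, the Stripe line and the high-entropy `secret_token` line to be reported, and the all-`a` placeholder to be ignored. Wire the scan into CI so a release cannot be cut while the list is non-empty.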
2 · Trusting TLS a Little Too Much
What’s going wrong?
TLS is great—until that shady airport Wi-Fi spins up its own “valid” certificate and your app can’t tell the difference. Man-in-the-middle wins, data goes poof.
How to fix it (without gray hair)
Pin the certificate, not just the domain.
Don't just trust any certificate the network gives you; be skeptical and ship your application with your server's public key (or a hash of it) so the certificate the network presents can be checked against it. If the network tries to serve a certificate other than the one from your server, you can sound the alarm and warn the user.
The simplest way to pin the certificate is to use a battle-tested package. They handle all the technical implementation of securing the communication between your app (on the user's device) and your server.
Below is a list of packages for the different platforms or frameworks.
Android native: OkHttp’s CertificatePinner.
iOS native: URLSession delegate.
Flutter: ssl_pinning_plugin.
React Native: react-native-ssl-pinning.
Use one and your users will thank you for caring about their private data.
3 · Sensitive Data Lounging Around on the Device
What’s going wrong?
Passwords, authentication tokens, application logs and personal data love to lounge in plaintext. Developers treat local device storage as "out of sight, out of mind": the phone is physically with the user, so the data must be with its rightful owner, so it must be safe.
But what happens to that data when the phone is stolen, or sold without being properly wiped? Or, worse, when a rogue app with too many privileges goes snooping around the files? You guessed it: it ends up sold on the black market to the highest bidder.
How to fix it (no capes required)
Hide data where the OS guards it.
iOS: Keychain
Android: Keystore + EncryptedSharedPreferences
Flutter: flutter_secure_storage
React Native: react-native-keychain
Encrypt before caching.
If you really must stash blobs in a local DB, wrap them in a per-device key from the secure store first.
Wipe on logout like you mean it.
Delete tokens, clear caches, restart the app. Then check the filesystem—if you find anything juicy, delete it again.
Now you and your users can sleep soundly at night knowing data (which is the most valuable commodity in the 21st century) will never be in the hands of a shady individual or organization.
Release-Day Checklist (print, tape to monitor)
Secret scan: decompile, search—no keys? ✅
Pin test: fake cert via proxy—connection rejected? ✅
Storage sweep: logout, search device—nothing sensitive left? ✅
Nail these three and you’ve turned the most common security potholes into smooth asphalt. Bonus: you’ll survive the next pen-test—and maybe even get an extra slice of launch-day cake.