Mobile Security

Project: ~~{{PROJECT_NAME}}~~Drop — Fintech Payment App Version: ~~{{VERSION}}~~0.1.0 Date: ~~{{DATE}}~~2026-02-23 Author: ~~{{AUTHOR}}~~John (AI Director, ALAI) Status: Draft ~~| In Review | Approved~~ Reviewers: ~~{{REVIEWERS}}~~Alem Bašić (CEO)

Document History

Version	Date	Author	Changes
0.1	~~{{DATE}}~~2026-02-23	~~{{AUTHOR}}~~John	Initial draft — current state analysis + Phase 2 security roadmap

1. Mobile Threat Model

Context: Drop is a PSD2-regulated payment app. It handles real money movements from users' bank accounts. Drop never stores funds, but it stores authentication tokens that could initiate payments if compromised.

~~logs~~

Threat Actor	Goal	Attack Vector	Likelihood	Impact	Mitigation
Malicious app on device	Steal ~~auth~~Bearer ~~tokens~~token	Shared ~~storage~~AsyncStorage access	Medium	~~High~~Critical	~~Secure~~Phase ~~storage~~2: ~~(Keychain/Keystore)~~migrate token to expo-secure-store
Network interceptor (MITM)	Intercept payment API calls	Rogue WiFi, proxy	Medium	~~High~~Critical	~~Certificate~~TLS 1.3 enforced; certificate pinning Phase 2
Reverse engineer	Extract API keys, business logic	APK/IPA decompilation	Medium	Medium	~~Code~~Hermes ~~obfuscation,~~bytecode; no hardcoded secrets
Stolen/lost device	~~Access~~Initiate ~~user~~payments ~~data~~as victim	Physical access + stored token	High	~~High~~Critical	~~Biometric~~Phase 2: biometric lock, ~~data~~token ~~encryption, remote wipe~~binding
Rooted/jailbroken device	Bypass security controls	OS privilege escalation	Low	High	Root/jailbreak detection Phase 2
~~Malicious~~Session ~~insider~~hijacking	~~Access~~Replay ~~user~~stolen ~~data~~token	~~Source~~Network ~~code access~~capture	Low	~~High~~Critical	~~Secrets~~Token inexpiry ~~vault,~~(7 nodays); ~~PII~~HTTPS inenforced
Social engineering	Steal BankID credentials	Phishing	Medium	Critical	User education; BankID handles its own auth

Assets to ~~protect:~~protect (priority order):

~~Auth~~Bearer ~~tokens~~token (~~access~~allows +payment ~~refresh)~~initiation from user's bank account)
User PII (name, email, ~~payment~~phone ~~info)~~— BankID-verified identity)
~~API~~Transaction ~~keys~~history ~~and~~(financial ~~secrets~~data)
~~Cached~~Exchange ~~sensitive~~rate ~~data~~API access

App integrity (prevent tampered builds)

2. Authentication

2.1 Biometric Authentication

Current state (Phase 1): Not implemented. Login is email + password only.

~~Implementation:~~Phase 2 implementation: {{expo-local-authentication | react-native-biometrics}}

// Phase 2 — lib/biometrics.ts
import * as LocalAuthentication from 'expo-local-authentication';

export async function authenticateWithBiometrics(): Promise<boolean> {
  const hasHardware = await LocalAuthentication.hasHardwareAsync();
  const isEnrolled = await LocalAuthentication.isEnrolledAsync();

  if (!hasHardware || !isEnrolled) {
    return promptPINFallback();
  }

  const result = await LocalAuthentication.authenticateAsync({
    promptMessage: 'VerifyBekreft youridentiteten identity'din',
    fallbackLabel: 'UseBruk PIN',
    cancelLabel: 'Cancel'Avbryt',
    disableDeviceFallback: false,
  });

  return result.success;
}

~~Use~~Planned biometric use cases ~~for~~(Phase ~~biometric auth:~~2):

App unlock after backgrounding > {{5 minutes}}

~~View sensitive data (payment info, full account number)~~minutes
Confirm high-value remittance transactions (amount > {{$100}})5000 NOK)
Change security settings
View full transaction history

Fallback: 4-digit PIN ~~code~~(same as web registration flow) → {{expo-secure-store}}hash stored ~~hash~~in expo-secure-store (bcrypt, not reversible)

2.2 Session Management

Property	~~Value~~Current (Phase 1)	Phase 2 Target
Access token lifetime	`{{7 days (Bearer)`	15 ~~minutes}}~~minutes (access) + 7 days (refresh)
Refresh token ~~lifetime~~	`{{30Not days}}`
~~Refresh token rotation~~implemented	~~Yes — single use, new token issued~~Rotate on each use
Session timeout	Never (~~background)~~token-based)	App lock after `{{5 minutes}}`min ~~inactive~~background
Max concurrent sessions	`{{Not limited`	3 ~~devices}}~~devices max
Force logout triggers	Manual logout only	Password change, suspicious activity, admin ~~revocation~~revoke

Token ~~storage:~~storage (current Phase 1):

// CURRENT — lib/api.js — in-memory + AsyncStorage
// WARNING: AsyncStorage is not encrypted — acceptable for MVP, not for production
let token = null;  // Module-level in-memory
await AsyncStorage.setItem('auth_token', token);  // Persisted (unencrypted)

Token storage (Phase 2 target):

// PHASE 2 — lib/auth.ts
import * as SecureStore from 'expo-secure-store';

// CORRECT — encrypted secure storage
await SecureStore.setItemAsync('access_token', token, {
  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
});

// WRONG — neverDO useNOT AsyncStorageUSE orFOR MMKV for tokensTOKENS
// await AsyncStorage.setItem('access_token', token);  // DO NOT USEUnencrypted!

2.3 TokenBankID Storage (Secure Enclave)Authentication

BankID

isDrop'sprimarystrongmechanism.TheBankIDflowishandledtheBankIDOIDCprovider—doesstoreBankID

~~Platform~~	~~Mechanism~~	~~Access~~authentication ~~Level~~
~~iOS~~	~~Keychain~~by ~~Services~~	`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`
~~Android~~	~~Android~~Drop ~~Keystore~~	`BIOMETRIC_STRONG`not see or `DEVICE_CREDENTIAL`

credentials.

~~Cannot~~Mobile beBankID ~~backed~~flow ~~up:~~(ADR-011):

~~Both~~

1. mechanismsGET /v1/auth/bankid/initiate?platform=mobile → { redirectUrl, state }
2. Open BankID in expo-web-browser (secure, isolated browser)
3. BankID redirects to drop://auth/callback?code=&state=
4. expo-linking catches the deep link
5. POST /v1/auth/bankid/callback → Bearer token (7-day)
6. Token stored (AsyncStorage Phase 1, expo-secure-store Phase 2)

Security properties of BankID:

Norwegian national ID system — eID Level 3 (substantial assurance)

All authentication happens in BankID's secure environment

Drop never sees BankID PIN or biometric data

BankID tokens are ~~device-bound~~single-use —and ~~tokens~~time-limited

~~do not transfer to new devices.~~

3. Data Protection

3.1 Secure Storage Policy

~~SQLite~~ ~~/ MMKV~~

Data Type	~~Allowed~~Phase 1 Storage	Phase 2 Storage	Forbidden ~~Storage~~
~~Access~~Bearer token	~~Keychain/Keystore~~AsyncStorage (unencrypted)	~~AsyncStorage,~~expo-secure-store ~~MMKV,~~(Keychain/Keystore)	Hardcoded
Refresh token	~~Keychain/Keystore~~Not implemented	~~AsyncStorage, MMKV~~
~~Encryption key~~expo-secure-store	~~Keychain/Keystore~~	~~Any other storage~~AsyncStorage
User PII	Not cached locally	SQLite (~~encrypted)~~encrypted with SQLCipher)	AsyncStorage
Non-sensitive prefs	AsyncStorage	AsyncStorage	—
Biometric key hash	Not implemented	expo-secure-store	Any other storage

Phase 1 risk: Bearer token stored in AsyncStorage (unencrypted) is the primary security gap. Mitigation: 7-day token expiry limits exposure window. Production apps should implement Phase 2 before launch.

3.2 Data Encryption at Rest

Phase 1: No local database. Auth token in AsyncStorage (unencrypted).

Phase 2 — Database encryption: {{SQLCipher for SQLite | Realm Encryption}}

// SQLCipherPhase initialization2 with— lib/database.ts
import * as SQLite from 'expo-sqlite';
import * as SecureStore from 'expo-secure-store';

async function openDatabase() {
  // Generate encryption key fromon Keystorefirst constlaunch
  encryptionKeylet dbKey = await SecureStore.getItemAsync('db_encryption_key');
  constif db(!dbKey) {
    dbKey = generateRandomKey(256);  // 256-bit random key
    await SecureStore.setItemAsync('db_encryption_key', dbKey);
  }

  return await SQLite.openDatabaseAsync('app.drop.db', { key: encryptionKey,dbKey });
}

~~Key generation:~~ ~~On first launch, generate 256-bit random key, store in Keychain/Keystore.~~

~~Encrypted fields (beyond DB encryption):~~

~~Field~~	~~Encryption~~	~~Key Source~~
~~Payment card (last 4 only stored)~~	~~N/A — tokenized~~	~~Stripe/Braintree~~
~~SSN / national ID~~	~~AES-256-GCM~~	~~Keychain/Keystore~~
~~Private messages~~	~~End-to-end (Signal protocol)~~	~~Derived keys~~

3.3 Sensitive Data in Memory

Rule	Phase 1 Status	Phase 2 Implementation
Clear passwords after use	Partially (useState cleanup)	Overwrite ~~string~~ variable, trigger GC
No ~~sensitive data~~PII in logs	Implemented — no `console.log(user)` in production paths	Custom logger strips PII fields
No ~~sensitive data~~PII in crash reports	TBD — no crash reporting in Phase 1	Sentry `beforeSend` hook scrubs payload
No ~~sensitive data~~PII in analytics	~~Map~~TBD — no analytics in Phase 1	Hash user ~~ID → hashed ID before sending~~IDs

3.4 Screenshot Prevention

Drop displays financial data (balance, transaction amounts). Screenshots should be prevented on sensitive screens.

// iOSPhase 2 — prevent screenshots programmatically
// (Note: React Native does NOT expose this API — native module required)

// Android — prevent screenshots andsensitive screen recording
import { Platform } from 'react-native';protection
import { preventScreenCapture, allowScreenCapture } from 'expo-screen-capture';

// Screens requiring screenshot prevention:
// - Dashboard (shows bank balance)
// - Send Money (shows account balance, transaction amounts)
// - Transaction History (financial data)

useEffect(() => {
  if (Platform.OS === 'android') {
    preventScreenCapture();
  }
  return () => allowScreenCapture();
}, []);

~~Screens~~Note: ~~requiring~~iOS screenshot ~~prevention:~~

prevention

via

expo-screen-capture ~~Payment~~shows /a ~~card details~~blank screen
in ~~Account~~the ~~balance~~app switcher but cannot prevent all screenshots. Android FLAG_SECURE prevents screenshots and screen
~~Personal document viewer~~

{{OTHER_SENSITIVE_SCREEN}}

recording.

3.5 Clipboard Protection

Password fields: secureTextEntry={true} in React Native TextInput — disables clipboard by default on iOS
~~Sensitive~~Transaction ~~data~~amounts ~~programmatically~~copied ~~copied:~~to clipboard: clear ~~clipboard~~ after {{60 seconds}}seconds (Phase 2)
~~Custom~~Account numbers: never copied to clipboard ~~hook:~~by useSensitiveCopy(value,app clearAfterMs:— 60000)shown as masked

4. Network Security

4.1 Certificate Pinning

Current (Phase 1): Not implemented. Standard HTTPS/TLS only.

~~Library:~~Phase 2 implementation: {{react-native-ssl-pinning | OkHttp certificate pinner (Android native) | URLSession (iOS native)}}

// UsingPhase 2 — requires react-native-ssl-pinning or OkHttp pinner
// Pinned endpoints:
// - drop-app.vercel.app (production API)
// - BankID OIDC endpoints

const response = await fetch('https://api.domain.com/endpoint'drop-app.vercel.app/api/transactions', {
  method: 'POST'GET',
  pkPinning:// true,Certificate sslPinning:pinning {configuration certs: ['api_cert_sha256_fingerprint'],
  },here
  headers: { /*Authorization: ...`Bearer */${token}` },
  body: JSON.stringify(payload),
});

~~Pinned endpoints:~~

api.{{domain.com}} ~~— primary API~~

auth.{{domain.com}} ~~— authentication~~

Certificate rotation process:

Pin ~~BOTH~~both current cert and backup cert simultaneously
Deploy app update with new cert added (OTA via EAS Update)
After old cert expires, remove old cert from pins
Test rotation in staging ~~first~~before production

~~Handling pin failures:~~

~~Log as security event to backend~~

~~Show user-facing error: "Secure connection failed"~~

~~Do NOT fall back to unpinned connection~~

4.2 SSL/TLS Configuration

Requirement	Value
Minimum TLS version	TLS 1.2
Preferred TLS version	TLS 1.3
HTTP allowed	No (~~ATS~~Vercel ~~enforced~~enforces ~~on iOS, enforce on Android)~~HTTPS)
Cipher suites	~~Forward-secrecy~~TLS ~~only~~1.3 default (~~ECDHE, DHE)~~forward-secrecy)

iOS App Transport Security (ATS):

No NSAllowsArbitraryLoads: true

All API calls go to https://drop-app.vercel.app (HTTPS enforced)

Android Network Security Config:

<!-- android/app/src/main/res/xml/network_security_config.xml — Phase 2 -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">getdrop.no</domain>
    <domain includeSubdomains="true">drop-app.vercel.app</domain>
  </domain-config>
</network-security-config>

4.3 Network Request EncryptionSecurity

All requests over HTTPS (enforced ~~via~~by ~~ATS + Android network security config)~~

~~Sensitive payloads encrypted at application layer (in addition to TLS):~~ {{Yes/No}}Vercel)
Request signing (HMAC) — not implemented (~~HMAC):~~Phase {{Yes/No}}2)

Application-layer encryption for payment payloads — TBD (Phase 2)

5. Application Security

5.1 Code Obfuscation

Expo

Platform	Tool	Status
Android	~~ProGuard /~~ ProGuard/R8 ~~(enabled~~via byExpo ~~default~~release ~~in release)~~build	`{{Done/TODO}}`Done (Expo default)
iOS	~~Bitcode +~~ Swift compiler optimizations	`{{Done/TODO}}`Done (Expo default)
JavaScript	Hermes bytecode compilation	`{{Done/TODO}}`
~~JavaScript~~Done (~~extra)~~	`{{metro-react-native-babel-preset obfuscation}}`	`{{Done/TODO}}`default)

~~ProGuard rules:~~Hermes: android/app/proguard-rules.proExpo ~~TODO:~~SDK ~~Review~~54 ~~ProGuard~~uses ~~rules~~Hermes by default. JavaScript is compiled to ~~ensure~~bytecode, nomaking ~~over-stripping~~reverse ofengineering ~~reflection-dependent~~significantly ~~code.~~harder than raw JS.

5.2 Root / Jailbreak Detection

Current (Phase 1): Not implemented.

~~Library:~~Phase 2 implementation: {{expo-device | react-native-jail-monkey | custom}}

// Phase 2 — lib/integrity.ts
import JailMonkey* as Device from 'jail-monkey'expo-device';

export function checkDeviceIntegrity(): SecurityResult{ compromised: boolean; reason: string } {
  const isJailbroken = JailMonkey.isJailBroken();
  const isDebuggedBuild = JailMonkey.isDebuggedMode();
  const onExternalStorage = JailMonkey.isOnExternalStorage();
  // Androidexpo-device provides basic device info
  // For more robust detection: react-native-device-info or jail-monkey
  const isEmulator = !Device.isDevice;

  return {
    compromised: isJailbrokenisEmulator ||&& isDebuggedBuild,!__DEV__,
    reason: isJailbrokenisEmulator ? 'jailbroken' : isDebuggedBuild ? 'debug'emulator_in_production' : 'clean',
  };
}

Response to compromised ~~device:~~device (Phase 2):

{{Warn useruser: and"Drop allower ikke tilgjengelig på enheter med modifisert programvare"

Allow use with reducedwarning functionality(not |blocking Blockin accessPhase entirely2) |— Loghigher silently}}blocking for payment flows
~~Justification:~~Log {{Explainsecurity decision}}event to backend

5.3 Tamper Detection

~~App bundle signature verification on launch~~

~~Resource hash verification for critical assets~~

~~Backend validates app version — block known compromised versions~~

5.4 Debug Detection

// Detect if app is running under debugger in production
if (__DEV__ === false && detectDebugger()) {
  logSecurityEvent('debugger_attached');
  terminateSession();
}

Production builds must have:

__DEV__ mode disabled (Expo release build)
~~Console.~~console.log stripped (~~Babel~~Expo/Metro ~~plugin:~~default transform-remove-console)in release builds)
Flipper disabled (Expo default in release builds)
Source maps NOT bundled with the app ~~binary~~— (upload to Sentry ~~separately)~~separately (Phase 2)

5.54 Reverse Engineering Prevention

~~+ fetched from secure config endpoint~~

Measure	~~Implementation~~Phase 1	Phase 2
No hardcoded secrets	~~All~~Done ~~secrets~~— API URL only, no keys	API keys fetched ~~from vault~~ at runtime orfrom ~~injected~~secure ~~via CI~~config
No plain API keys in bundle	~~Obfuscated~~Done	Done
Sensitive logic on server	~~Business~~Done ~~logic~~— ~~requiring~~Drop ~~security~~is ~~stays~~pass-through; ~~backend-~~payments initiated server-side	Done
Binary protection	Hermes bytecode (done)	ProGuard /rules ~~R8 (Android), Bitcode stripping (iOS)~~review

~~TODO:~~ ~~Run MobSF static analysis before each major release and review findings.~~

6. OWASP Mobile Top 10 Checklist

#	Risk	Phase 1 Status	Notes
M1	Improper Credential Usage	`{{Pass/Fail/N/A}}`Partial	~~Tokens~~Bearer token in ~~Keychain,~~AsyncStorage no(unencrypted) ~~hardcoded~~— ~~creds~~Phase 2 fix
M2	Inadequate Supply Chain Security	`{{Pass/Fail}}`Unknown	~~Dependency audit~~ `npm audit` not run in CI yet
M3	Insecure Authentication/Authorization	`{{Pass/Fail}}`Pass	BankID + JWT validated server-side
M4	Insufficient Input/Output Validation	`{{Pass/Fail}}`Pass	~~Zod~~React ~~validation~~Native onTextInput ~~all~~handles ~~inputs~~basic validation; XSS not applicable to React Native
M5	Insecure Communication	`{{Pass/Fail}}`Pass	~~TLS~~HTTPS +enforced; cert pinning Phase 2
M6	Inadequate Privacy Controls	`{{Pass/Fail}}`Partial	Data ~~minimization,~~minimization done; GDPR consent in web app — mobile privacy notice TBD
M7	Insufficient Binary Protections	`{{Pass/Fail}}`Pass	~~Obfuscation,~~Hermes nobytecode; ~~debug~~Expo release build ~~in prod~~
M8	Security Misconfiguration	`{{Pass/Fail}}`Pass	No dev configs in prod ~~build~~build; `__DEV__` disabled
M9	Insecure Data Storage	`{{Pass/Fail}}`Fail	~~Keychain/Keystore~~Bearer +token ~~encrypted~~in DBunencrypted AsyncStorage — fix before production
M10	Insufficient Cryptography	`{{Pass/Fail}}`Pass	~~AES-256,~~TLS ~~SHA-256,~~1.3; no MD5/SHA-1 usage

Critical action before production: M9 (Insecure Data Storage) — migrate Bearer token from AsyncStorage to expo-secure-store. This is the single most important security fix before v1.0 production launch.

7. Security Testing Tools

Tool	Type	When	Output
MobSF (Mobile Security Framework)	Static analysis	Pre-release	Risk report
~~Frida~~`npm audit` / `pnpm audit`	~~Dynamic~~Dependency ~~analysis~~scan	~~Penetration~~Every ~~test~~PR	~~Runtime~~CVE ~~behavior~~report
~~Objection~~Expo Security Checks	~~Runtime analysis~~Build-time	~~Penetration~~EAS ~~test~~Build	~~Bypass~~Security ~~checks~~warnings
Burp Suite	Network proxy	Penetration test	API vulnerabilities
Frida	Dynamic analysis	Penetration test	Runtime behavior
OWASP ZAP	Automated API scan	CI/CD	Vulnerability ~~report~~
`npm audit` / `yarn audit`	~~Dependency scan~~	~~Every PR~~	~~CVE~~ report

Penetration test cadence: {{Annual | Before eachv1.0 majorproduction releaselaunch |(pre-launch), Quarterly}}then annually. Last pentest date: {{DATE}}Not yet conducted. Next pentest date: {{DATE}}Before production launch.

8. Compliance Requirements

~~NotconsentPCI-compliant SDK (Stripe/Braintree) —StorePlaywith~~

Requirement	Applicable	Status	Notes
GDPR (EUEU/EEA users)	`{{Yes/No}}`Yes	~~User~~Partial	Privacy policy at `/privacy`; data ~~deletion,~~deletion ~~export~~via ~~endpoints~~support; consent management in web app
PSD2 (Payment Services Directive 2)	Yes	Pass	PISP/AISP model; Open Banking; pre-payment disclosure implemented
Finanstilsynet (Norwegian FSA)	Yes	In progress	Regulatory compliance ongoing
Hvitvaskingsloven (AML)	Yes	Pass	5-year data retention; KYC via BankID
CCPA ~~(California users)~~	`{{Yes/No}}`No	DoN/A	Norwegian ~~Sell~~market ~~option~~only — no California users targeted
COPPA ~~(under 13)~~	`{{Yes/No}}`No	~~Parental~~N/A	18+ ~~flow~~minimum age (BankID requirement)
PCI DSS ~~(payment data)~~	`{{Yes/No}}`No	~~Use~~N/A	Drop never ~~store~~stores card data — pass-through model
App Store ~~privacy~~Privacy ~~label~~Label	Yes	~~App~~TODO	Must ~~Connect~~complete ~~privacy~~before ~~questionnaire~~submission
Play Store ~~data~~Data ~~safety~~Safety	Yes	~~Google~~TODO	Must ~~Console~~complete ~~data~~before ~~safety form~~submission
HIPAA ~~(health data)~~	`{{Yes/No}}`No	~~BAA~~N/A	No ~~vendors,~~health ~~encryption at rest+transit~~data

9. Security Roadmap

Phase 1 (Current — MVP)

HTTPS/TLS enforced

BankID authentication via expo-web-browser

Hermes bytecode (basic obfuscation)

CRITICAL: Migrate Bearer token to expo-secure-store (before production)

Phase 2 (Pre-Launch)

expo-secure-store for all tokens

Certificate pinning for API endpoints

Biometric authentication (Face ID / Touch ID)

Screenshot prevention on financial screens

Root/jailbreak detection with user warning

Mobile penetration test (MobSF + Burp Suite)

Source maps configured (Sentry, not bundled)

Phase 3 (Post-Launch)

App attestation (Play Integrity API / App Attest)

Transaction anomaly detection

Session device binding

Refresh token rotation

Self-service account deletion (GDPR)

Approval

Role	Name	Date
Author	John (AI Director)	2026-02-23
Mobile Lead
Security Lead
Legal