Security Checklist for Mobile Banking Apps (2026)

Transport Security

• Enforce TLS 1.2+ — reject TLS 1.0/1.1 connections at the server level
• Implement SSL/TLS certificate pinning — pin to leaf cert hash, not CA root
• Include a backup pin for cert rotation without forcing an app update
• Enable App Transport Security (ATS) with no exceptions — never use NSAllowsArbitraryLoads in production
• Validate the full certificate chain, not just the leaf

Request Integrity

• Sign API requests with HMAC using a per-session secret — prevents request tampering
• Include a timestamp nonce in every request to prevent replay attacks (±5 min window)
• Use Authorization: Bearer <token> headers — never put tokens in query strings
• Implement request rate limiting on the server — expose to mobile via HTTP 429 with Retry-After
• Return generic error messages — never expose stack traces, DB errors, or field validation details to the client

What Goes Where

• Keychain: Tokens, passwords, private keys, PINs — use kSecAttrAccessibleWhenUnlockedThisDeviceOnly
• CoreData / SQLite: Financial records — encrypt at rest using SQLCipher or iOS Data Protection class NSFileProtectionComplete
• UserDefaults: Non-sensitive UI preferences only — never store tokens, account data, or PII here
• Cached images/PDFs: Encrypt the NSURLCache and mark files with NSFileProtectionComplete
• Clipboard: Clear clipboard contents containing sensitive data after 60 seconds

Encryption Standards

• Use AES-256-GCM for symmetric encryption — provides both confidentiality and integrity
• Use the Secure Enclave for key storage when available (iPhone 5s and later)
• Never hardcode encryption keys — derive them from user credentials + device-bound secret
• Wipe sensitive data from memory explicitly after use — zero-fill sensitive byte arrays

Jailbreak Detection

Jailbroken devices bypass iOS sandbox protections — Keychain items can be extracted, SSL pinning bypassed, and runtime behavior modified. No detection is 100% reliable, but layered checks raise the cost of attack significantly:

• Check for presence of /Applications/Cydia.app, /usr/bin/ssh, /bin/bash
• Attempt to write outside the app sandbox — should fail on non-jailbroken devices
• Check if fork() succeeds — restricted on non-jailbroken iOS
• Verify the app's code signature at runtime
• Use multiple independent checks — don't rely on a single signal
• On detection: degrade gracefully — warn user, disable high-risk features, log the event server-side

Runtime Attack Detection

• Detect if a debugger is attached using PT_DENY_ATTACH — terminates debug sessions in production
• Check for method swizzling on security-critical code paths
• Detect if running in a simulator — disable production credentials in simulator builds
• Use DeviceCheck and AppAttest (iOS 14+) to verify app integrity server-side

Kill Switches

• Build a remote feature flag system — ability to disable any feature without an app update
• Build a forced-update mechanism — ability to block old app versions immediately
• Build server-side session revocation — invalidate all sessions for a user or all users instantly

Detection & Response Playbook

• Define P0/P1/P2 severity levels with response SLAs before launch
• Assign a security incident owner — single point of accountability
• Prepare user notification templates for credential exposure scenarios
• Know your regulatory notification obligations: PCI-DSS requires 72-hour breach notification, GDPR even faster
• Run tabletop exercises quarterly — simulate a breach scenario with your team