Mobile App Storage
Personal information, user credentials, and cryptographic keys should all be safely stored in the system's dedicated credential storage facilities.
No private data should be kept anywhere other than the app container or the system credential storage facilities.
No private information is ever recorded in application logs.
Except where it is strictly required by technical design, no private information is ever transmitted to outside parties.
When handling private information, the keyboard cache is cleared before accepting the input.
No private information is leaked through IPC mechanisms.
Authentication information, such as passwords and PINs, is never displayed in plain text.
No private information is saved in backups made by the mobile operating system.
Once the app is moved to the background, any private information is hidden from view.
No private information is kept in app memory for any longer than is absolutely necessary, and all app data is deleted when the app is closed.
The app requires the user to set a device passcode as part of a minimum security policy for device access.
The app informs the user about what kinds of personally identifiable information are collected and stored, as well as what the user may do to protect their data.
No private information should ever be kept on the device's local storage. Instead of being stored permanently on the device, data should be cached in RAM and retrieved from a remote endpoint as needed.
Any sensitive data that must be kept locally should be encrypted with a key derived from hardware storage that requires authentication.
After a certain number of unsuccessful authentication attempts, the app should delete all of its local data.
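An added example, not from the original page, showing the last two items on Android: a Keystore key that cannot be used until the user authenticates, and a wipe after repeated failed attempts. It assumes Android API 23+ and Kotlin; the alias local_data_key, the limit of 5 and all function names are hypothetical.

```kotlin
import android.app.ActivityManager
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "local_data_key" // hypothetical alias
private const val MAX_FAILURES = 5             // assumed policy value

private fun keyStore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

// Create (once) an AES-256 key held by the Android Keystore. Key material never
// enters app memory, and every use requires user authentication.
fun getOrCreateKey(): SecretKey {
    (keyStore().getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setUserAuthenticationRequired(true)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

// Wrap the returned cipher in BiometricPrompt.CryptoObject; doFinal() only
// succeeds once the user has authenticated through that prompt.
fun newEncryptCipher(): Cipher =
    Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, getOrCreateKey()) }

fun newDecryptCipher(iv: ByteArray): Cipher = Cipher.getInstance("AES/GCM/NoPadding")
    .apply { init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, iv)) }

// Returns (iv, ciphertext); persist the IV beside the ciphertext for decryption.
fun seal(authedCipher: Cipher, plaintext: ByteArray): Pair<ByteArray, ByteArray> =
    authedCipher.iv to authedCipher.doFinal(plaintext)

// Call after each failed in-app authentication; the caller tracks the count.
// Deleting the key first makes any surviving ciphertext unreadable.
fun onAuthFailure(context: Context, failures: Int) {
    if (failures < MAX_FAILURES) return
    keyStore().deleteEntry(KEY_ALIAS)
    (context.getSystemService(Context.ACTIVITY_SERVICE) as ActivityManager)
        .clearApplicationUserData() // wipes files, databases and preferences, then ends the process
}
```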