Developing Secure Mobile Applications: Best Practices
Guidelines for building mobile apps with robust security measures to protect user data and privacy.
Rule Content
---
description: Enforce secure coding practices in mobile application development to protect user data and privacy.
globs: ["**/*.swift", "**/*.kt", "**/*.java", "**/*.dart"]
tags: [security, mobile, best-practices]
priority: 1
version: 1.0.0
---

# Developing Secure Mobile Applications: Best Practices

## Context

- Applicable during the development of mobile applications to ensure robust security measures are implemented.
- Aims to protect user data and privacy by adhering to established security standards.

## Requirements

- **Input Validation**: Validate and sanitize all user inputs to prevent injection attacks such as SQL injection and cross-site scripting (XSS).
- **Data Encryption**: Encrypt sensitive data both at rest and in transit using strong encryption algorithms (e.g., AES-256 for data at rest and TLS 1.3 for data in transit).
- **Authentication and Authorization**: Implement strong authentication mechanisms, including multi-factor authentication (MFA), and enforce proper authorization checks to ensure users have access only to permitted resources.
- **Avoid Hardcoding Secrets**: Do not hardcode sensitive information like API keys, database credentials, or passwords into the source code. Store such information securely using environment variables or secure storage solutions.
- **Regular Security Audits**: Conduct regular code reviews and vulnerability assessments, including static and dynamic analysis, to identify and mitigate potential security issues.
- **Secure Session Management**: Use secure session management practices, including generating secure session IDs, setting appropriate session expiration times, and utilizing secure cookies to protect user sessions.
- **Dependency Management**: Keep all third-party libraries and dependencies up to date to mitigate known vulnerabilities.
- **Error Handling and Logging**: Implement secure error handling to avoid exposing sensitive information through error messages, and maintain comprehensive logging to monitor and respond to security events.

## Examples

<example>
**Good Example**: Implementing input validation in Swift to prevent SQL injection.

```swift
let userInput = getUserInput()
guard let sanitizedInput = sanitizeInput(userInput) else {
    // Handle invalid input: reject it rather than trying to repair it
    return
}
// Parameterised query: the value is bound to the `?` placeholder by the driver,
// so it is always treated as data and never spliced into the SQL text.
let query = "SELECT * FROM users WHERE username = ?"
let statement = try db.prepare(query)
try statement.bind(sanitizedInput)
let results = try statement.run()
```
</example>

<example type="invalid">
**Bad Example**: Hardcoding API keys in Kotlin.

```kotlin
// The secret is committed to source control and ships inside the app binary,
// and passing it in the query string also leaks it to logs and proxies.
val apiKey = "1234567890abcdef"
val url = "https://api.example.com/data?api_key=$apiKey"
```
</example>
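The injection risk the Good Example guards against, shown as an added example that is not part of the rule: it is written in Python with the standard `sqlite3` module rather than Swift so it runs stand-alone, and the allowlist pattern stands in for the rule's unspecified `sanitizeInput`. It puts the string-concatenated query beside the parameterised one so the difference is visible on the same hostile input.

```python
import re
import sqlite3

# Allowlist pattern standing in for the rule's sanitizeInput guard (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(username: str):
    """Return the username if it passes the allowlist, else None (reject, do not 'clean')."""
    return username if USERNAME_RE.fullmatch(username) else None

def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the rule): a tiny in-memory users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_concatenated(db: sqlite3.Connection, username: str) -> list:
    # Vulnerable form: the input becomes part of the SQL text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db: sqlite3.Connection, username: str) -> list:
    # Hardened form: the driver binds the value to the '?' placeholder, exactly as
    # the Swift example's prepare/bind does; the input can never become SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]

def demo() -> dict:
    db = make_db()
    honest = "alice"
    hostile = "' OR '1'='1"  # constructed input that breaks out of the quoted literal
    return {
        "validation_rejects_hostile": validate_username(hostile) is None,
        "concat_honest": lookup_concatenated(db, honest),
        "concat_hostile": lookup_concatenated(db, hostile),  # returns every user
        "param_honest": lookup_parameterized(db, honest),
        "param_hostile": lookup_parameterized(db, hostile),  # returns nothing
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Validation and parameterisation are layered: the allowlist rejects the hostile string outright, and even if validation were bypassed the bound parameter still cannot alter the query.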