Page 126 - GIGW2
CH 11 Mobile App Guidelines
and the backend APIs. Developers should also keep in mind that a mobile device is easily misplaced or lost, and that users may connect over open networks where data can be easily compromised.

   a. Wherever possible, sensitive information must not be stored on the mobile device.

   b. The app should be checked against the OWASP Mobile App Security Checklist:
      https://www.owasp.org/images/1/1b/Mobile_App_Security_Checklist_0.9.3.xlsx

   c. Mobile app and APIs MUST be security audited by CERT-In empanelled vendors.

   d. Follow platform-specific security best practices.

      Android: https://developer.android.com/training/articles/security-tips.html

      iOS: https://developer.apple.com/security/

   e. Only HTTPS must be used to access APIs.
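Point (e) is easiest to enforce in the client before any request leaves the device. The Kotlin snippet below is an added illustration, not code from GIGW or from any government app; the API host `api.example.gov.in` is a placeholder, and the helper names (`isAcceptableApiUrl`, `openSecureConnection`) are assumptions of this example. It refuses any endpoint whose scheme is not `https` and deliberately keeps the platform's default certificate and hostname checks.

```kotlin
import java.net.MalformedURLException
import java.net.URL
import javax.net.ssl.HttpsURLConnection

// Hypothetical base URL used only for illustration; not a real endpoint.
const val API_BASE = "https://api.example.gov.in/v1/"

/**
 * Returns true only when the URL is well formed, uses the https scheme and
 * names a host. Any other scheme (http, ftp, file, ...) is rejected so that
 * a session token or citizen identifier is never sent over cleartext.
 */
fun isAcceptableApiUrl(endpoint: String): Boolean {
    val url = try {
        URL(endpoint)
    } catch (e: MalformedURLException) {
        return false
    }
    return url.protocol == "https" && url.host.isNotEmpty()
}

/**
 * Opens a connection to an API endpoint, refusing anything that is not HTTPS
 * before a single byte is sent. The platform's default TrustManager and
 * HostnameVerifier are left in place: replacing them with permissive ones is
 * the classic mistake that makes HTTPS readable on an open network.
 */
fun openSecureConnection(endpoint: String): HttpsURLConnection {
    require(isAcceptableApiUrl(endpoint)) { "Refusing non-HTTPS API URL: $endpoint" }
    // openConnection() yields an HttpsURLConnection for https URLs, so the
    // cast holds once the scheme check above has passed.
    return (URL(endpoint).openConnection() as HttpsURLConnection).apply {
        requestMethod = "GET"
        connectTimeout = 10_000
        readTimeout = 15_000
        setRequestProperty("Accept", "application/json")
    }
}

fun main() {
    // Constructed sample URLs: only the first should be accepted.
    val candidates = listOf(
        API_BASE + "status",
        "http://api.example.gov.in/v1/status",
        "ftp://api.example.gov.in/v1/status",
        "not a url",
    )
    for (c in candidates) {
        val verdict = if (isAcceptableApiUrl(c)) "allowed" else "rejected"
        println("$c -> $verdict")
    }
}
```

On Android the same rule can also be declared outside the code: a network security config (`res/xml/network_security_config.xml`, referenced from the manifest with `android:networkSecurityConfig`) with `cleartextTrafficPermitted="false"` makes the platform itself refuse cleartext connections, which protects third-party libraries that do not go through a helper like the one above.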

11.5.8  App Expiry
   Due to increased visibility and ease of use, mobile apps are launched for time-bound events such as elections, examinations, etc. Hence the purpose and the relevant timelines should be clearly indicated for the app. On completion of the pre-decided timeline, the app should be removed from the Play Store. In addition, the app should also be able to generate a notification on the installed device informing the user about the end of its life cycle.
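Removing the app from the store does not remove it from devices that already installed it, so the end-of-life logic has to live in the app. The Kotlin below is an added example of that decision logic, not code from GIGW or any published app; the dates are constructed, and the names `expiryState` and `expiryNotification` are this example's own. It classifies the app as active, expiring soon or expired against a published end date and produces the text of the notification to show.

```kotlin
import java.time.LocalDate
import java.time.temporal.ChronoUnit

/** Life-cycle states relative to the end date published with the app. */
enum class ExpiryState { ACTIVE, EXPIRING_SOON, EXPIRED }

/**
 * Decides the app's state from the declared end-of-life date (for example,
 * the day an election result or an examination cycle closes).
 * `warningDays` is how far in advance the user is warned.
 */
fun expiryState(
    endOfLife: LocalDate,
    today: LocalDate,
    warningDays: Long = 7,
): ExpiryState {
    val remaining = ChronoUnit.DAYS.between(today, endOfLife)
    return when {
        remaining < 0 -> ExpiryState.EXPIRED
        remaining <= warningDays -> ExpiryState.EXPIRING_SOON
        else -> ExpiryState.ACTIVE
    }
}

/** Notification text for the device; null when no notification is due. */
fun expiryNotification(endOfLife: LocalDate, today: LocalDate): String? =
    when (expiryState(endOfLife, today)) {
        ExpiryState.ACTIVE -> null
        ExpiryState.EXPIRING_SOON ->
            "This app will stop working on $endOfLife. Please uninstall it after that date."
        ExpiryState.EXPIRED ->
            "This app reached the end of its life cycle on $endOfLife and no longer works. Please uninstall it."
    }

fun main() {
    // Constructed sample dates, chosen to hit each of the three states.
    val endOfLife = LocalDate.of(2024, 6, 30)
    val sampleDays = listOf(
        LocalDate.of(2024, 6, 1),
        LocalDate.of(2024, 6, 25),
        LocalDate.of(2024, 7, 1),
    )
    for (today in sampleDays) {
        val message = expiryNotification(endOfLife, today) ?: "no notification"
        println("$today: ${expiryState(endOfLife, today)} -> $message")
    }
}
```

Two practitioner caveats: the end date should be fetched from the backend (with the build-time date only as a fallback) so that an extension of the event does not require a new release, and `today` should come from a server-provided timestamp where possible, because a device clock set back in time would otherwise keep an expired app alive. When the state is `EXPIRED`, the app should also refuse to call its APIs, not merely notify.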

11.5.9  Data Capture for Key Elements
   The data capture for key elements of the app, such as Aadhaar, Voter ID, PAN, vehicle numbers, employee ID, beneficiary ID, etc., may be read as a QR code (2D barcode) in order to eliminate typing errors and to provide the service instantly. Care should be taken to implement the guidelines from UIDAI whenever the Aadhaar number and e-KYC details are used.
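Whether a key element arrives from a scanner or from the keyboard, the app should validate it before sending it to the backend. The Kotlin below is an added example, not GIGW's or UIDAI's code: it checks a scanned Aadhaar number against its Verhoeff check digit (Aadhaar numbers end in a Verhoeff check digit) and a PAN against its fixed letter/digit layout. It assumes the scanner hands back the identifier as plain text; it does not parse UIDAI's actual QR payload, and the sample values are constructed, not real identifiers.

```kotlin
// Verhoeff tables: D (dihedral multiplication), P (position permutation), INV (inverse).
private val D = arrayOf(
    intArrayOf(0, 1, 2, 3, 4, 5, 6, 7, 8, 9),
    intArrayOf(1, 2, 3, 4, 0, 6, 7, 8, 9, 5),
    intArrayOf(2, 3, 4, 0, 1, 7, 8, 9, 5, 6),
    intArrayOf(3, 4, 0, 1, 2, 8, 9, 5, 6, 7),
    intArrayOf(4, 0, 1, 2, 3, 9, 5, 6, 7, 8),
    intArrayOf(5, 9, 8, 7, 6, 0, 4, 3, 2, 1),
    intArrayOf(6, 5, 9, 8, 7, 1, 0, 4, 3, 2),
    intArrayOf(7, 6, 5, 9, 8, 2, 1, 0, 4, 3),
    intArrayOf(8, 7, 6, 5, 9, 3, 2, 1, 0, 4),
    intArrayOf(9, 8, 7, 6, 5, 4, 3, 2, 1, 0),
)
private val P = arrayOf(
    intArrayOf(0, 1, 2, 3, 4, 5, 6, 7, 8, 9),
    intArrayOf(1, 5, 7, 6, 2, 8, 3, 0, 9, 4),
    intArrayOf(5, 8, 0, 3, 7, 9, 6, 1, 4, 2),
    intArrayOf(8, 9, 1, 6, 0, 4, 3, 5, 2, 7),
    intArrayOf(9, 4, 5, 3, 1, 2, 6, 8, 7, 0),
    intArrayOf(4, 2, 8, 6, 5, 7, 3, 9, 0, 1),
    intArrayOf(2, 7, 9, 3, 8, 0, 6, 4, 1, 5),
    intArrayOf(7, 0, 4, 6, 9, 1, 3, 2, 5, 8),
)
private val INV = intArrayOf(0, 4, 3, 2, 1, 5, 6, 7, 8, 9)

/** Verhoeff check digit for a digit string that does not yet carry one. */
fun verhoeffCheckDigit(base: String): Int {
    require(base.isNotEmpty() && base.all { it.isDigit() })
    var c = 0
    base.reversed().forEachIndexed { i, ch ->
        c = D[c][P[(i + 1) % 8][ch - '0']]
    }
    return INV[c]
}

/** True when the trailing digit is the correct Verhoeff check digit. */
fun isValidVerhoeff(number: String): Boolean {
    if (number.length < 2 || !number.all { it.isDigit() }) return false
    var c = 0
    number.reversed().forEachIndexed { i, ch ->
        c = D[c][P[i % 8][ch - '0']]
    }
    return c == 0
}

/** Aadhaar: 12 digits, the last of which is a Verhoeff check digit. */
fun isPlausibleAadhaar(value: String): Boolean =
    value.length == 12 && isValidVerhoeff(value)

private val PAN_PATTERN = Regex("[A-Z]{5}[0-9]{4}[A-Z]")

/** PAN: five letters, four digits, one letter. */
fun isPlausiblePan(value: String): Boolean = PAN_PATTERN.matches(value)

/** Kinds of key element this example knows how to validate. */
enum class KeyElement { AADHAAR, PAN }

/**
 * Validates the text returned by the scanner as the declared key element.
 * Whitespace that scanners sometimes insert is stripped first.
 */
fun validateScanned(kind: KeyElement, scanned: String): Boolean {
    val cleaned = scanned.filterNot { it.isWhitespace() }.uppercase()
    return when (kind) {
        KeyElement.AADHAAR -> isPlausibleAadhaar(cleaned)
        KeyElement.PAN -> isPlausiblePan(cleaned)
    }
}

fun main() {
    // Constructed sample values, not real identifiers.
    val aadhaarBase = "12345678901"
    val validAadhaar = aadhaarBase + verhoeffCheckDigit(aadhaarBase)
    // Change one digit to simulate a typing error; Verhoeff detects all such errors.
    val typo = validAadhaar.substring(0, 5) + "9" + validAadhaar.substring(6)
    println("$validAadhaar -> ${validateScanned(KeyElement.AADHAAR, validAadhaar)}")
    println("$typo -> ${validateScanned(KeyElement.AADHAAR, typo)}")
    println("ABCDE1234F -> ${validateScanned(KeyElement.PAN, "ABCDE1234F")}")
    println("ABCD12345F -> ${validateScanned(KeyElement.PAN, "ABCD12345F")}")
}
```

These checks catch transcription errors only; they establish nothing about whether the identifier belongs to the person holding the phone. Identity verification and any use of e-KYC data remain subject to the UIDAI guidelines referred to above, and a value that passes validation should still be treated as sensitive data under 11.5.7(a), not cached on the device.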


11.6  Hosting


                     11.6.1  Mobile API Hosting
                               a.  Security Audited APIs MUST be hosted in highly secure data centers