          Critical Mobile App Security Controls

          This suite of controls enforces a "Zero Trust" mobile environment.

          Control Name

          Critical Mobile App Security Controls

          Recommended Configuration

          • Block Jailbroken Device - Select "Active" and Severity Level
          • Block Man In The Middle Attack - Select "Active" and Severity Level
          • Minimum OS Version - Select "Active" and Severity Level. Specify the minimum OS (operating system) version the user's mobile device must meet.
          • Maximum OS Version - Select "Active" and Severity Level. Specify the maximum OS (operating system) version the user's mobile device can't exceed.
          • Minimum Application Version - Select "Active" and Severity Level. Specify the minimum app version that must be installed on your user's mobile device.
          • Maximum Application Version - Select "Active" and Severity Level. Specify the maximum app version that can be installed on your user's mobile device.
          • Check Biometric Login Data - Select "Active" and Severity Level.
          • Log Out User After Changing Biometric Login Data - Select "Active"
          • Log Out User After Device Restart - Select "Active"
          • Blocked Device List - Select "Active" and specify the value
          • Allowed Device List - Select "Active" and specify the value
          • Block OS Share Actions - Select "Active"
          • Disable URL Caching - Select "Active"
          • Maximum Days Offline Without Policy Refresh - Select "Active" and specify the value
          • Block File Backup - Select "Active"
          • Log Security Policy Evaluation Result - Select "Active"
          • Log Screenshot - Select "Active"

          Control Overview

          This suite of controls enforces a "Zero Trust" mobile environment by validating device integrity (jailbreak detection), operating system and application health (OS/App versioning), and data perimeter protections (blocking backups, caching, and share actions).

          Security Risk If Not Configured

          Sensitive data resides on unmanaged devices that may have compromised operating systems, outdated security patches, or local storage vulnerabilities that allow other malicious apps to scrape Salesforce data.

          Threat Scenarios

          An attacker exploits a "Man-in-the-Middle" vulnerability on public Wi-Fi to intercept unencrypted traffic, or a user’s stolen phone is easily bypassed because biometric changes didn't trigger a logout, allowing full access to the Salesforce app.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Failure to enforce mobile security leads to large-scale PII leakage through local device backups or OS-level share actions.

          Higher Risk When

          Employees use "Bring Your Own Device" (BYOD) without these controls, as the company has no visibility into whether those devices are rooted, jailbroken, or running end-of-life software.

          Low Risk When

          These policies are paired with a centralized Mobile Device Management (MDM) solution that provides an extra layer of remote wipe and encryption capabilities.

          Business and Integration Considerations

          Implementing strict OS and App version requirements may temporarily lock out users with older hardware, requiring a clear internal communication plan and hardware refresh budget to avoid disrupting field operations.

          Recommended Remediation

          Go to Setup > Mobile App Security, activate each policy you need (for example, Block Jailbroken Device, Disable URL Caching), and set the Severity Level (for example, "Block" to prevent non-compliant devices from connecting). Choose the severity level appropriate for the action required (for example, critical, error, warn, info).
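          As an added illustration (not Salesforce code, and not how the platform evaluates these policies internally), the following Python model shows what the controls above amount to at evaluation time: OS and app versions are compared numerically rather than as strings, only the "Block" severity denies the connection while the other severities are merely recorded, and every result is written to a log as the Log Security Policy Evaluation Result control would. The policy set and device posture are constructed sample values.

```python
def parse_version(v: str) -> tuple:
    # Numeric compare, so OS "17.10" is correctly newer than "17.2".
    return tuple(int(p) for p in v.split("."))

# Each check returns True when the device VIOLATES the control.  `d` is a
# hypothetical device posture report; `v` is the value the admin configured.
CHECKS = {
    "Block Jailbroken Device": lambda d, v: d["jailbroken"],
    "Block Man In The Middle Attack": lambda d, v: d["mitm_detected"],
    "Minimum OS Version": lambda d, v: parse_version(d["os_version"]) < parse_version(v),
    "Maximum OS Version": lambda d, v: parse_version(d["os_version"]) > parse_version(v),
    "Minimum Application Version": lambda d, v: parse_version(d["app_version"]) < parse_version(v),
    "Maximum Application Version": lambda d, v: parse_version(d["app_version"]) > parse_version(v),
    "Check Biometric Login Data": lambda d, v: d["biometric_data_changed"],
    "Blocked Device List": lambda d, v: d["device_model"] in v,
    "Allowed Device List": lambda d, v: d["device_model"] not in v,
    "Maximum Days Offline Without Policy Refresh": lambda d, v: d["days_since_policy_refresh"] > v,
}

def evaluate(policies: list, device: dict) -> tuple:
    """Return ("allow" | "block", log lines).  Only the "Block" severity denies the
    connection; critical/error/warn/info violations are logged but not enforced,
    which is the record the Log Security Policy Evaluation Result control keeps."""
    decision, log = "allow", []
    for p in policies:
        if not p["active"]:
            continue
        violated = CHECKS[p["name"]](device, p.get("value"))
        log.append(f'{p["name"]}: {"VIOLATION" if violated else "ok"} (severity={p["severity"]})')
        if violated and p["severity"].lower() == "block":
            decision = "block"
    return decision, log

# Constructed sample policy set and device posture, not real Salesforce data.
SAMPLE_POLICIES = [
    {"name": "Block Jailbroken Device", "active": True, "severity": "Block"},
    {"name": "Block Man In The Middle Attack", "active": True, "severity": "Block"},
    {"name": "Minimum OS Version", "active": True, "severity": "Block", "value": "17.2"},
    {"name": "Minimum Application Version", "active": True, "severity": "Warn", "value": "250.1"},
    {"name": "Check Biometric Login Data", "active": True, "severity": "Block"},
    {"name": "Blocked Device List", "active": True, "severity": "Block", "value": {"Galaxy S7"}},
    {"name": "Maximum Days Offline Without Policy Refresh", "active": True, "severity": "Block", "value": 7},
]
SAMPLE_DEVICE = {
    "jailbroken": False, "mitm_detected": False, "os_version": "17.10", "app_version": "248.0",
    "biometric_data_changed": False, "device_model": "Pixel 8", "days_since_policy_refresh": 3,
}
```

With the sample data the device is allowed (its OS 17.10 satisfies the 17.2 minimum) while the outdated app version is logged as a Warn-level violation; flipping `jailbroken` or exceeding the offline limit turns the decision into a block.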

          Security Health Review Guidance

          Security Health Review identifies these mobile-specific controls as the "Hardened Perimeter" for remote work, so that the Salesforce app remains a secure sandbox even when deployed on untrusted or personal hardware.

          Salesforce Help | Article