Strongly Recommended Mobile App Security Controls
This control set enforces a hardened mobile environment.
Control Name
Strongly Recommended Mobile App Security Controls
Recommended Configuration
- Authentication Server Certificate Pinning - Select "Active"
- Resource Certificate Pinning - Select "Active"
- Require Device Passcode - Select "Active" and a severity level
- Block 3D Touch - Select "Active"
- Block Microphone - Select "Active"
- Block Camera - Select "Active"
- Block Contacts - Select "Active"
- Block Calendar - Select "Active"
- Mobile Browser URI Scheme - Select "Active" and specify the value
- Phone Call Application Handler - Select "Active" and specify the value
- Block Screenshot - Select "Active"
- Log Email - Select "Active"
- Log Phone Call - Select "Active"
- Log SMS - Select "Active"
- Block Custom Keyboard - Select "Active"
- Enable Strict Data Leak Protection Controls - Select "Active"
Control Overview
This control set enforces a hardened mobile environment by mandating cryptographic certificate pinning, local device authentication, and strict hardware-level restrictions to prevent unauthorized data exfiltration.
Security Risk If Not Configured
Without these policies, mobile devices become vulnerable to man-in-the-middle attacks through intercepted network traffic and local data theft if the device is lost, stolen, or compromised by malicious third-party applications.
Threat Scenarios
An attacker uses a compromised wireless network to intercept unpinned application traffic or exploits a rogue custom keyboard to log sensitive keystrokes and credentials directly from the mobile interface.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
The absence of these protections allows for the interception of encrypted traffic, the bypass of local device security, and the unauthorized transfer of corporate data through hardware features like the camera, microphone, and clipboard.
Higher Risk When
Employees use personal, unmanaged devices to access sensitive customer information or when the mobile application is used in high-threat public network environments.
Low Risk When
The mobile devices are already managed by a robust enterprise mobility management solution that enforces system-wide encryption and remote wipe capabilities.
Business and Integration Considerations
Implementing these strict controls may affect the user experience by disabling common features like copy-paste or third-party keyboards, potentially requiring specialized training for mobile workers.
Recommended Remediation
Go to the Mobile Security section in Setup and activate the specific policies for certificate pinning, device passcodes, and data leak protection (for example, Block controls) for the mobile application. Where applicable, choose the severity level appropriate for the action required (for example, critical, error, warn, info).
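To check an org against the recommended configuration listed above, the following added example (not Salesforce code; the export format it reads is assumed) audits a JSON list of mobile security policies and reports any control that is missing, not active, or active without the value or severity level the list calls for:

```python
import json

# Control names from the recommended configuration on this page, plus which
# of them also need a value or a severity level once set to Active.
RECOMMENDED = [
    "Authentication Server Certificate Pinning", "Resource Certificate Pinning",
    "Require Device Passcode", "Block 3D Touch", "Block Microphone",
    "Block Camera", "Block Contacts", "Block Calendar",
    "Mobile Browser URI Scheme", "Phone Call Application Handler",
    "Block Screenshot", "Log Email", "Log Phone Call", "Log SMS",
    "Block Custom Keyboard", "Enable Strict Data Leak Protection Controls",
]
NEEDS_VALUE = {"Mobile Browser URI Scheme", "Phone Call Application Handler"}
NEEDS_SEVERITY = {"Require Device Passcode"}
SEVERITIES = {"critical", "error", "warn", "info"}


def audit_policies(export_json: str) -> dict:
    """Compare an exported policy list against the recommended set.
    The export format (a JSON list of {"name", "status", "value", "severity"})
    is an assumption for this example, not a documented Salesforce format.
    Returns {control name: reason} for every control that is not compliant.
    """
    policies = {p["name"]: p for p in json.loads(export_json)}
    findings = {}
    for name in RECOMMENDED:
        policy = policies.get(name)
        if policy is None:
            findings[name] = "missing"
        elif policy.get("status") != "Active":
            findings[name] = "not active"
        elif name in NEEDS_VALUE and not policy.get("value"):
            findings[name] = "active but no value specified"
        elif name in NEEDS_SEVERITY and policy.get("severity") not in SEVERITIES:
            findings[name] = "active but severity level not set"
    return findings


# Constructed sample export: one control inactive, one active without its
# required value, one passcode policy with a severity, and most controls absent.
SAMPLE_EXPORT = json.dumps([
    {"name": "Authentication Server Certificate Pinning", "status": "Active"},
    {"name": "Resource Certificate Pinning", "status": "Inactive"},
    {"name": "Require Device Passcode", "status": "Active", "severity": "warn"},
    {"name": "Mobile Browser URI Scheme", "status": "Active", "value": ""},
    {"name": "Block Camera", "status": "Active"},
])

if __name__ == "__main__":
    for control, reason in sorted(audit_policies(SAMPLE_EXPORT).items()):
        print(f"{control}: {reason}")
```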
Security Health Review Guidance
Security Health Review identifies these policies as strongly recommended, depending on the mobile app use case, because these controls help ensure that the application remains secure regardless of the underlying device health or network integrity.

