Best practices
Below are best practices we encourage you to keep in mind while developing your app for use with SPiD.
Input
Don't assume input is valid. Always sanitize it: consider keeping a whitelist of the characters you accept, check that the length of the string is acceptable, and so on.
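As an added illustration of the whitelist approach (example code, not part of the SPiD SDK), the class below validates a user name and an e-mail address before the app hands them to a login request. The character classes and length limits are assumptions chosen for the example; tighten or relax them to match what your app actually accepts. Input that fails the check is rejected rather than "cleaned up", so a single unexpected character is enough to refuse the value.

```java
import java.util.regex.Pattern;

/** Allowlist-based checks for values the app forwards to SPiD (added example, not SDK code). */
public final class InputValidator {
    private InputValidator() {}

    // Assumed rules: user names are 3-64 characters drawn only from this set.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]+");
    private static final int USERNAME_MIN = 3;
    private static final int USERNAME_MAX = 64;

    // Assumed rules: a deliberately strict e-mail shape, one '@', no whitespace or control characters.
    private static final Pattern EMAIL =
            Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
    private static final int EMAIL_MIN = 6;   // shortest accepted form: a@b.cd
    private static final int EMAIL_MAX = 254;

    public static boolean isValidUsername(String s) {
        return matches(s, USERNAME, USERNAME_MIN, USERNAME_MAX);
    }

    public static boolean isValidEmail(String s) {
        return matches(s, EMAIL, EMAIL_MIN, EMAIL_MAX);
    }

    // Pattern.matcher(s).matches() requires the WHOLE string to match, so any character
    // outside the allowed set fails the check; the length is checked first and in code points,
    // not UTF-16 units, so multi-byte characters are counted once.
    private static boolean matches(String s, Pattern allowed, int min, int max) {
        if (s == null) {
            return false;
        }
        int length = s.codePointCount(0, s.length());
        if (length < min || length > max) {
            return false;
        }
        return allowed.matcher(s).matches();
    }

    public static void main(String[] args) {
        System.out.println(isValidUsername("alice.smith"));      // true
        System.out.println(isValidUsername("alice smith"));      // false: space not in whitelist
        System.out.println(isValidUsername("ab"));               // false: too short
        System.out.println(isValidEmail("alice@example.com"));   // true
        System.out.println(isValidEmail("alice@example.com\n")); // false: trailing newline rejected
    }
}
```

Because the pattern is applied with matches() rather than find(), there is no way to smuggle disallowed characters past the check by surrounding them with valid ones.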
Passwords
Never keep a user's password in memory or in a file, and never print it in logs. Instead, use it once to obtain an access token, which you then use when sending requests to SPiD.
Access tokens
Access tokens are stored by our SDKs; if you need one, get it from there. Don't store it yourself.
Secrets
Because mobile apps can easily be decompiled, it is hard to protect the client secrets. We recommend that you do not store the credentials as a constant or in a settings file; instead, split the secret into segments, shift its characters by an offset, or rotate it. These methods won't stop a determined attacker, but they are better than keeping the secret in plain text.
Webview vulnerabilities
Don't enable JavaScript unless you must, as it can create security issues that can be exploited. If you do enable it, make sure the webview does not navigate to any websites other than your own or SPiD's.
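One way to enforce that restriction on Android, shown here as an added example and not as code from the SPiD SDK: a WebViewClient that only lets the WebView navigate to an allowlisted set of HTTPS hosts and blocks everything else. The two host names are placeholders, and the helper that wires the client into a WebView also leaves JavaScript switched off (the Android default), so the page's first recommendation is made explicit in code.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Restricts WebView navigation to your own site and the SPiD host (added example, not SDK code). */
public final class AllowlistWebViewClient extends WebViewClient {

    // Placeholder host names: replace with your own domain and the SPiD host your app uses.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example.com",
            "spid.example.com"
    ));

    /** Returns true only for https URLs whose host is on the allowlist. */
    static boolean isAllowed(Uri uri) {
        if (uri == null) {
            return false;
        }
        // Plain http would let a network attacker rewrite the page, so require TLS.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        if (host == null) {
            return false;
        }
        // Exact host match: a subdomain or look-alike domain is not accepted.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Returning true tells the WebView NOT to load the request, so blocked URLs never render.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return !isAllowed(request.getUrl());
    }

    /** Applies the allowlist client and keeps JavaScript disabled on the given WebView. */
    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(false); // the default, made explicit
        webView.setWebViewClient(new AllowlistWebViewClient());
    }
}
```

The check is on the parsed host, not on a string prefix, so a URL such as https://www.example.com.attacker.example/ (constructed here to show the point) is rejected because its host does not equal an allowlisted entry.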
OWASP Mobile
Stay updated on the most common exploits against mobile applications and how to prevent them. OWASP Mobile keeps a well-maintained list with explanations.