app development endeavor.

Leverage App Transport Security (ATS) for encrypted connections
For apps in regulated industries, the risks of not using ATS are substantial, including violations of compliance regulations and loss of user trust.

App Transport Security (ATS) is an essential iOS feature you should adopt to enforce encrypted connections between your app and web services. ATS prevents accidental disclosure of data over insecure connections by requiring apps to connect only over HTTPS. For any external service your iOS app integrates with that handles protected health information, financial data, or other sensitive user information, confirming ATS compatibility is a must.

With ATS enabled, you can be confident that user data remains encrypted in transit and cannot be easily intercepted by third parties.
Protect sensitive data with iOS data protection

For apps dealing with financial account details, healthcare records, or insurance claims, properly using iOS data protection features provides security controls on par with industry expectations. It lets you secure sensitive user data stored locally on devices.

iOS implements hardware-backed encryption to safeguard files, databases, and other persistent app data. Stored data is protected through a combination of file-level encryption and access controls tied to the user's passcode and biometrics such as Touch ID and Face ID. iOS app developers can mark data as protected via file attributes; the system then encrypts that data automatically and requires user authentication before it can be decrypted.

Manage access controls with care
To comply with regulations like HIPAA and GLBA, having granular control over user access to features and sensitive data is essential. iOS provides tools to restrict app functionality and data based on factors like user location, time of day, device state, and more.

For example, a healthcare application may choose to revoke access to patient records when a device is remotely locked, or an insurance app may require users to re-authenticate after thirty days to continue accessing a policy file.

Leveraging the access control mechanisms in iOS allows you to selectively provide and restrict features in line with industry rules. Document how you use these controls so you can demonstrate compliance to regulators.
Securely store credentials with iOS Keychain

Securing user login credentials and API keys is imperative for regulated industry apps. The iOS Keychain API lets you safely persist user IDs, passwords, certificates, and other secrets, encrypted on a per-app basis.

Using Keychain rather than unsecured storage provides "defense in depth" for protecting accounts on user devices. This helps avoid the liability associated with compromising user credentials through improper storage.

Keychain also facilitates single sign-on across apps from the same provider. For example, if a single organization has two separate mobile applications for banking and trading, the banking app can authorize access to the trading app without the user re-entering credentials.
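The following Swift snippet is an added example, not code from the article: it stores an API token in the Keychain as a generic-password item whose access control requires the device to be unlocked, forbids migration to another device via backup, and gates reads behind the user's current biometric enrolment with a passcode fallback. The service name, account and error type are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

struct SecretStore {
    // Hypothetical service identifier; use your own bundle-specific value.
    let service = "com.example.app.api-token"

    // Accessibility and authentication policy live in the SecAccessControl,
    // so kSecAttrAccessible must not be given separately in the item query.
    private func accessControl() throws -> SecAccessControl {
        var error: Unmanaged<CFError>?
        guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never backed up or migrated
            [.biometryCurrentSet, .or, .devicePasscode],  // invalidated if Face ID/Touch ID enrolment changes
            &error) else { throw error!.takeRetainedValue() as Error }
        return acl
    }

    func save(token: Data, account: String) throws {
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Remove any earlier value so SecItemAdd does not fail with errSecDuplicateItem.
        _ = SecItemDelete(base as CFDictionary)
        var add = base
        add[kSecAttrAccessControl as String] = try accessControl()
        add[kSecValueData as String] = token
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func load(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason // shown in the system authentication sheet
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecUseAuthenticationContext as String: context,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError.unexpectedStatus(status)
        }
        return data
    }
}
```

Sharing an item between two apps from the same provider, as the paragraph above describes, additionally requires both apps to declare a common keychain access group through the Keychain Sharing entitlement. A read that is denied because the user cancels or fails authentication surfaces as a non-success OSStatus, which the caller should treat as "not available" rather than as a missing item.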
Support device management and conditional access

In enterprise settings, apps are commonly required to integrate with a mobile device management (MDM) solution. MDM enables administrative functions like remote device wiping, policy enforcement, and conditional access restrictions.

Leveraging the MDM APIs in iOS allows your B2B apps to conform to IT admin requirements. For example, an insurance app may rely on MDM to restrict access to policy documents based on time, network, and other criteria set by the MDM server.

Documenting MDM support can give regulated industry customers confidence that your iOS apps allow critical access controls and administrative capabilities.