How We Build Secure Applications

Security is a core requirement for all our solutions, especially for high-trust scenarios such as mobile remote signatures, authentication apps, and multi-factor authentication (MFA). We design these systems to protect user identity and the integrity of signed data, and to resist fraud and device compromise.

Security by Design

Threat modeling from the start

For each solution (remote signing, MFA, identity apps), we identify the relevant attack vectors (phishing, device theft, man-in-the-middle (MITM) attacks, replay, SIM swap, etc.) and design technical and process controls to mitigate them.

Least privilege and zero-trust mindset

Every component (API, mobile app, background worker) gets only the minimal access it truly needs. Sensitive operations are further locked behind step-up authentication and additional checks.

Separation of concerns
  • Business logic, cryptographic operations, identity management, and data access are clearly separated.
  • Sensitive operations (key usage, signing, verification) are isolated in dedicated services or hardware-backed modules.

Mobile Remote Signature & Authentication

For remote signature and authentication applications, we implement:

Strong identity binding
  • One-time, verified onboarding (eKYC, ID documents, or enterprise identity sources).
  • Persistent binding of the user's identity to their device and cryptographic keys (device fingerprint, secure hardware key storage, TPM/Secure Enclave/TEE).
Hardware-backed key protection
  • Signing keys are generated and stored in an HSM, a TPM, or mobile secure hardware (Secure Enclave on iOS, TEE/StrongBox on Android).
  • Private keys are never exposed to the app; signing is done via secure OS/hardware APIs.
Transaction-level confirmation
  • Users see what they are signing: human-readable transaction details (amounts, recipients, document hashes) rather than an opaque blob.
  • Each signature request includes a unique challenge (nonce) and is time-limited, so a captured response cannot be replayed.
  • High-risk actions can require explicit user confirmation with a PIN, a biometric, or an additional factor.
End-to-end protection
  • All communication between mobile app and backend is protected with TLS, certificate pinning where appropriate, and strict validation of server certificates.
  • Signed payloads include timestamps and unique IDs to prevent tampering, replay and reuse.
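
The challenge-response flow above, as an added worked example that is not code from the original page or from our products: the backend issues a random, time-limited nonce bound to the transaction details, the device signs it with its key, and the backend rejects tampered details, expired challenges, signatures from an unregistered key, and any second use of a nonce. The struct layout, field names and the two-minute TTL are assumptions; on a real device the ECDSA private key would live in the Secure Enclave/StrongBox rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is one signature request issued by the backend. The transaction
// details are part of the signed message, so what the user is shown is what
// the device signs. (Hypothetical field layout, not a real product format.)
type Challenge struct {
	Nonce     string
	ExpiresAt time.Time
	Amount    string
	Recipient string
}

// canonical returns the digest both sides sign and verify; any change to the
// nonce, expiry or transaction details yields a different digest.
func (c Challenge) canonical() []byte {
	s := fmt.Sprintf("nonce=%s|exp=%d|amount=%s|recipient=%s",
		c.Nonce, c.ExpiresAt.Unix(), c.Amount, c.Recipient)
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

// Server keeps the device's registered public key, the challenges it issued
// and the nonces already consumed. The clock is injectable so expiry is testable.
type Server struct {
	devicePub *ecdsa.PublicKey
	issued    map[string]Challenge
	used      map[string]bool
	now       func() time.Time
}

func NewServer(pub *ecdsa.PublicKey, now func() time.Time) *Server {
	return &Server{devicePub: pub, issued: map[string]Challenge{}, used: map[string]bool{}, now: now}
}

// Issue creates a fresh, random, short-lived challenge for one transaction.
func (s *Server) Issue(amount, recipient string, ttl time.Duration) (Challenge, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(b[:]), ExpiresAt: s.now().Add(ttl), Amount: amount, Recipient: recipient}
	s.issued[c.Nonce] = c
	return c, nil
}

// Verify accepts a response only if the nonce was issued here, is unused and
// unexpired, the details match what was issued, and the signature verifies
// under the registered device key. The nonce is consumed on success.
func (s *Server) Verify(c Challenge, sig []byte) error {
	orig, ok := s.issued[c.Nonce]
	if !ok {
		return errors.New("unknown nonce")
	}
	if s.used[c.Nonce] {
		return errors.New("replay: nonce already used")
	}
	if s.now().After(orig.ExpiresAt) {
		return errors.New("challenge expired")
	}
	if c.Amount != orig.Amount || c.Recipient != orig.Recipient || !c.ExpiresAt.Equal(orig.ExpiresAt) {
		return errors.New("transaction details differ from the issued challenge")
	}
	// Verify over the server's own copy of the challenge, never client-supplied fields.
	if !ecdsa.VerifyASN1(s.devicePub, orig.canonical(), sig) {
		return errors.New("signature does not verify under the registered device key")
	}
	s.used[c.Nonce] = true
	return nil
}

// DeviceSign stands in for the Secure Enclave / StrongBox signing call; on a
// real device the private key never leaves the hardware.
func DeviceSign(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, c.canonical())
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the hardware-backed key
	if err != nil {
		panic(err)
	}
	clock := time.Now()
	srv := NewServer(&priv.PublicKey, func() time.Time { return clock })
	c, _ := srv.Issue("100.00 EUR", "acct-4711", 2*time.Minute)
	sig, _ := DeviceSign(priv, c)
	fmt.Println("first use:", srv.Verify(c, sig)) // <nil>
	fmt.Println("replay:", srv.Verify(c, sig))    // error: nonce already used
	c2, _ := srv.Issue("5.00 EUR", "acct-4711", 2*time.Minute)
	sig2, _ := DeviceSign(priv, c2)
	clock = clock.Add(3 * time.Minute)
	fmt.Println("expired:", srv.Verify(c2, sig2)) // error: challenge expired
}
```

Verify looks the nonce up in the server's own record and checks the signature over the server's copy of the challenge, so a client cannot substitute its own amount or expiry; the nonce is only marked used after every check has passed, which keeps a failed attempt from burning a legitimate challenge.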

Multi-Factor Authentication (MFA) Applications

For MFA applications (push approvals, OTP, soft tokens), we use:

Multiple factor types
  • Something the user knows: PIN or password (stored and validated securely).
  • Something the user has: registered device, bound via secure keys and device identifiers.
  • Something the user is: biometrics (fingerprint, face recognition) via OS APIs.
Secure token and key handling
  • OTP seeds, signing keys and access tokens are stored in OS secure storage (Keychain, Android Keystore) or hardwarebacked stores.
  • No secrets are stored in plain text or embedded in application code.
Phishing & replay resistance
  • Push-based MFA with transaction details ("Approve login from X at time Y") instead of a bare "Yes/No" prompt.
  • Use of signed challenges: the app signs a server-issued, single-use challenge with its device key, so an intercepted code or response cannot be reused.
  • Optional device binding and detection of suspicious contexts (impossible travel, unusual devices).
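
OTP soft tokens need the same single-use discipline as signed challenges. The following is an added example, not code from the original page or from our products: RFC 4226 HOTP and RFC 6238 TOTP implemented with Go's standard library, plus a server-side validator that tolerates one 30-second step of clock skew but never accepts a time step at or below the last one it accepted, so a code phished from the user cannot be replayed. The secret is the RFC 6238 test vector; the Validator type and its one-step window are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const (
	totpStep    = 30      // seconds per time step (RFC 6238 default)
	totpModulus = 1000000 // 10^6 for six-digit codes
)

// HOTP computes an RFC 4226 six-digit code: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation, then modulo 10^6.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	return fmt.Sprintf("%06d", code%totpModulus)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238, T0 = 0).
func TOTP(secret []byte, t time.Time) string {
	return HOTP(secret, uint64(t.Unix()/totpStep))
}

// Validator is the server-side state for one enrolled soft token (assumed design).
type Validator struct {
	secret   []byte
	lastStep int64 // highest time step already accepted; -1 = none yet
}

func NewValidator(secret []byte) *Validator {
	return &Validator{secret: secret, lastStep: -1}
}

// Check accepts a code for the current step or one step either side (about
// 30 s of clock skew) and refuses any step at or below the last accepted one,
// so the same code can never be accepted twice.
func (v *Validator) Check(code string, now time.Time) error {
	step := now.Unix() / totpStep
	for _, delta := range []int64{0, -1, 1} {
		s := step + delta
		if s < 0 {
			continue
		}
		// Constant-time compare so timing does not leak how many digits matched.
		if hmac.Equal([]byte(HOTP(v.secret, uint64(s))), []byte(code)) {
			if s <= v.lastStep {
				return errors.New("replay: a code for this time step was already used")
			}
			v.lastStep = s
			return nil
		}
	}
	return errors.New("invalid code")
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real seed
	v := NewValidator(secret)
	code := TOTP(secret, time.Unix(59, 0)) // "287082"
	fmt.Println("code:", code)
	fmt.Println("first use:", v.Check(code, time.Unix(59, 0))) // <nil>
	fmt.Println("replay:", v.Check(code, time.Unix(65, 0)))    // error: already used
}
```

In production the seed would come out of the Keychain/Keystore on the device and an HSM or encrypted store on the server; lastStep must be persisted per token, not kept in memory, or a restart reopens the replay window.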

Implementation Practices for Secure Apps

Secure communication
  • TLS everywhere, strong cipher suites, HSTS, and optional mutual TLS for critical internal communication.
  • Defense against MITM by validating certificates and optionally applying certificate pinning in mobile apps.
Robust authentication & authorization
  • Standards-based protocols: OAuth 2.1, OpenID Connect, and FIDO2/WebAuthn where applicable.
  • Fine-grained authorization (roles/claims/policies) with clear separation between user and admin operations.
  • Step-up authentication for sensitive actions (remote signature, changing security settings, high-value transactions).
Hardening of clients
  • Obfuscation and hardening of mobile apps to make reverse engineering more difficult.
  • Detection of rooted/jailbroken devices and blocking or downgrading trust when necessary.
  • Secure local storage, restricted clipboard usage, and protection against screenshot and overlay attacks where applicable.
Monitoring, logging & incident response
  • Security-focused logging: authentication attempts, failed MFA, signature operations (with data minimization).
  • Anomaly detection (suspicious login patterns, failed attempts, device changes).
  • Clear processes for revoking devices, keys and sessions in case of loss or compromise.
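
Detection logic of the kind listed above (device changes, impossible travel), as an added example that is not code from the original page or from our products, run over a handful of constructed log lines: assuming a GeoIP step has already attached coordinates to each login, the detector flags a device never seen on the account and any pair of consecutive logins whose implied speed exceeds a threshold. The log layout, the 1000 km/h threshold and the "first login is enrolment" rule are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Login is one authentication event after GeoIP resolution of the source IP.
type Login struct {
	At       time.Time
	User     string
	Device   string
	Lat, Lon float64
}

// SampleLog is constructed test data, not a real log: RFC 3339 time, user,
// device id, and the latitude/longitude a GeoIP lookup would have returned.
const SampleLog = `2024-03-01T08:00:00Z alice device-a1 52.5200 13.4050
2024-03-01T08:30:00Z alice device-a1 52.5200 13.4050
2024-03-01T09:00:00Z alice device-zz 40.7128 -74.0060
2024-03-01T09:10:00Z bob device-b7 48.8566 2.3522
2024-03-01T11:40:00Z bob device-b7 51.5074 -0.1278`

// ParseLog reads whitespace-separated lines in the layout above.
func ParseLog(s string) ([]Login, error) {
	var out []Login
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		lat, err1 := strconv.ParseFloat(f[3], 64)
		lon, err2 := strconv.ParseFloat(f[4], 64)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad coordinates in line: %q", line)
		}
		out = append(out, Login{At: at, User: f[1], Device: f[2], Lat: lat, Lon: lon})
	}
	return out, nil
}

// haversineKm is the great-circle distance between two points in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthKm * math.Asin(math.Sqrt(a))
}

type Alert struct {
	User, Kind, Detail string
}

// Detect walks each user's logins in time order and raises an alert for a
// device never seen on that account and for consecutive logins whose implied
// speed exceeds maxKmh. A user's very first login is treated as enrolment.
func Detect(logins []Login, maxKmh float64) []Alert {
	type state struct {
		last    Login
		devices map[string]bool
	}
	sorted := append([]Login(nil), logins...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	seen := map[string]*state{}
	var alerts []Alert
	for _, l := range sorted {
		st, ok := seen[l.User]
		if !ok {
			seen[l.User] = &state{last: l, devices: map[string]bool{l.Device: true}}
			continue
		}
		if !st.devices[l.Device] {
			alerts = append(alerts, Alert{l.User, "new_device", "unseen device " + l.Device})
			st.devices[l.Device] = true
		}
		dist := haversineKm(st.last.Lat, st.last.Lon, l.Lat, l.Lon)
		hours := l.At.Sub(st.last.At).Hours()
		// Zero elapsed time with a real distance is impossible travel too.
		if (hours <= 0 && dist > 1) || (hours > 0 && dist/hours > maxKmh) {
			alerts = append(alerts, Alert{l.User, "impossible_travel", fmt.Sprintf("%.0f km in %.2f h", dist, hours)})
		}
		st.last = l
	}
	return alerts
}

func main() {
	logins, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(logins, 1000) { // alice: new_device, then impossible_travel
		fmt.Printf("%s %s: %s\n", a.User, a.Kind, a.Detail)
	}
}
```

On the sample data alice's Berlin-to-New-York hop in 30 minutes trips the speed check and her unknown device trips the device check, while bob's Paris-to-London move over two and a half hours does not. Both alerts are inputs to the revocation process, not automatic lockouts; the threshold should be tuned against VPN and mobile-carrier GeoIP noise before alerts drive blocking.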