Mobile device security

Application preference data, such as favorites and the mobile navigator items, are stored and cached locally to the application. All data is encrypted using standard OS encryption. User credentials are never stored.

The mobile interface is effectively a mobile-optimized browser, so it acts the same as any other browser. The instance itself logs the user on, and therefore uses SAML/SSO, not the endpoint. For more information on SAML/SSO, see Mobile single sign on.

Administrators can disable user access to the native mobile app by changing the glide.ui.m.native_apps_enabled system property to false. Disabling the app for specific users is unavailable; however, administrators can customize the mobile experience for users by role.

Mobile app stored passwords

When you sign in to the native app on your mobile device, the app stores your SSO password. The iOS app uses OAuth for authentication. For more information on configuring the lifespan of the token, see Mobile single sign on.

Local storage

The operating systems for both iOS and Android handle local storage. iOS uses the keychain, which the iPhone and iPad HSM backs up. Android hardware for encryption varies by manufacturer, but hardware-backed encryption exists for major Android phones.

Users can download attachments on Android devices as well as iOS. There is no way to disable that. On Android, the information is stored in the application's data folder /data/data, which can end up on the phone's SD card.

Authentication

User credentials are never stored on the iOS application. Authentication uses OAuth 2.0, which exchanges tokens between the mobile application and the instance. These tokens provide scoped access between the app and instance, without ever having to physically store the user's credentials.

The native mobile app does not use additional PIN functionality. Using a PIN or Touch ID to sign in to the app is not supported. Users can only sign in with the standard platform password. Any additional device security is the responsibility of the phone owner.

Permissions

The native mobile app enforces the same permissions as the instance. The app requires the following access rights.

- Location: Precise location based on GPS and network.
- Photos/media/files: Read the contents of your USB storage. Modify or delete the contents of USB storage.
- Storage: Read the contents of your USB storage. Modify or delete the contents of USB storage.
- Camera: Take photos and video.
- Receive data from the Internet.
- View network connections.
- Full network access.
- Prevent device from sleeping.

Data

Data is stored on both the app and in the cloud. Application preference data, such as favorites and the mobile navigator items, are stored and cached locally to the application. The apps enforce and transmit data over HTTPS connections.

Push notifications display without authentication. Customize the title and message of the notification to prevent unnecessary information from displaying on a locked mobile device. For more information on customizing push notifications, see Push notifications. Approvals also display push notifications in the mobile app.

The platform uses account lockouts and Splunk alerts to detect and automate restrictions for nefarious behavior. Security controls are built around the data-end as the platform is a SaaS offering. While the mobile app does provide some additional features, such as REST APIs for things like authentication and Connect Chat, the mobile app is a browser connecting to a SaaS environment. All protective technologies that work on the web work for mobile devices.