Mobile App Security - STRIDE Threat Model | PrimeThreat

Mobile App Security

iOS/Android application with backend API. The device is untrusted territory - assume the attacker has full control of the client.

Mobile Architecture

End-to-end mobile application security from device to backend data stores.

[Architecture diagram: Device (untrusted): Mobile App, Keychain, Biometric; Network (untrusted): TLS/Pinning, Proxy; API Gateway (semi-trusted): Rate Limit, Auth, WAF; Backend (trusted): API Server, Auth Service, Push Service; Data (highly trusted): Database, Storage]

The Device is Enemy Territory

Never trust the mobile client. Attackers can jailbreak/root devices, hook functions with Frida, bypass SSL pinning, decompile the app, and modify requests. All validation must happen server-side. The client is only for UX - never for security.
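The following is an added example (not code from the original page) of what "all validation happens server-side" looks like for a backend endpoint called by the mobile app. It assumes a hypothetical purchase endpoint and uses constructed in-memory stand-ins for the session store, catalog and inventory; every security-relevant value (identity, role, price, stock) is derived from server state, and client-supplied copies of those values are ignored.

```python
"""Server-side enforcement for a mobile backend (added example).
Assumed: a purchase endpoint receiving a JSON body from the client.
The catalog, sessions and stock below are constructed sample data."""
from dataclasses import dataclass

CATALOG = {"sku-100": 1999, "sku-200": 4999}            # price in cents
SESSIONS = {"tok-abc": {"user": "alice", "role": "customer"}}
STOCK = {"sku-100": 5, "sku-200": 0}


class RequestRejected(Exception):
    """Raised for any request the server refuses to honour."""


@dataclass
class Order:
    user: str
    sku: str
    quantity: int
    total_cents: int


def place_order(auth_token: str, body: dict) -> Order:
    """Build the order from server-side truth only.

    A tampered client may add fields such as 'price', 'discount',
    'role' or 'user' to the body; none of them is read."""
    session = SESSIONS.get(auth_token)
    if session is None:
        raise RequestRejected("invalid or expired session")
    # Identity and role come from the session, never from the body.
    if session["role"] not in ("customer", "admin"):
        raise RequestRejected("role not permitted to order")
    sku = body.get("sku")
    if sku not in CATALOG:
        raise RequestRejected("unknown sku")
    # Quantity is untrusted input: enforce type and bounds
    # (bool is excluded because it is a subclass of int).
    quantity = body.get("quantity")
    if (not isinstance(quantity, int) or isinstance(quantity, bool)
            or not 1 <= quantity <= 100):
        raise RequestRejected("quantity out of range")
    if STOCK[sku] < quantity:
        raise RequestRejected("insufficient stock")
    # Price is recomputed from the catalog; a client 'price' field
    # cannot lower it.
    total = CATALOG[sku] * quantity
    STOCK[sku] -= quantity
    return Order(session["user"], sku, quantity, total)
```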

Mobile Device

Untrusted client with local storage and biometrics.

Network Layer

TLS with certificate pinning. Assume the network is hostile.

API Gateway

Rate limiting, authentication, and WAF protection.

Backend Services

API server, auth service, and push notifications.

Data Layer

Database and file storage. Most trusted zone.