# Mobile Application Security

Security is a critical aspect of mobile application development and must be carefully considered at every stage of the development lifecycle.\
The following guidelines highlight important security best practices that should be followed when developing mobile applications using ONEWEB.

***

### Understand the Security Model of Cordova Applications

Since a Cordova application is built from **HTML and JavaScript assets** that are packaged inside a native container, the application code should **not be considered inherently secure**. Anyone who obtains the APK or IPA can unpack it and read every asset, and on a rooted or jailbroken device the assets can also be modified at runtime.

Client‑side resources such as HTML, CSS, and JavaScript must therefore be treated as public and tamperable. Do not embed secrets (API keys, credentials, signing material) in them, and never let an authorization decision, price calculation, or other security‑critical operation rely solely on client‑side code: the server must re‑check it.

***

### Validate All User Inputs on the Server Side

All user inputs must be **validated on the server side** before processing or forwarding data to backend services.

Although client‑side validations are useful for improving user experience, they must not be trusted for security enforcement. An attacker can modify the HTML and JavaScript assets, or skip the app entirely and send crafted requests straight to the backend, bypassing client‑side validation logic.\
Server‑side validation (type, length, range and format checks against an allow‑list, with unexpected fields rejected) is what actually enforces data integrity and security policy.
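
The following is an added example of such a server‑side check; it is not ONEWEB code. It validates a hypothetical transfer request that a Cordova client would send to a backend, so the field names (`accountId`, `amountCents`, `memo`), the account‑id format and the limits are assumptions chosen for illustration. It is written as plain functions so it runs without a web framework, and it is followed by two constructed requests: one as the app's form would send it and one as an attacker can send it after bypassing the form.

```javascript
// Added example (not ONEWEB code): server-side validation of a request body
// sent by a Cordova client. Field names, the account-id format and the limits
// are assumptions for illustration.

const ACCOUNT_ID = /^[A-Z]{2}\d{8}$/;       // assumed account-id format
const MAX_MEMO_LENGTH = 64;                 // assumed limit
const MAX_AMOUNT_CENTS = 1000000;           // assumed per-request limit

// Validate an already-parsed JSON body. Returns { ok: true, value } with a
// sanitized, fully-typed object, or { ok: false, errors } listing every
// problem found. Unknown fields are rejected rather than passed through.
function validateTransferRequest(body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }

  const allowed = new Set(['accountId', 'amountCents', 'memo']);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);
  }

  const { accountId, amountCents, memo } = body;

  if (typeof accountId !== 'string' || !ACCOUNT_ID.test(accountId)) {
    errors.push('accountId must match ' + ACCOUNT_ID);
  }

  // Accept only a JSON number that is a positive integer within limits.
  // "2500" (a string), 12.5, NaN and negative values are all rejected,
  // whatever the client-side form enforced.
  if (typeof amountCents !== 'number' || !Number.isSafeInteger(amountCents) ||
      amountCents <= 0 || amountCents > MAX_AMOUNT_CENTS) {
    errors.push(`amountCents must be an integer in 1..${MAX_AMOUNT_CENTS}`);
  }

  let cleanMemo = '';
  if (memo !== undefined) {
    // Printable ASCII only is an assumption of this example.
    if (typeof memo !== 'string' || memo.length > MAX_MEMO_LENGTH ||
        /[^\x20-\x7E]/.test(memo)) {
      errors.push(`memo must be printable ASCII, at most ${MAX_MEMO_LENGTH} chars`);
    } else {
      cleanMemo = memo.trim();
    }
  }

  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { accountId, amountCents, memo: cleanMemo } };
}

// Constructed sample requests. `fromForm` is what the app's own form would
// send; `tampered` is what an attacker can send after bypassing the form
// (for example by replaying the request with modified JSON).
const fromForm = { accountId: 'GB12345678', amountCents: 2500, memo: 'rent' };
const tampered = {
  accountId: "GB12345678' OR 1=1--",
  amountCents: -2500,
  memo: 'x'.repeat(500),
  isAdmin: true,
};
```

`validateTransferRequest(fromForm)` returns the sanitized value, while `validateTransferRequest(tampered)` returns four errors (unexpected field, bad account id, negative amount, oversized memo). Run the check before any database query or call to a downstream service, and reject the request as a whole on the first failing batch rather than trying to repair individual fields.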

***

### Avoid Caching Sensitive Information

Sensitive information should **never be cached on the device**.

Data stored locally may later be accessed by:

* Unauthorized users
* Malicious applications
* Compromised devices

This includes, but is not limited to:

* Authentication credentials
* Personal identifiers
* Security tokens
* Confidential business data

Sensitive data should be held in memory only for as long as it is needed and persisted only when absolutely necessary. `localStorage`, `sessionStorage`, IndexedDB, WebSQL, plain files and the WebView cache are not secure storage: their contents sit unencrypted in the app's data directory and can be read from a rooted or jailbroken device or from a device backup. When persistence is unavoidable, use the platform's protected storage (the iOS Keychain or the Android Keystore, through a Cordova plugin) and keep the stored value minimal and short‑lived.
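
As an added example (not ONEWEB code), the block below shows two small pieces that follow from this rule: a token holder that keeps a bearer token in memory only, and a debug‑build audit that walks a Web Storage object (`localStorage` or `sessionStorage`) and reports entries that look like credentials. The key‑name and value heuristics are this example's assumptions, not a standard, and the storage contents at the end are constructed so the audit can run outside a browser.

```javascript
// Added example (not ONEWEB code).
//  1. holdSessionToken(): keeps a bearer token in a closure, so it is never
//     written to localStorage/sessionStorage/IndexedDB and is gone once the
//     WebView is torn down.
//  2. auditWebStorage(): a debug-build check over a Web Storage object that
//     flags entries which look like credentials. Heuristics are assumptions.

const SENSITIVE_KEY = /(token|secret|password|passwd|session|auth|apikey|api_key)/i;
const JWT_VALUE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;
const LONG_OPAQUE_VALUE = /^[A-Za-z0-9+/=_-]{32,}$/;   // long base64/hex-like blob

function holdSessionToken() {
  let token = null;
  return {
    set(value) { token = value; },
    // Callers get the token only in the form needed to build a request header.
    authorizationHeader() { return token ? `Bearer ${token}` : null; },
    // Call on logout and on the Cordova 'pause' event for high-value tokens.
    clear() { token = null; },
  };
}

// `storage` must implement the Web Storage interface: length, key(i), getItem(k).
function auditWebStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = String(storage.getItem(key) ?? '');
    const reasons = [];
    if (SENSITIVE_KEY.test(key)) reasons.push('key name suggests a credential');
    if (JWT_VALUE.test(value)) reasons.push('value looks like a JWT');
    else if (LONG_OPAQUE_VALUE.test(value)) reasons.push('value looks like an opaque secret');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Minimal in-memory Web Storage stand-in so the audit runs outside a browser.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    get length() { return keys.length; },
    key: (i) => keys[i],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample of what a careless app might leave in localStorage.
const sampleStorage = fakeStorage({
  theme: 'dark',
  lastScreen: 'dashboard',
  authToken: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlLXNpZ25hdHVyZQ',
  user_password: 'hunter2',
  cache_blob: 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5',
});
```

In a device build `auditWebStorage(window.localStorage)` can be wired to a debug menu or an automated UI test; on the constructed sample it reports `authToken`, `user_password` and `cache_blob` and leaves the two preference entries alone. The audit is a safety net for regressions, not a substitute for the rule itself.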

***

### Use InAppBrowser for External Links

When opening external websites or web content, always use the **InAppBrowser** plugin (`cordova-plugin-inappbrowser`) instead of embedding the content in the application's own WebView or adding the external domain to the navigation allow‑list (`<allow-navigation>` in `config.xml`). An allow‑listed page loads inside the Cordova WebView, where `cordova.js` and every installed plugin are reachable from that page's JavaScript.

Using InAppBrowser is safer because:

* With target `_blank` the page loads in a separate WebView into which `cordova.js` is not injected, and with target `_system` it opens in the device's default browser with that browser's **native security features**
* The external website does **not gain access to the Cordova environment** (plugins, the native bridge, or the app's storage)
* It reduces the risk of exposing application internals to untrusted content

Avoid target `_self`: for an allow‑listed URL it loads the page in the Cordova WebView itself. Used with `_blank` or `_system`, this approach provides a controlled and secure separation between the mobile application and third‑party web content.
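
The following is an added example, not ONEWEB or plugin code, of a helper that routes every external link through InAppBrowser. The plugin's real entry point is `cordova.InAppBrowser.open(url, target, options)`; here the `open` function is passed in as a parameter so the logic can run and be tested outside a device. The https‑only scheme allow‑list, the rejection of embedded credentials and the decision to show the location bar are this example's choices.

```javascript
// Added example (not ONEWEB or plugin code): vet a URL, then hand it to the
// InAppBrowser plugin. `open` is injected; on a device it would be
// cordova.InAppBrowser.open. The allow-list below is this example's choice.

const ALLOWED_SCHEMES = new Set(['https:']);   // http: deliberately excluded

// Parse and vet a URL before handing it to a browser. Rejects anything that is
// not an absolute https URL, which covers javascript:, data:, file: and
// relative paths that would otherwise resolve inside the app bundle.
function vetExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));              // throws on relative/garbage input
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  return { ok: true, url: url.href };
}

// target '_blank' opens the page in the InAppBrowser's own WebView, which does
// not load cordova.js, so the page cannot reach plugins or the native bridge.
// '_self' is never used here: for an allow-listed origin it would load the
// page in the Cordova WebView with full bridge access.
// 'location=yes' keeps the address bar visible so users can see where they are.
function openExternal(raw, open) {
  const vetted = vetExternalUrl(raw);
  if (!vetted.ok) return vetted;
  const target = '_blank';
  const options = 'location=yes';
  open(vetted.url, target, options);
  return { ok: true, url: vetted.url, target, options };
}

// On a device:  openExternal(href, cordova.InAppBrowser.open);
// Constructed stand-in that records what would have been opened, so the
// helper can be exercised without the plugin present.
function recordingOpener() {
  const calls = [];
  const open = (url, target, options) => { calls.push({ url, target, options }); };
  return { open, calls };
}
```

Wire `openExternal` to a click handler for every anchor whose `href` leaves the app, and route user‑supplied or server‑supplied links through it as well; the vetting step is what stops a `javascript:` or `file:` link from ever reaching a WebView.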

***

### Summary

Following these security practices helps ensure that mobile applications built with ONEWEB are more resilient against common attack vectors:

* Do not trust client‑side code for security
* Always validate user inputs on the server
* Never cache sensitive information on the device
* Use InAppBrowser for all external web content

By incorporating these principles into your development workflow, you can significantly reduce security risks and build more secure mobile applications.


