What is stored on the mobile device and how is it protected?
No user credentials are stored on the mobile device or in the app. The only data stored on the mobile device is:
- the app ID and token used when communicating with the server
- the user profile (email address, first and last name)
- the device ID for push notifications
- the biometric token key (only accessible when authenticated with a second factor – either biometric or a custom PIN)
- the encrypted custom PIN and the salt used for encryption
All data stored on mobile devices is protected by cryptographic means. To secure configuration and transaction data, Cyberus Key uses Keychain Services on iOS and AES encryption on Android, where the AES secret key is encrypted with RSA and the RSA key is stored in the Android Keystore system. Additionally, all stored data can be accessed only with either biometry or a passcode on the device, and only if the user has been authenticated.
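
The Android scheme described above (data encrypted with AES, the AES key encrypted with an RSA key held in the Android Keystore, access gated on biometry or the device passcode), as an added example that is not Cyberus Key's own code. The alias, the AES-GCM mode, the OAEP parameters, the 30-second authentication window and the API level (30+) are assumptions made for illustration.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.spec.MGF1ParameterSpec
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.OAEPParameterSpec
import javax.crypto.spec.PSource
import javax.crypto.spec.SecretKeySpec

private const val ALIAS = "example_wrapping_key" // hypothetical alias
private const val RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
// OAEP parameters are pinned explicitly so the wrap and unwrap sides always agree.
private val OAEP = OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)
private fun keystore() = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

class SealedBlob(val wrappedKey: ByteArray, val iv: ByteArray, val ciphertext: ByteArray)

// Create the RSA pair once; the private half is generated in and never leaves the Keystore.
fun ensureWrappingKey() {
    if (keystore().containsAlias(ALIAS)) return
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setDigests(KeyProperties.DIGEST_SHA256)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
        .setUserAuthenticationRequired(true) // private-key use needs biometric or device credential
        .setUserAuthenticationParameters(30, KeyProperties.AUTH_BIOMETRIC_STRONG or KeyProperties.AUTH_DEVICE_CREDENTIAL)
        .build()
    KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore").apply { initialize(spec) }.generateKeyPair()
}

// Encrypt data under a fresh AES-256-GCM key, then wrap that key with the RSA public key.
fun seal(plaintext: ByteArray): SealedBlob {
    val aesKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    val gcm = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, aesKey) }
    val ciphertext = gcm.doFinal(plaintext)
    val rsa = Cipher.getInstance(RSA_OAEP).apply { init(Cipher.ENCRYPT_MODE, keystore().getCertificate(ALIAS).publicKey, OAEP) }
    return SealedBlob(rsa.doFinal(aesKey.encoded), gcm.iv, ciphertext)
}

// init() throws UserNotAuthenticatedException if the user has not authenticated in the last 30 s.
fun unseal(blob: SealedBlob): ByteArray {
    val rsa = Cipher.getInstance(RSA_OAEP).apply { init(Cipher.DECRYPT_MODE, keystore().getKey(ALIAS, null) as PrivateKey, OAEP) }
    val aesKey = SecretKeySpec(rsa.doFinal(blob.wrappedKey), "AES")
    val gcm = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.DECRYPT_MODE, aesKey, GCMParameterSpec(128, blob.iv)) }
    return gcm.doFinal(blob.ciphertext)
}
```

Only the wrapped key, IV and ciphertext are written to app storage; an attacker who copies those files still needs the Keystore-held private key, which is usable only after the user authenticates on the device.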