Mobile Security Overview
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka0f0000000axp4kag&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2f30609716-mobile-security-overview
Published: Dec 6, 2014   -   Updated: Jun 22, 2018

Please note: this page is no longer being updated and may not show current information.

Okta's Mobile Apps (Okta Mobile and Okta Verify) are designed with the same commitment to security as the Okta service itself. Available on iOS and Android, they are a popular and safe way to access your resources.

Here is a broad overview of the techniques used in our Mobile Apps.

Simple Design

To keep the attack surface minimal, the Okta Mobile Apps are deliberately designed with few functional requirements: they perform their core functions and nothing else.

Certs

Okta Mobile rejects self-signed or otherwise untrusted ("bad") certificates. Such certificates (certs) are accepted only for attached services behind Okta, and only if they have been installed directly on the device or pushed to it by an admin through an MDM profile. They are never accepted for the Okta service itself.

When validation fails, the error screen offers no in-app way to resolve it: there is no "proceed anyway" option. This encourages the use of compliant certs and removes the risk of a user misjudging the warning and connecting to the app despite the error.
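The two trust decisions described above, modelled as an added example in Go (not Okta's code). It assumes a loopback HTTPS service with a self-signed certificate standing in for a customer's "attached" service: with the platform's default trust store the connection fails outright, and only an admin-provisioned root (the MDM profile case) makes it succeed. The client never sets InsecureSkipVerify, so there is no override path for the user to take. The function and type names are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newAttachedService starts a loopback HTTPS service using httptest's
// built-in self-signed certificate. It stands in for a customer service
// attached behind Okta; it is constructed for this example, not an Okta endpoint.
func newAttachedService() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello from attached service")
	}))
}

// fetchStatus performs a GET using the given trust roots. roots == nil means
// the platform's default trust store, which is how the Okta service itself is
// reached. InsecureSkipVerify is never set, so an untrusted certificate is
// simply an error with no "proceed anyway" branch.
func fetchStatus(url string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// mdmProfileRoots models an admin pushing a certificate to the device through
// an MDM profile: a trust pool used only for attached services, never for Okta.
func mdmProfileRoots(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// isUntrustedCert reports whether err is a chain-building failure (unknown
// issuer), the condition the app surfaces as a non-recoverable error.
func isUntrustedCert(err error) bool {
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

func main() {
	svc := newAttachedService()
	defer svc.Close()
	_, err := fetchStatus(svc.URL, nil)
	fmt.Println("default roots:", err, "| untrusted issuer:", isUntrustedCert(err))
	status, err := fetchStatus(svc.URL, mdmProfileRoots(svc.Certificate()))
	fmt.Println("MDM-pushed root:", status, err)
}
```

The important property is that the admin-provisioned pool is a separate client configuration: a certificate an admin installs for an attached service never widens what the client will accept from the Okta service, which always goes through the default roots.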

Screenshotting

Malware frequently abuses the platform's built-in screenshot capability to capture PII for exfiltration. The apps disable screen capture wherever the platform permits it. The qualifier matters: Android lets an app mark its windows as secure so the system refuses to capture them, whereas iOS offers no API that blocks screenshots, so protection there is limited to what the platform allows.

PIN / Session / Encryption

The device token in the Okta Mobile app is encrypted with AES-256 under a key derived from the user's PIN. The resulting ciphertext is stored in the iOS keychain, which is itself protected by the user's device passcode. Because a short PIN has little entropy on its own, the scheme relies on the attempt limit below and on the OS keychain protection, not on the PIN alone, to resist guessing.

On Android, the key store is protected by the user's PIN, and the device token is encrypted with an AES-256 key held in that key store. Entering the wrong PIN three times wipes the session and the app's cached state. Closing the app clears all cookies and sessions from memory, along with cached data.
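The PIN-protected token store and the three-strike wipe, written out as an added Go example (not Okta's code; the page does not state which KDF, iteration count or cipher mode the app uses, so PBKDF2-HMAC-SHA256 with a deliberately low iteration count and AES-256-GCM are this example's assumptions, and the function and type names are its own). The sample token is constructed. The last function shows the caveat a practitioner should keep in mind: the attempt counter lives in the app, so ciphertext copied off the device can be attacked by simply trying every four-digit PIN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed for this example: PBKDF2-HMAC-SHA256 with few iterations (keeps the
// brute-force demo quick) and AES-256-GCM; the real app's choices are not documented here.
const kdfIterations, maxAttempts = 200, 3

var ErrWrongPIN, ErrWiped = errors.New("wrong PIN"), errors.New("store wiped after too many wrong PINs")

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block, written out to stay on the standard library.
func pbkdf2SHA256(pin, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pin)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(u[:0])
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aeadFor returns AES-256-GCM under the key derived from pin and salt.
func aeadFor(pin string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, kdfIterations)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// TokenStore is what the app persists: never the token itself, only its
// ciphertext plus the salt and nonce needed to reopen it.
type TokenStore struct {
	salt, nonce, ciphertext []byte
	failures                int
}

func SealToken(pin string, token []byte) (*TokenStore, error) {
	buf := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	return &TokenStore{salt: salt, nonce: nonce, ciphertext: aeadFor(pin, salt).Seal(nil, nonce, token, nil)}, nil
}

// Unlock returns the token for the correct PIN. GCM's tag is what tells a wrong
// PIN from the right one; the third consecutive failure zeroes and drops the store.
func (s *TokenStore) Unlock(pin string) ([]byte, error) {
	if s.ciphertext == nil {
		return nil, ErrWiped
	}
	token, err := aeadFor(pin, s.salt).Open(nil, s.nonce, s.ciphertext, nil)
	if err != nil {
		if s.failures++; s.failures >= maxAttempts {
			for i := range s.ciphertext {
				s.ciphertext[i] = 0
			}
			s.salt, s.nonce, s.ciphertext = nil, nil, nil
			return nil, ErrWiped
		}
		return nil, ErrWrongPIN
	}
	s.failures = 0
	return token, nil
}

// OfflineBruteForce is the caveat: the attempt counter is enforced only inside
// the app, so whoever copies the blob off the device can try all 10,000
// four-digit PINs directly. The OS keychain/keystore protection, not the PIN,
// is what stands between that attacker and the ciphertext.
func OfflineBruteForce(s *TokenStore) (string, bool) {
	for n := 0; n < 10000; n++ {
		pin := fmt.Sprintf("%04d", n)
		if _, err := aeadFor(pin, s.salt).Open(nil, s.nonce, s.ciphertext, nil); err == nil {
			return pin, true
		}
	}
	return "", false
}

func main() {
	s, _ := SealToken("4821", []byte("constructed-device-token")) // constructed sample, not a real token
	for _, p := range []string{"4821", "0000", "1111", "2222", "4821"} {
		got, err := s.Unlock(p)
		fmt.Printf("PIN %s -> %q (%v)\n", p, got, err)
	}
}
```

Running main shows the right PIN unlocking, two wrong PINs returning a recoverable error, and the third wiping the store so that even the right PIN is refused afterwards. Calling OfflineBruteForce on a freshly sealed store recovers the PIN in well under a second, which is the reason the keychain and keystore layers described above are not optional extras.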

Credentials

User credentials are never stored on the device; only the encrypted device token described above is persisted.

3rd Party Review

The applicable apps are regularly reviewed by third-party testers who perform code review, penetration testing, and testing of new features.