Please note: this page is no longer being updated and may not show current information.
Here is a broad overview of techniques used in our Mobile Apps.
To keep the attack surface minimal, the Okta Mobile Apps are deliberately designed around a small set of functional requirements: they perform their core functions and nothing else.
Okta Mobile does not trust self-signed or otherwise invalid ("bad") certificates. Such certificates (certs) will work only for attached services, and only when installed directly on the device or pushed to it by an admin using MDM profiles. They will never work for the Okta service itself.
The certificate error path offers no in-app way to override or resolve the error. This encourages the use of compliant certs and lowers the risk of a user misjudging the risk and proceeding into the app despite the error.
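The following is an added illustration of the certificate policy just described; it is not Okta's code. It starts a local HTTPS server that presents a self-signed certificate (standing in for a non-compliant cert) and contrasts a client that keeps default TLS verification, with no override path, against the weak configuration that skips verification. The server, the handler and the helper names are all constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetchStrict keeps Go's default TLS verification: the server certificate
// must chain to a root the client trusts, and there is no path for the
// user to accept a bad certificate, mirroring the policy above.
func fetchStrict(url string) (string, error) {
	return fetch(&http.Client{}, url)
}

// fetchInsecure is the weak setting shown for contrast only: it accepts any
// certificate, self-signed ones included. A client that talks to an
// identity service must never ship with this configuration.
func fetchInsecure(url string) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // weak setting
	}}
	return fetch(client, url)
}

func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// newSelfSignedServer starts a loopback HTTPS server whose certificate is
// self-signed; it stands in for a service presenting a non-compliant cert.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

func main() {
	srv := newSelfSignedServer()
	defer srv.Close()
	if _, err := fetchStrict(srv.URL); err != nil {
		fmt.Println("strict client rejected the self-signed cert:", err)
	}
	body, _ := fetchInsecure(srv.URL)
	fmt.Println("insecure client accepted it and read:", body)
}
```

Run as written, the strict client fails with an "unknown authority" verification error while the insecure client reads the body; the difference is a single transport setting, which is why a client for an identity service should expose no such setting to the user.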
Malware frequently targets the platform's built-in screenshot capability to capture PII for exfiltration. Where the platform permits it, these functions are disabled in the app.
PIN / Session / Encryption
The device token in the Okta Mobile app is encrypted with the user's PIN using AES-256. On iOS the token is then stored in the keychain, which is itself encrypted with the user's device PIN/password.
On Android, a key store is encrypted with the user's PIN and the device token is then encrypted with an AES-256 key. Entering the wrong PIN 3 times wipes the session and the conditional state of the app. Closing the app clears all cookies and sessions from memory and cached data.
Credentials are never stored on the device.
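The following is an added example, not Okta's implementation, of the PIN-protected token storage and three-strike wipe described above. The page does not state which key derivation or AES mode is used, so the example assumes PBKDF2-HMAC-SHA256 to stretch the PIN into a 256-bit key and AES-256-GCM for the token; the type and function names and the sample token are constructed. The point it adds is that a short PIN must be stretched through a KDF rather than used as a key, that a wrong PIN is detected by the authenticated cipher failing, and that the third failure destroys the ciphertext so no further guesses are possible. On a real device the derived key would additionally sit behind the platform keychain or keystore, which is what limits offline guessing of a short PIN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	maxPINAttempts = 3      // the three-strike wipe described above
	kdfIterations  = 100000 // assumed value; the page gives no KDF parameters
)

var (
	ErrWrongPIN = errors.New("wrong PIN")
	ErrWiped    = errors.New("vault wiped after too many failed PIN attempts")
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) used to stretch a
// short PIN into an AES key. A raw PIN must never be used as a key directly.
func pbkdf2SHA256(pin, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, pin)
	blocks := (keyLen + prf.Size() - 1) / prf.Size()
	var dk []byte
	idx := make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(b))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func newAEAD(pin string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(pin), salt, kdfIterations, 32) // 32 bytes = AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TokenVault holds a device token sealed under a PIN-derived AES-256-GCM key.
type TokenVault struct {
	salt, nonce, blob []byte
	failures          int
	wiped             bool
}

// NewTokenVault seals the token under the PIN with a fresh random salt and nonce.
func NewTokenVault(pin string, token []byte) (*TokenVault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	aead, err := newAEAD(pin, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &TokenVault{salt: salt, nonce: nonce, blob: aead.Seal(nil, nonce, token, nil)}, nil
}

// Unlock returns the token for the correct PIN. A wrong PIN derives a wrong key,
// so GCM authentication fails; the third consecutive failure wipes the vault.
func (v *TokenVault) Unlock(pin string) ([]byte, error) {
	if v.wiped {
		return nil, ErrWiped
	}
	aead, err := newAEAD(pin, v.salt)
	if err != nil {
		return nil, err
	}
	token, err := aead.Open(nil, v.nonce, v.blob, nil)
	if err != nil {
		v.failures++
		if v.failures >= maxPINAttempts {
			v.wipe()
			return nil, ErrWiped
		}
		return nil, ErrWrongPIN
	}
	v.failures = 0
	return token, nil
}

// wipe zeroises and discards the ciphertext and key material.
func (v *TokenVault) wipe() {
	for i := range v.blob {
		v.blob[i] = 0
	}
	v.blob, v.salt, v.nonce, v.wiped = nil, nil, nil, true
}

func (v *TokenVault) Wiped() bool   { return v.wiped }
func (v *TokenVault) Failures() int { return v.failures }

func main() {
	v, _ := NewTokenVault("1234", []byte("constructed-device-token")) // constructed sample
	tok, _ := v.Unlock("1234")
	fmt.Println("unlocked:", string(tok))
	for i := 0; i < 3; i++ {
		_, err := v.Unlock("0000")
		fmt.Printf("wrong PIN attempt %d: %v\n", i+1, err)
	}
	fmt.Println("wiped:", v.Wiped())
}
```

Because the wrong PIN is detected only through the authentication tag, there is no separate "PIN hash" to compare against, and the wipe removes the ciphertext rather than just a counter, so restoring a copy of the counter does not bring the token back.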
3rd Party Review
The applicable apps are regularly reviewed by third-party testers who perform code review, penetration testing, and testing of new features.