Link to this headingContainer Checklist

  • Sensitive data (e.g. usernames, passwords or encryption keys) is not written to the filesystem unencrypted.

    • [iOS]
    • [Android]

  • Crash Data is not stored unencrypted outside the secure Container

    • [iOS]
    • [Android]

  • Data from the Containerized Application can not copy data outside the System

    • [iOS]
    • [Android]

  • Adding data to the Keyboard Cache should not be able to retrieve data outside the container

    • [iOS]
    • [Android]

  • Use long press to Share Data outside of the container

    • [iOS]
      • AirDrop
      • Media Playback
    • [Android]

  • Filenames relating to user data (such as downloaded files, cached files) are obfuscated or encrypted

    • [iOS]
    • [Android]

  • Log can not be viewed in the application

    • [iOS]
    • [Android]

  • Containerized data is not cached outside of the container unencrypted.

    • [iOS]
    • [Android]

  • When a device goes out of policy all container application information is deleted

    • [iOS]
    • [Android]

  • Bookmarks, Cookies and web history are properly stored within the encrypted container.

    • [iOS]
    • [Android]

  • A screenshot of a managed application’s UI is not saved or is obscured when switching between applications on the device.

    • [iOS]
    • [Android]

  • Screenshots are disabled while a managed application is being used.

    • [iOS]
      • Also Enable Assistive Touch and test
    • [Android]

  • Notifications containing information from within the container are disabled when a device goes out of policy.

    • [iOS]
    • [Android]

  • Filenames of files downloaded in a managed application are not disclosed in notifications.

    • [iOS]
    • [Android]

  • Managed applications implement a PIN or password lock screen.

    • [iOS]
    • [Android]

  • Managed applications have a lockout time with a PIN or password lock screen.

    • [iOS] What is the Application timeout?
      • Does the application need a PIN when the application is forcefully Killed?
    • [Android] What is the Application timeout?
      • Does the application need a PIN when the application is forcefully Killed?

  • Users are not permitted to set a weak PIN (e.g. 1234, 0000, etc).

    • [iOS]
      • Also check if the iOS pin is not a weak PIN
    • [Android]
      • Also check if the Android pin is not a weak PIN

  • Managed applications lock users out after a certain number of invalid PIN attempts

    • [iOS]
    • [Android]

  • Managed applications do not log sensitive data.

    • [iOS]
    • [Android]

  • Managed applications do not expose any Inter-Process Communication (IPC) endpoints insecurely.

    • [iOS]
    • [Android]

  • All traffic is sent through a secure tunnel.

    • [iOS]
    • [Android]

  • The browser application does not permit loading sites with insecure SSL/TLS settings

    • [iOS]
    • [Android]

  • Managed applications implement certificate pinning that cannot be bypassed by off-the-shelf tools.

    • [iOS]
    • [Android]

  • The solution implements root / jailbreak detection in a way that is difficult to reverse engineer and bypass.

    • [iOS]
    • [Android]

  • The solution implements runtime checks to prevent hooking and debugging.

    • [iOS]
    • [Android]

  • The solution implements binary integrity checks to prevent modifying and repackaging.

    • [Android]
    • [iOS]

  • Managed applications are obfuscated to make reverse engineering of critical components more difficult.

    • [Android]
    • [iOS]