Youreka Mobile Security Overview
Note: There are two versions of this article. One for the old Youreka mobile app, available until mid-2024, and one for the current mobile app, available October 2022. This version is intended for users of the Current Youreka Mobile app. To access the article for the old Youreka mobile app, click here.
Youreka’s mobile application for iOS and Android leverages industry best practices for mobile authentication and local storage. It utilizes OAuth 2.0 PKCE (Proof Key for Code for Exchange) for user authentication and session management. It utilizes secure encrypted local storage via a SQLite database.
Authentication Process (OAuth 2.0 PKCE)
First Time Authorization Flow
- User launches the Youreka app.
- User selects or enters a login domain.
- A Salesforce authentication prompt appears rendered using the system browser (following best practice).
- User enters a Salesforce username and password.
- Salesforce authenticates the user and responds with an authorization code. The app then requests an access token and refresh tokens using this authorization code. This is done to prove to Salesforce that the client requesting the token is the same client that successfully authenticated.
- User approves the Connected App's request to grant access.
- User is granted permission to user the app.
Online Authorization
- User opens a mobile app.
- If the access token is still valid, as confirmed by Salesforce, the app starts immediately. If the access token is no longer valid, the app uses the refresh token from its initial authorization to get an updated access token.
- The app resumes.
Offline Authorization
- User opens a mobile app while offline.
- The app checks for the presence of an access token from a previous session.
- If present, the app resumes. If not, the user must login to use the app.
Local Data Storage
- Youreka utilizes is stored in a SQLite database.
- It is encrypted via SQLCipher using 256-bit AES encryption.
- A PIN/Biometric locking system is on by default to protect against device theft/snooping.
- The secret for the encrypted database is securely stored in the native keystore/keychain.
- Upon logout all local data is destroyed.
Comments
0 comments
Please sign in to leave a comment.