The assumption that internal apps need less security than public-facing ones is dangerously wrong. Internal apps often handle more sensitive data — employee records, operational procedures, facility layouts, safety compliance evidence — and run on devices that leave the corporate network daily. A lost field tablet with an unencrypted local database is a data breach, regardless of whether the app was ever listed on a public store.
Authentication and session management
Single sign-on (SSO) integration through SAML or OpenID Connect should be the default authentication path for any internal app. Building a custom username/password system duplicates identity management, introduces password storage liability, and creates yet another credential for employees to manage. Connecting to the organization’s existing identity provider — Azure AD, Okta, Ping — centralizes access control and enables immediate deprovisioning when an employee leaves.
Session tokens must have bounded lifetimes. A refresh token that never expires on a shared field device means every subsequent user inherits the previous user’s access. Token lifetime should balance usability against risk: short-lived access tokens (15–30 minutes) with refresh tokens that expire at shift boundaries work well for most field applications.
Biometric authentication (fingerprint or face recognition) adds a practical second factor without the friction of SMS codes or hardware tokens. On managed devices, biometric enrollment can be verified through the MDM, ensuring that only authorized biometric profiles unlock the app. The critical nuance is fallback handling: if biometric authentication fails, the fallback should be SSO re-authentication, not a local PIN that bypasses the identity provider entirely.
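The token lifetimes from the previous paragraph and the fallback rule from this one can be expressed as a small session policy. The following is an added Python example, not code from the original article or from any identity provider SDK: the `shift_end_for` callback standing in for the scheduling system, the 12-hour hard cap on refresh tokens, and the token values themselves are all assumptions made here. Access tokens live 15 minutes, refresh tokens die at the shift boundary, a refresh rotates the old access token out, and a failed biometric check routes back to SSO rather than to any local PIN.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets

# Lifetimes as described in the text: short-lived access, refresh bounded by the shift.
ACCESS_TTL = timedelta(minutes=15)
REFRESH_HARD_CAP = timedelta(hours=12)   # assumed ceiling in case scheduling data is wrong or missing


@dataclass
class Session:
    user: str
    access_token: str
    access_expires: datetime
    refresh_token: str
    refresh_expires: datetime


class Unlock(Enum):
    GRANT = "grant"
    REQUIRE_SSO = "require_sso"   # the only fallback: re-authenticate with the identity provider


class SessionPolicy:
    """Issues and refreshes tokens whose lifetime never outlasts the user's shift."""

    def __init__(self, shift_end_for, clock=None):
        # shift_end_for: callable user -> timezone-aware datetime (assumed scheduling-system lookup)
        self._shift_end_for = shift_end_for
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._revoked = set()

    def issue(self, user):
        now = self._clock()
        # A shift that already ended yields an already-expired session, which is the intent.
        refresh_exp = min(self._shift_end_for(user), now + REFRESH_HARD_CAP)
        access_exp = min(now + ACCESS_TTL, refresh_exp)
        return Session(user, secrets.token_urlsafe(32), access_exp,
                       secrets.token_urlsafe(32), refresh_exp)

    def access_valid(self, s):
        return s.access_token not in self._revoked and self._clock() < s.access_expires

    def refresh(self, s):
        """Return a session with a fresh access token, or None once the shift is over."""
        now = self._clock()
        if s.refresh_token in self._revoked or now >= s.refresh_expires:
            return None   # next person on the shared device must sign in through SSO
        self._revoked.add(s.access_token)   # rotate: the previous access token dies immediately
        access_exp = min(now + ACCESS_TTL, s.refresh_expires)
        return Session(s.user, secrets.token_urlsafe(32), access_exp,
                       s.refresh_token, s.refresh_expires)

    def logout(self, s):
        self._revoked.update({s.access_token, s.refresh_token})


def unlock(policy, session, biometric_ok):
    """Biometric success resumes the session; any failure ends in SSO re-authentication."""
    if not biometric_ok:
        return Unlock.REQUIRE_SSO, None          # never a local PIN that bypasses the IdP
    if policy.access_valid(session):
        return Unlock.GRANT, session
    refreshed = policy.refresh(session)
    if refreshed is None:
        return Unlock.REQUIRE_SSO, None
    return Unlock.GRANT, refreshed


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed shift start
    policy = SessionPolicy(lambda user: start + timedelta(hours=8))
    s = policy.issue("field-tech-1")
    print("access until", s.access_expires, "refresh until", s.refresh_expires)
```

The clock and shift lookup are injected so the policy can be unit-tested with a fake clock; in the app the same object would be driven by the platform keychain/keystore for token storage and by the MDM for wipe events.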
Data protection on the device
Data-at-rest encryption is non-negotiable. Both iOS and Android provide full-disk encryption by default on modern devices, but application-level encryption adds defense in depth. SQLCipher for SQLite databases and encrypted shared preferences for configuration data ensure that a compromised device yields encrypted blobs, not readable records.
Sensitive data should never persist longer than necessary. Cached authentication tokens, downloaded documents, and locally stored records should be purged on logout, on session expiration, and on MDM-triggered wipe. The app’s data lifecycle policy must be explicit: what is stored, where, for how long, and what triggers deletion.
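One way to make the lifecycle policy explicit is a retention table that records, for each stored item, where it lives, how long it may live, and which events delete it, plus a single purge routine driven by those events. This is an added Python example, not code from the original article; the item names, file paths under `app_dir`, and the retention periods are constructed for illustration. An MDM wipe clears everything, logout and session expiry clear what the text lists, and a periodic sweep removes anything past its maximum age.

```python
import os
import shutil
import time
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Optional


class Trigger(Enum):
    LOGOUT = auto()
    SESSION_EXPIRED = auto()
    MDM_WIPE = auto()
    TTL_SWEEP = auto()   # periodic: removes items older than their max_age_s


@dataclass(frozen=True)
class Retention:
    name: str                     # what is stored
    path: str                     # where
    max_age_s: Optional[float]    # for how long (None = only until a trigger fires)
    triggers: FrozenSet[Trigger]  # what deletes it


def _remove(path):
    # Plain unlink; remnants on flash are covered by the at-rest encryption layer, not by overwriting.
    if os.path.isdir(path):
        shutil.rmtree(path)
    elif os.path.lexists(path):
        os.remove(path)


def purge(policies, trigger, now=None):
    """Delete every item whose policy names `trigger`; returns the names actually purged."""
    now = time.time() if now is None else now
    purged = []
    for p in policies:
        if not os.path.lexists(p.path):
            continue
        if trigger is Trigger.TTL_SWEEP:
            if p.max_age_s is None or now - os.path.getmtime(p.path) < p.max_age_s:
                continue
        elif trigger not in p.triggers:
            continue
        _remove(p.path)
        purged.append(p.name)
    return purged


def example_policy(app_dir):
    """Constructed retention table for a field app; paths and ages are assumptions."""
    everything = frozenset(Trigger) - {Trigger.TTL_SWEEP}
    return [
        Retention("auth tokens", os.path.join(app_dir, "tokens.bin"), None, everything),
        Retention("downloaded documents", os.path.join(app_dir, "docs"), 24 * 3600,
                  frozenset({Trigger.LOGOUT, Trigger.MDM_WIPE})),
        Retention("offline records", os.path.join(app_dir, "records.db"), 7 * 24 * 3600,
                  frozenset({Trigger.LOGOUT, Trigger.MDM_WIPE})),
        Retention("app config", os.path.join(app_dir, "config.json"), None,
                  frozenset({Trigger.MDM_WIPE})),
    ]


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    for name in ("tokens.bin", "records.db", "config.json"):
        open(os.path.join(d, name), "w").close()
    print("on session expiry:", purge(example_policy(d), Trigger.SESSION_EXPIRED))
    print("on MDM wipe:", purge(example_policy(d), Trigger.MDM_WIPE))
```

Keeping the table in one place also gives reviewers the answer to "what is stored, where, for how long" without reading the rest of the code base, and the sweep makes the maximum age real rather than aspirational.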
Certificate pinning prevents man-in-the-middle attacks by ensuring the app communicates only with servers presenting a known certificate or public key. For internal apps communicating with known backend services, pinning is straightforward — the certificate inventory is small and controlled. Implementation should use public key pinning rather than certificate pinning to survive routine certificate rotation, and must include a pinning failure reporting mechanism to distinguish attacks from misconfiguration.
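The public key pinning the paragraph recommends can be shown end to end: extract the subjectPublicKeyInfo from the served leaf certificate, hash it into a pin, compare against a primary and a backup pin set, and produce a report on mismatch. This is an added Python example (standard library only), not the article's code and not any platform's pinning API; the minimal DER walker follows the RFC 5280 field order of `tbsCertificate`, the pin is base64 of SHA-256 over the DER SPKI as in RFC 7469, and `build_demo_cert` is a constructed stand-in that imitates only that field layout so the example runs without a real certificate. The report carries both the expected pins and the served chain so the backend can tell a key rotation the app never learned about (misconfiguration) from an unexpected chain.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _tlv(buf, pos):
    """Read one DER TLV at `pos`; returns (tag, content, whole_tlv_bytes, next_pos)."""
    start = pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _, _ = _tlv(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    tag, _, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        _, _, _, pos = _tlv(tbs, pos)             # serialNumber
    for _ in range(4):                            # signature, issuer, validity, subject
        _, _, _, pos = _tlv(tbs, pos)
    tag, _, spki, _ = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: subjectPublicKeyInfo not found")
    return spki


def spki_pin(spki_der):
    """Pin = base64(SHA-256(DER SPKI)); survives certificate renewal as long as the key is kept."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinResult:
    status: str              # "ok", "ok-backup" (rotation in progress), or "fail"
    presented: str
    report: dict = field(default_factory=dict)


def check_pin(cert_der, primary_pins, backup_pins, host, app_build, now=None):
    """Compare the served leaf's pin with the configured set; build a failure report on mismatch."""
    presented = spki_pin(extract_spki(cert_der))
    if presented in primary_pins:
        return PinResult("ok", presented)
    if presented in backup_pins:
        # The backup key is live: connection is fine, but the app's pin set should be updated.
        return PinResult("ok-backup", presented)
    now = now or datetime.now(timezone.utc)
    report = {
        "hostname": host,
        "date-time": now.isoformat(),
        "app-build": app_build,                       # lets the backend spot a stale pin set
        "known-pins": sorted(primary_pins | backup_pins),
        "served-leaf-pin": presented,
        # A real client would include the whole handshake chain; only the leaf is available here.
        "served-certificate-chain": [base64.b64encode(cert_der).decode("ascii")],
    }
    return PinResult("fail", presented, report)


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_demo_cert(spki_content, with_version=True):
    """Constructed stand-in imitating only the tbsCertificate field layout; not a real certificate."""
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    empty_seq = _der(0x30, b"")
    tbs = _der(0x30, version + _der(0x02, b"\x01") + empty_seq * 4 + _der(0x30, spki_content))
    return _der(0x30, tbs + empty_seq + _der(0x03, b"\x00"))


if __name__ == "__main__":
    demo = build_demo_cert(b"\x06\x03\x2b\x65\x70\x03\x05\x00\x01\x02\x03\x04")   # constructed SPKI
    pin = spki_pin(extract_spki(demo))
    print(check_pin(demo, {pin}, set(), "api.example.internal", "1.2.3").status)
    print(check_pin(demo, {"stale-pin"}, set(), "api.example.internal", "1.2.3").report["served-leaf-pin"])
```

Two practical points follow from the structure: the failure report has to go to a reporting endpoint that is not itself gated on the failing pin, or it never arrives; and an `ok-backup` result is the signal to ship a new pin set before the backup key becomes the only one left.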
Secure development practices
Internal apps deserve the same secure development lifecycle as external products. Static analysis tools (SonarQube, Checkmarx, or platform-specific analyzers) should run in the CI pipeline. Dependency scanning must flag known vulnerabilities in third-party libraries — internal apps are not exempt from supply chain attacks.
Code obfuscation receives less attention for internal apps, but it remains relevant. A decompiled APK from a lost device reveals API endpoints, authentication flows, and business logic. ProGuard/R8 on Android and bitcode compilation on iOS raise the effort required to reverse-engineer the app without eliminating it entirely. The goal is deterrence, not invulnerability.
Penetration testing should occur before initial deployment and annually thereafter. Internal apps tend to accumulate permission creep — accessing location, camera, contacts, and storage beyond what the core workflow requires. Regular security reviews catch these expansions before they become entrenched.
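Permission creep is easier to catch in the CI pipeline than in an annual review. The following added Python example (not code from the original article) gates an Android manifest against an allowlist of the permissions the core workflow needs; the allowlist, the `com.example.fieldapp` package and the manifest itself are constructed for illustration, and the equivalent check on iOS would compare the usage-description keys in `Info.plist` the same way.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed allowlist for a field-inspection app: what the core workflow actually requires.
ALLOWED_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
})


def declared_permissions(manifest_xml):
    """Collect every permission the manifest requests, including the SDK-23 variant."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names


def permission_creep(manifest_xml, allowed=ALLOWED_PERMISSIONS):
    """Return the declared permissions that are not on the allowlist, sorted for stable CI output."""
    return sorted(declared_permissions(manifest_xml) - allowed)


# Constructed manifest: two permissions beyond what the workflow needs have crept in.
DEMO_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fieldapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


if __name__ == "__main__":
    # Usage: python check_permissions.py [AndroidManifest.xml]; fails the build on creep.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEMO_MANIFEST
    creep = permission_creep(xml_text)
    for name in creep:
        print("permission not on allowlist:", name)
    sys.exit(1 if creep else 0)
```

Because the check reads the merged manifest, it also catches permissions pulled in transitively by third-party SDKs, which is where most creep in internal apps comes from rather than from deliberate feature work.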
Takeaway
Internal mobile apps operate in threat environments that differ from consumer apps but are no less serious. Lost devices, shared hardware, and access to sensitive operational data demand rigorous authentication, encryption, and ongoing security review. Treating internal apps as low-risk because they are not public-facing is the fastest path to a preventable breach.