Mobile App Security and Encryption Overview

Metric Insights mobile applications are built to ensure security, reliability, and data privacy. Both iOS and Android apps protect user information through encryption and secure communication with the Metric Insights server, while storing only the data needed for smooth operation.

This article explains how the mobile apps handle communication, authentication, data storage, and notifications.

NOTE: See Authentication and App (Portal Page) Access Flow for Lightweight Mobile Apps for details on how Lightweight Mobile Apps function.

Communication and Authentication

Across both iOS and Android, all mobile applications share a consistent approach to authentication and secure communication:

  1. HTTPS is used for all requests to the Metric Insights server.
  2. Passwords are never stored; only short-lived authorization tokens and cookies are retained.
    • Tokens and cookies are securely stored using platform-provided mechanisms:
      • iOS: Stored securely in the Keychain.
      • Android: Encrypted via the Android Keystore system.
  3. Mobile VPN clients are supported.
  4. Biometric authentication (Touch ID / Face ID / Fingerprint) is supported in the full mobile app.

Data Storage

Full Mobile App

The following information may be stored for both iOS and Android full mobile apps:

  • PDFs generated to display Reports and External Reports;
  • Server URL (includes server version number);
  • Recent searches (last 5 entries) to populate the search history in Analyst Mode;
  • Authorization tokens and cookies;
  • Fiscal periods (downloaded during login for charting);
  • Data removed after logout or instance change;
  • Custom application, only if it has a predefined server URL and App (Portal Page) name.

Additionally, the following data is stored for Android full mobile app only:

  • User email;
  • User name;
  • Metadata about each object for object generation in "Analyst Insights" homepage view;
  • Metric data is stored for rendering Metrics in more recent versions;
  • Images and Dataset Reports (stored as PDF files) are stored locally in sandboxed directories that cannot be accessed by other applications.

Lightweight Mobile App

Lightweight apps are designed for environments with strict security or limited functionality requirements. They store only the minimum information necessary for authentication and session continuity:

  • Server URL;
  • Authorization tokens;
  • Cookies.

Notifications

Full Mobile App

Both iOS and Android full mobile apps support push notifications (for alerts and bursts) through the Apple Push Notification Service (APNS) or Firebase Cloud Messaging (FCM).

Lightweight Mobile App

Neither the iOS nor the Android lightweight mobile app supports push notifications, as they only render portal pages within a secure WebView context. No configuration for push services is required.