Most mobile breaches aren't sophisticated. They're a hardcoded API key, a forgotten debug flag, or a token in plaintext AsyncStorage.
The OWASP Mobile Top 10 (2024) is your checklist — work it every release.
Tokens live in the OS keychain via expo-secure-store, never AsyncStorage. Period.
Certificate pinning for sensitive endpoints, pinned to the SPKI hash, with a backup pin and a rotation plan.
AI-generated code is untrusted input — review auth, storage, and network code with the same rigor as a new contributor's PR.