
Authentication and Authorization


Understand how authentication and authorization protect mobile systems by ensuring secure user identity and controlled access.

So far, we’ve discussed how to protect data at rest and in transit, encrypting it on the device, securing it across the network, and ensuring it’s stored safely on the server. But securing data isn’t just about how it’s stored or transmitted. It’s also about who gets to see it, who can change it, and under what conditions.

This is where authentication (verifying who the user is) and authorization (defining what the user is allowed to do) step in as foundational pillars of secure mobile System Design. They determine whether a request is coming from a legitimate user, and whether that user has the right to perform a given action. Without them, even the most securely stored data risks falling into the wrong hands.

Take a real-world example: imagine you’re building a mobile banking app. The user logs in with biometrics, navigates to their transaction history, and instantly sees recent activity, without any visible delay. Now, pause for a moment and consider: where did the app validate the user? Where was the session stored? How did it know what data this user was allowed to access? And what happens if the user loses connectivity or their access permissions change mid-session?


Unlike web applications, mobile apps cannot securely store client secrets, making traditional OAuth setups less suitable. (OAuth, Open Authorization, is an open standard for access delegation, allowing apps to access user data on another service without exposing credentials. It enables secure API authorization via access tokens instead of passwords.) As we have discussed before, mobile systems operate in environments where:

  • Devices can be rooted or jailbroken.

  • Apps can be reverse engineered.

  • Network communications may traverse insecure channels (e.g., public Wi-Fi).

  • Tokens and credentials may be inadvertently leaked if not handled with care.
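Because an app binary can be pulled off a rooted device and reverse engineered, any client secret compiled into it has to be treated as public. The added example below (not code from the course) shows the standard way a public client still completes an authorization-code exchange without a secret: PKCE (RFC 7636), where the app keeps a fresh random verifier in memory, sends only its SHA-256 hash with the authorization request, and proves possession of the verifier when redeeming the code. The FakeAuthorizationServer class, the client_id value and the demo driver are constructed for illustration; only the verifier and challenge derivations follow the RFC.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def make_code_verifier(n_bytes: int = 32) -> str:
    """Per-request random secret held only in app memory (RFC 7636 code_verifier).
    base64url of 32 random bytes gives 43 unreserved characters, within the 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class FakeAuthorizationServer:
    """Constructed stand-in for the authorization server, not a real library.
    It stores the challenge with each authorization code and checks it at the
    token endpoint, so the mobile app never needs a client secret."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # Only S256 is accepted; with "plain" the challenge itself would act as the verifier.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, client_id: str, code: str, code_verifier: Optional[str]) -> Optional[dict]:
        expected = self._pending.pop(code, None)  # authorization codes are single-use
        if expected is None or code_verifier is None:
            return None
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), expected):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def pkce_flow_demo() -> Dict[str, bool]:
    """Runs the exchange for a public client and records what the server accepts."""
    server = FakeAuthorizationServer()
    client_id = "mobile-app"  # hypothetical public identifier; it is not a secret

    # 1. The app generates the verifier and sends only its hash with the authorization request.
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier), "S256")

    # 2. The code returns via the redirect; the app redeems it together with the verifier.
    legit = server.token(client_id, code, verifier)

    # 3. Replaying the same code, or redeeming a code without its verifier, must be refused.
    reuse = server.token(client_id, code, verifier)
    code2 = server.authorize(client_id, make_code_challenge(make_code_verifier()), "S256")
    no_verifier = server.token(client_id, code2, None)

    return {
        "legitimate_exchange": legit is not None,
        "code_reuse_rejected": reuse is None,
        "code_without_verifier_rejected": no_verifier is None,
    }
```

The point of the check in `token()` is that an authorization code observed in transit is worthless on its own: the party redeeming it must also present the verifier, which never leaves the app's memory and changes on every login.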

According to the Verizon 2024 Data Breach Investigations Report (https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf), 40% of breaches involved stolen credentials as the primary method of gaining unauthorized access. Cybercriminals often exploit compromised or reused passwords, phishing attacks, and brute-force methods to infiltrate systems.

In the sections ahead, we’ll explore how to approach authentication and authorization in mobile System Design, from choosing login strategies to securely storing credentials to managing roles and permissions across sessions and platforms.

Authentication in mobile apps

Authentication, in essence, is about answering a single question: Are you who you say you are? But in mobile System Design, this question gets layered with complexity:

  • Network reliability: Authentication often relies on back-end communication (e.g., token exchange). However, mobile users may be offline, on spotty 3G, or switch networks mid-auth. The system must gracefully handle delays, retries, or fallback authentication.

  • Device constraints: Mobile devices have limited CPU, storage, and memory. Biometric checks, secure storage, or encryption must be lightweight and optimized, especially for mid-tier or older phones.

  • User expectations: In mobile apps, users expect to stay signed in. They don’t want to re-enter credentials every time the app closes or crashes. However, from a security standpoint, long-lived sessions are dangerous, especially on shared or compromised devices.

  • ...
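The tension between "stay signed in" and "long-lived sessions are dangerous", together with the need to survive spotty networks, is usually resolved on the client with a short-lived access token and a refresh token bounded by an absolute session lifetime. The example below is added here and is not the course's code: FakeAuthBackend, SessionManager, the 15-minute and 30-day lifetimes, the retry limits and the "alice" credentials are all constructed assumptions. It shows an access token being reused offline while valid, a silent refresh that retries through two simulated dropped connections, and the manager failing closed (forcing an interactive login) once the session has aged out.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


class TransientNetworkError(Exception):
    """Raised by the simulated network layer for timeouts and dropped connections."""


@dataclass
class Tokens:
    access: str
    access_expires_at: float   # short-lived: bounds the damage of a leaked access token
    refresh: str
    refresh_expires_at: float  # absolute session lifetime, never extended by a refresh


class FakeAuthBackend:
    """Constructed stand-in for the auth server (not a real API): 15-minute access
    tokens, rotating refresh tokens, 30-day absolute session lifetime."""
    ACCESS_TTL = 15 * 60
    SESSION_TTL = 30 * 24 * 3600

    def __init__(self, now: Callable[[], float]) -> None:
        self.now = now
        self._sessions = {}   # refresh token -> absolute session expiry
        self.flaky_calls = 0  # how many upcoming calls should fail like a dropped connection

    def _maybe_fail(self) -> None:
        if self.flaky_calls > 0:
            self.flaky_calls -= 1
            raise TransientNetworkError("timeout")

    def _issue(self, session_expiry: float) -> Tokens:
        refresh = secrets.token_urlsafe(32)
        self._sessions[refresh] = session_expiry
        return Tokens(secrets.token_urlsafe(32), self.now() + self.ACCESS_TTL, refresh, session_expiry)

    def login(self, user: str, password: str) -> Optional[Tokens]:
        self._maybe_fail()
        if (user, password) != ("alice", "correct horse"):  # constructed credentials
            return None
        return self._issue(self.now() + self.SESSION_TTL)

    def refresh(self, refresh_token: str) -> Optional[Tokens]:
        self._maybe_fail()
        expiry = self._sessions.pop(refresh_token, None)  # rotation: each refresh token is single-use
        if expiry is None or self.now() >= expiry:
            return None
        return self._issue(expiry)


class SessionManager:
    """Client-side logic: hand out a valid access token, refresh silently on expiry,
    retry transient failures with backoff, and fail closed when refresh is impossible."""

    def __init__(self, backend, now, sleep, max_retries: int = 3, skew: float = 30.0) -> None:
        self.backend, self.now, self.sleep = backend, now, sleep
        self.max_retries, self.skew = max_retries, skew
        self.tokens: Optional[Tokens] = None
        self.events = []  # audit trail of retries and refreshes, useful for tests and telemetry

    def _with_retry(self, op):
        delay = 0.5
        for attempt in range(self.max_retries + 1):
            try:
                return op()
            except TransientNetworkError:
                if attempt == self.max_retries:
                    raise  # give up; state is unchanged and the caller may try again later
                self.events.append(f"retry after {delay}s")
                self.sleep(delay)
                delay *= 2

    def login(self, user: str, password: str) -> bool:
        self.tokens = self._with_retry(lambda: self.backend.login(user, password))
        return self.tokens is not None

    def access_token(self) -> Optional[str]:
        if self.tokens is None:
            return None
        if self.now() + self.skew < self.tokens.access_expires_at:
            return self.tokens.access  # still valid: no network round trip, works offline
        if self.now() >= self.tokens.refresh_expires_at:
            self.tokens = None         # session too old: require an interactive login
            return None
        renewed = self._with_retry(lambda: self.backend.refresh(self.tokens.refresh))
        if renewed is None:
            self.tokens = None         # refresh rejected (rotated or revoked): fail closed
            return None
        self.events.append("refreshed")
        self.tokens = renewed
        return renewed.access


def demo() -> dict:
    """Drives the manager with a fake clock so the timeline is deterministic."""
    clock = {"t": 1_700_000_000.0}
    now = lambda: clock["t"]
    def sleep(seconds: float) -> None:
        clock["t"] += seconds
    backend = FakeAuthBackend(now)
    sm = SessionManager(backend, now, sleep)
    out = {"login": sm.login("alice", "correct horse")}
    first = sm.access_token()
    out["same_token_while_valid"] = sm.access_token() == first
    clock["t"] += 20 * 60         # access token expired, session still within 30 days
    backend.flaky_calls = 2       # spotty network during the refresh
    second = sm.access_token()
    out["refreshed_after_retry"] = second is not None and second != first
    out["retries"] = sum(1 for e in sm.events if e.startswith("retry"))
    clock["t"] += 31 * 24 * 3600  # past the absolute session lifetime
    out["forced_relogin"] = sm.access_token() is None and sm.tokens is None
    return out
```

Two design choices carry the security weight here: the session expiry is fixed at login and copied unchanged through every refresh, so no amount of activity keeps a session alive past 30 days on a shared or stolen device, and every refresh token is single-use, so a token copied off the device stops working the moment the legitimate app refreshes.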