Securing Sensitive Data On-Device with Data Vault

(Not applicable to Hybrid Workflow Container) Developers should use a data vault with device applications to securely store “secrets” on the device. Data vaults are added using the DataVault API.

The data vault holds sensitive artifacts securely because everything stored in it is strongly encrypted with a 256-bit AES key. Contents can include encryption keys, user and application login credentials, sync profile settings, and certificates (stored as BLOBs).

The data vault requires a password to unlock it before the application can access its data. Therefore, a device application must prompt the user for this password when the application is opened. Once the vault is unlocked, the application can retrieve any other secrets from it as needed, without prompting the user again.

Administrators should discuss the data vault strategy before it is implemented, especially regarding:

For more details about the data vault, see DataVault in the developer guide for your application type.

Related tasks
Using Login Screens for Data Vaults