> For the complete documentation index, see [llms.txt](https://halo-dot-developer-docs.gitbook.io/halo-dot/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://halo-dot-developer-docs.gitbook.io/halo-dot/security-guidance.md). # Security Guidance This document provides Guidance for users of the API about how to securely use the API and protect the UI display data on the external application. This guidance document provides guidelines on how applications can be protected and how the user interface plays part in protection of sensitive data. Although we have taken every step we can to ensure that the product itself is secure, here are some simple tips you should follow to ensure that the solution is secure from end to end. Here are some things to take into account; 1. Never store clear text authentication data (JWTS, usernames, passwords, session token etc.) on the device. always encrypt it before storing 2. Never store full card numbers anywhere - masked card numbers are ok (first 6 and last 4 digits visible) 3. Try to encrypt login credentials before submitting to your backend; don't rely heavily on TLS 4. We recommend the use of a code obfuscation tool 5. Ensure that the UI message are displayed and sent through by the SDK and they let the user know what is happening. (app prompts, progress reports, transaction results etc.) 6. Enforce Session Stoppage (ending the session of a user after a certain period of inactivity) 7. Never store a full pan anywhere but only store mask pans. 8. Users must also be cognizant of protecting their own personal information 1. Not show anyone their PIN entry 2. Protect their own card/cellphone details 9. Ensure that the Integrating Application signs the application with appropriate digital certificate. (Leverage Google Play App Signing) for added security 10. Follow Android's best practices for handling app permissions, including runtime permissions before executive sensitive operations. 1. Ensure that the permissions are managed carefully and request permissions to access sensitive resources. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://halo-dot-developer-docs.gitbook.io/halo-dot/security-guidance.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.