# Security Guidance This document provides Guidance for users of the API about how to securely use the API and protect the UI display data on the external application. This guidance document provides guidelines on how applications can be protected and how the user interface plays part in protection of sensitive data. Although we have taken every step we can to ensure that the product itself is secure, here are some simple tips you should follow to ensure that the solution is secure from end to end. Here are some things to take into account; 1. Never store clear text authentication data (JWTS, usernames, passwords, session token etc.) on the device. always encrypt it before storing 2. Never store full card numbers anywhere - masked card numbers are ok (first 6 and last 4 digits visible) 3. Try to encrypt login credentials before submitting to your backend; don't rely heavily on TLS 4. We recommend the use of a code obfuscation tool 5. Ensure that the UI message are displayed and sent through by the SDK and they let the user know what is happening. (app prompts, progress reports, transaction results etc.) 6. Enforce Session Stoppage (ending the session of a user after a certain period of inactivity) 7. Never store a full pan anywhere but only store mask pans. 8. Users must also be cognizant of protecting their own personal information 1. Not show anyone their PIN entry 2. Protect their own card/cellphone details 9. Ensure that the Integrating Application signs the application with appropriate digital certificate. (Leverage Google Play App Signing) for added security 10. Follow Android's best practices for handling app permissions, including runtime permissions before executive sensitive operations. 1. Ensure that the permissions are managed carefully and request permissions to access sensitive resources. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://halo-dot-developer-docs.gitbook.io/halo-dot/security-guidance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.