## Checks

- No non-SSL connections (plain http)
  - Black-box check with a proxy, e.g. Charles Proxy
  - Enable App Transport Security (ATS) to enforce SSL
- Make sure all used backend services use TLS v1.2+ and do not allow TLS v1.0 or v1.1 any more
  - Deprecation of TLS 1.0 and TLS 1.1
- Make sure to use secure cipher suites (see BSI recommendations)
- Make sure servers do not support the SSLv3 protocol any more!
- Make sure your ePrivacy / GDPR and Apple App Tracking Transparency (ATT) implementation reacts correctly to opt-outs of tracking
- Consider public key pinning / certificate pinning for additional protection against man-in-the-middle attacks
- Make sure all used libs have the latest patches/versions and are still maintained
- Make sure to request required permissions only!
- Make sure no hard-coded client secrets are present
  - See also Secret Management on iOS, Tim Dolenko swift-secrets
- Use the Keychain for storing data securely and check File Data Protection
- Avoid screen recording and capturing in production
- ...
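A defender-side probe for the TLS items above, added here as example code that is not part of the original checklist: it pins a client handshake to one protocol version at a time and flags any deprecated version the backend still accepts. `HOST` and `PORT` are placeholders for your own backend, and the probe assumes network access to it.

```python
"""Probe which TLS protocol versions a backend still negotiates (added example)."""
import socket
import ssl

# Versions the checklist says must be off, and the ones ATS-enabled clients need.
DEPRECATED = ("TLSv1", "TLSv1_1")
REQUIRED = ("TLSv1_2", "TLSv1_3")


def probe_version(host: str, port: int, version_name: str, timeout: float = 5.0):
    """True if the server completes a handshake pinned to one TLS version,
    False if it refuses, None if the local OpenSSL build cannot offer it at all."""
    version = getattr(ssl.TLSVersion, version_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # this probe tests protocol support only,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate validity
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so the probe reflects the server, not the client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # "no protocols available" means the client side gave up, not the server
        return None if "no protocols available" in str(exc) else False
    except OSError:
        return False


def evaluate(results: dict) -> list:
    """Turn {version_name: probe result} into findings (empty list = pass)."""
    findings = []
    for name in DEPRECATED:
        if results.get(name) is True:
            findings.append(f"{name} still accepted: disable it on the server")
    if not any(results.get(name) is True for name in REQUIRED):
        findings.append("no TLS 1.2+ endpoint negotiated: clients with ATS will fail")
    return findings


if __name__ == "__main__":
    HOST, PORT = "api.example.invalid", 443  # placeholder: replace with your backend
    probed = {v: probe_version(HOST, PORT, v) for v in DEPRECATED + REQUIRED}
    for line in evaluate(probed) or ["OK: only TLS 1.2+ negotiated"]:
        print(line)
```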