Sophie Laurent, YuSMP Group
Sophie Laurent Legal & Compliance Lead, YuSMP Group · GDPR, CCPA, EU AI Act, data protection

Why mobile security is a 2026 board issue

Three developments have converged to make mobile app compliance a C-suite topic in 2026. First, the European Data Protection Board’s coordinated enforcement actions now explicitly target mobile applications: decompiling APKs and IPAs, running network monitors against installed apps, and comparing the technical reality to disclosed privacy practices. The gap between “what the privacy policy says” and “what the app actually does” is no longer a theoretical risk — it is the primary thing regulators are measuring.

Second, the fine landscape has escalated. Under GDPR Article 83, violations can reach €20 million or 4% of global annual turnover, whichever is higher. Several major 2025 enforcement actions targeted SDK integrations and ad-ID tracking specifically — practices that remain common in apps built without a compliance review.

Third, app stores have raised their own requirements. Apple’s Privacy Nutrition Labels require accurate disclosure of every data type your app and its SDKs collect. Mismatches between declared and actual data collection result in app rejection and, increasingly, referrals to data protection authorities. Google Play’s Data Safety section carries the same expectations.

The practical conclusion: security and privacy compliance can no longer be retrofitted after launch. They must be engineered in from sprint one. This is exactly the approach our mobile app development team follows, with security baked into delivery rather than reviewed at the end.

RegulationWho it coversKey mobile obligation
GDPRAny app processing EU residents’ data, worldwideLawful basis, consent, data minimisation, breach notification, DPAs with processors
CCPA / CPRAApps with California users; revenue or data volume thresholdsOpt-out of sale/sharing, GPC signal, privacy policy, data subject requests
ATT (Apple)All iOS apps performing cross-app trackingExplicit user consent before accessing IDFA or cross-app tracking
GDPR Art. 33 (breach)All GDPR-covered controllersNotify supervisory authority within 72 hours of becoming aware

Privacy and security by design

GDPR Article 25 mandates “data protection by design and by default.” For mobile apps this is not a documentation exercise — it is an engineering requirement that shapes every architectural decision.

Data minimisation at design time. Before writing a line of code, map every data point your app will collect and challenge each one: is it necessary for the stated purpose? If a feature works without a user’s precise location, use coarse location or none. If analytics do not require a unique identifier, use aggregate counts. The smallest data surface is also the smallest breach surface.

Pseudonymisation and separation. Where personal data is needed for analytics or testing, pseudonymise it. Store identifiers separately from behavioural data so that a breach of one does not expose the full profile. Hashed user IDs in analytics events, not emails or phone numbers.

Security controls at the architecture layer. Authentication, authorisation, session management and data isolation must be in the architecture before the first feature is built. Bolting on security after launch is expensive; bolting it on after a breach is catastrophic.

Default to privacy. “By default” in Article 25 means that without any action by the user, only the minimum data necessary is processed. Opt-in for optional data processing, not opt-out. Permissions requested on first run that are not immediately needed will be denied by most users and flagged in App Store review.

For apps with health, financial or biometric data — see our HIPAA for health apps guide for the additional layer of technical safeguards required in the US.

GDPR requires a lawful basis for every processing activity. For most consumer mobile apps, consent (Article 6(1)(a)) is the appropriate basis for anything beyond the core service — analytics, personalisation, marketing. Consent under GDPR must be:

  • Freely given — the app must function without the user consenting to optional processing. Blocking access until consent is granted (consent walls) is invalid under EDPB guidance.
  • Specific and granular — one checkbox for all tracking is not valid. Analytics, advertising, and third-party sharing each require a separate consent toggle.
  • Informed — the user must understand what they are consenting to in plain language, not legal text.
  • Unambiguous and active — pre-ticked boxes are not valid. The action must be an affirmative gesture: a tap, a toggle turned on.
  • Easily withdrawable — withdrawing consent must be as easy as giving it, available at any time from within the app settings.

A data deletion path is not optional. Users have the right to erasure under GDPR Article 17. Your app and backend must be able to delete or anonymise all personal data associated with a user upon request, within one month. Design this into the data model before launch — retrofitting deletion into a denormalised schema is one of the most expensive compliance corrections we see.

Mobile app consent screen showing granular privacy toggles for analytics and personalisation
Granular, freely given consent: each data processing purpose has its own toggle. Pre-ticked boxes and consent walls are invalid under GDPR and EDPB guidance.

The third-party SDK problem

A typical production mobile app integrates between 10 and 30 third-party SDKs: analytics (Firebase, Mixpanel, Amplitude), advertising (Meta Audience Network, AdMob), crash reporting (Crashlytics, Sentry), attribution (Adjust, AppsFlyer), customer support (Intercom), and more. Each one is a data processor for which you, as the controller, are legally responsible.

The practical problem is that most SDKs send data to servers you do not control, under terms you may not have read, to countries that may not have an adequacy decision. From GDPR’s perspective, your app is doing all of that — because you included the SDK.

What the 2026 enforcement environment means concretely: regulators are decompiling apps and running network monitors to identify SDKs that transmit data without disclosed lawful basis. Advertising SDKs that collect device fingerprints, precise location, or identifiers without consent have triggered significant fines in the past 18 months. The App Store Privacy Nutrition Label requires you to accurately declare data collected by every SDK you include — not just your own code.

The compliance requirements for third-party SDKs:

  1. Inventory every SDK. Before launch, enumerate every library in your dependency tree (including transitive dependencies). Tools like Exodus Privacy or manual network analysis will surface what each one actually sends.
  2. Justify each one. What is the lawful basis for the data it collects? Consent for advertising SDKs; legitimate interest must be balanced against user expectations and will rarely hold for tracking.
  3. Sign Data Processing Agreements. GDPR Article 28 requires a written DPA with every processor. Most major SDK vendors provide standard DPAs in their developer consoles — sign them and keep records.
  4. Configure minimisation settings. Major SDKs offer privacy-mode configurations: disable advertising IDs, limit data collection to aggregates, opt out of third-party data sharing. Use them by default.
  5. Gate on consent. Initialise advertising and tracking SDKs only after the user has consented to the relevant purpose. Defer initialisation, not collection configuration.
  6. Prune aggressively. If you cannot justify an SDK’s data flows, remove it. A leaner SDK footprint is faster, more secure, and more defensible.

If your app processes health or financial data, the SDK risk is amplified — consider on-device processing where possible. Our article on on-device AI keeps data on device covers this architectural pattern in depth.

Encryption in transit and at rest

GDPR Article 32 explicitly lists encryption as an appropriate technical measure. For mobile apps this translates to two distinct requirements with no meaningful grey area.

Encryption in transit. All communication between the app and your servers must use TLS 1.2 or higher. Both iOS and Android enforce this by default through App Transport Security (ATS) and Network Security Configuration respectively, but misconfigured exceptions are common and must be audited. For sensitive endpoints — authentication, payment, health data — implement certificate pinning to prevent man-in-the-middle attacks. Do not accept self-signed certificates in production builds.

Encryption at rest. Personal data stored on the device must be encrypted. iOS Keychain and Android Keystore provide hardware-backed secure storage for credentials, tokens and sensitive values — use them. For larger data sets (local databases, cached user records), use SQLCipher or the platform’s encrypted file APIs. Full-device encryption is enabled by default on modern iOS and Android, but you must ensure your app stores sensitive data in locations that are included in the encrypted scope and excluded from iCloud or Android Backup if they contain personal data that should not leave the device.

No secrets in the bundle. API keys, credentials, private keys, and any value that should not be public must never be embedded in the compiled app binary. Decompilation tools can extract hardcoded strings in minutes. Use secure server-side token exchange at runtime, or sealed secrets services. Treat the app bundle as public.

Authentication and token storage. Tokens (JWT, OAuth refresh tokens) must be stored in Keychain (iOS) or EncryptedSharedPreferences / Keystore-backed storage (Android). Never in UserDefaults, SharedPreferences, or local storage. Implement token rotation, short expiry for access tokens, and secure token revocation on logout.

Secure mobile data encryption flow showing Keychain and TLS layers
Encryption in transit (TLS + certificate pinning) and at rest (platform Keychain / Keystore) are the two non-negotiable layers. No secrets in the bundle — treat the compiled binary as public.

App Tracking Transparency and ad IDs

Apple’s App Tracking Transparency (ATT) framework, mandatory since iOS 14.5, requires apps to obtain explicit user permission before accessing the Identifier for Advertisers (IDFA) or performing cross-app tracking — defined as linking user data from your app with user data from other apps, websites, or offline properties for advertising targeting or measurement.

The ATT prompt must be shown before any tracking begins, must include a purpose string explaining why tracking is requested, and cannot be manipulated to coerce users into accepting. Apple reviews purpose strings and has rejected apps for misleading language. If the user declines, the IDFA is zeroed out and cross-app tracking is prohibited. You may use contextual signals and on-device measurement that do not cross the tracking definition, but attribution networks that rely on fingerprinting to circumvent ATT are explicitly prohibited and have been the subject of App Store rejections and regulator referrals.

The opt-in rate for ATT across the industry sits at roughly 25–35% depending on vertical and prompt quality. Your advertising architecture in 2026 must be viable for the majority of users who decline.

On Android, the Advertising ID (GAID) remains available but Google’s Privacy Sandbox for Android introduces attribution APIs that do not share user-level data with advertisers, mirroring the iOS direction. Apps targeting Android 13+ must declare ADID permission and respect the “opt out of ads personalisation” system setting. Handle both flows correctly from the start; do not assume GAID availability.

From a GDPR perspective, cross-app tracking for advertising purposes requires explicit consent as the lawful basis regardless of what ATT says — ATT is a platform control, not a GDPR consent mechanism. Separate the two flows: collect ATT permission from the OS, and a GDPR-compliant consent from the user, and initialise tracking SDKs only when both are affirmative.

US: CCPA/CPRA and state laws

The California Consumer Privacy Act as amended by the CPRA gives California residents rights over their personal data that closely parallel GDPR, with some key differences in how they apply to mobile apps. If your app meets the thresholds (annual gross revenue over $25 million; buying, selling, or receiving personal information of 100,000+ consumers per year; or deriving 50%+ of annual revenue from selling personal information), you must comply.

The headline obligation for mobile is the right to opt out of the “sale or sharing” of personal information, which includes sharing data with advertising networks for cross-context behavioural advertising even without monetary consideration. This means a “Do Not Sell or Share My Personal Information” mechanism must be accessible in your app for California users. The Global Privacy Control (GPC) browser signal must be honoured; an equivalent opt-out signal for mobile apps is being standardised but not yet uniformly required — implement a manual opt-out in settings for now.

Beyond California, 2026 sees comprehensive state privacy laws active in Virginia (VCDPA), Colorado, Connecticut, Utah, Texas, Florida, Montana, Oregon, and several more. The obligations vary, but the core pattern is consistent: transparency, opt-out of targeted advertising, data subject rights (access, deletion, correction), and data processing agreements with service providers. Building a privacy architecture that satisfies GDPR will largely satisfy this state-law landscape — the consent bar is higher in Europe and the structural requirements are similar. Read more on GDPR for US founders selling to the EU for the cross-border compliance strategy.

Note that security patching is part of ongoing compliance, not a one-time gate. When a dependency has a CVE, the clock starts immediately — see our companion piece on why security patching is ongoing maintenance, not a launch deliverable.

Breach response (the 72-hour rule)

GDPR Article 33 requires notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach. This is not 72 hours after the breach is confirmed or investigated — it is 72 hours after you have reasonable grounds to believe a breach has occurred. The clock starts with awareness, not certainty.

For mobile apps, the most common breach scenarios are: server-side database exposures that include app users’ data; authentication token theft (through compromised secrets or insecure storage); third-party SDK breaches where a vendor’s infrastructure is compromised; and unauthorised access to backend APIs due to broken authorisation.

Your breach response plan must be written before it is needed:

  • Identify your lead supervisory authority (the DPA in the EU member state where your main establishment is, or where the majority of affected data subjects are if you have no EU establishment).
  • Document the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or planned to address it — this is the required content of the DPA notification under Article 33(3).
  • If the breach is likely to result in high risk to the rights and freedoms of individuals (e.g., financial data, health data, authentication credentials), notify affected users directly under Article 34, without undue delay.
  • Maintain an internal breach register — even breaches that do not meet the threshold for notification must be documented.

The 72-hour window is short. Teams that have not practiced the process — identifying the scope of affected data quickly, notifying the right DPA, drafting user communications — will almost certainly miss it. Run a tabletop exercise before launch.

Pre-launch security and GDPR checklist

Walk this list before you submit to the App Store or Play Store. Each item is a legal or security obligation, not a best-practice suggestion.

  • Consent flow implemented — granular, opt-in, freely given; withdrawal as easy as giving; consent state stored and respected by SDK initialisation.
  • SDK inventory complete — every SDK identified including transitive dependencies; lawful basis documented for each; DPAs signed with all processors; privacy-mode settings configured.
  • Encryption in transit — TLS 1.2+ on all endpoints; no ATS exceptions in production; certificate pinning on sensitive endpoints.
  • Encryption at rest — credentials and tokens in Keychain / Keystore; sensitive database content encrypted; no personal data in unencrypted local storage.
  • No secrets in the bundle — no API keys, private keys or credentials in the compiled binary; verified by static analysis before submission.
  • ATT prompt implemented (iOS) — purpose string reviewed; tracking SDKs initialised only after ATT and GDPR consent both affirmative; fallback architecture for non-consent users.
  • Data deletion path — in-app account deletion or deletion request flow that wipes all personal data within one month; tested end-to-end including downstream systems.
  • Privacy policy matches runtime — network traffic audit completed; App Store Privacy Nutrition Label and Play Data Safety form match actual data flows including all SDKs.
  • Breach response plan — written; lead DPA identified; notification template drafted; internal breach register in place; tabletop exercise run.
  • Least-privilege permissions — only permissions used by a live feature are declared; all permission requests explained with contextual justification at the point of use.
  • Secure auth and token storage — short-lived access tokens; refresh token rotation; secure logout (token revocation); no tokens in logs or analytics events.

FAQ

Does GDPR apply to my mobile app?

Yes, if your app processes personal data of EU residents — regardless of where your company is based. GDPR has extraterritorial scope: a US startup whose app is used by anyone in the EU must comply with the full regulation, including lawful basis, consent where required, data subject rights, and breach notification. In 2026 the EDPB’s enforcement focus is on whether your runtime data flows match your disclosed practices.

How many third-party SDKs is too many?

There is no hard legal number, but every SDK is a data processor for which you are legally responsible. A typical app runs 10–30 SDKs covering analytics, ads, crash reporting and attribution. Each must be inventoried, justified under a lawful basis, covered by a Data Processing Agreement, and configured to minimise data collection. Prune aggressively: if you cannot justify an SDK’s data flows, remove it before launch.

What encryption does a mobile app legally need?

GDPR Article 32 requires appropriate technical measures including encryption. In practice: TLS 1.2+ for all network traffic with certificate pinning on sensitive endpoints; encryption at rest for personal data using platform Keychain (iOS) or Keystore (Android); no credentials, API keys or personal data in plain text in the app bundle, SharedPreferences or unprotected files. Health and financial data require the highest protection classification.

What is App Tracking Transparency and is it mandatory?

ATT is Apple’s framework requiring explicit consent before accessing the IDFA or performing cross-app tracking — linking user data from your app with data from other companies’ apps or websites. It is mandatory on iOS: without the ATT prompt, your app cannot perform cross-app tracking, and Apple will reject apps that bypass it. On Android the Advertising ID with Google’s Privacy Sandbox is the equivalent. From a GDPR perspective, ATT and GDPR consent are separate obligations: collect both before initialising tracking SDKs.

What must I do within 72 hours of a mobile data breach?

Under GDPR Article 33, notify the relevant supervisory authority within 72 hours of becoming aware of a breach involving personal data. The notification must describe the nature of the breach, categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed. If the breach poses high risk to individuals, also notify affected users directly under Article 34. Maintain an internal breach register for all incidents, even those below the notification threshold.

Last updated 19 June 2026.