This is a requirements checklist for OST Platform clients to check the readiness of their application's integration with the OST Platform SDKs. You must confirm that you have followed and implemented these requirements before being permitted to move to Production (mainnet).
Server Side Checklist
- User credentials are secure (the sub-bullets below are examples, not an exhaustive list):
  - A unique secret (the recovery passphrase prefix) is generated for each user.
  - The application uses TLS for all network communication with its backend.
  - Production backend servers, databases, and other resources have restricted access.
- The SDK is integrated so that your application never accesses the user's keys directly; the Wallet SDK is used for all interactions with keys.
- The user's PIN and mnemonic phrase are explicitly wiped from app memory once they have served their purpose (this needs particular care on Android), and are never stored or saved on the device, on a server, or on any other medium in any form, whether clear text or encrypted. Check here for more information.
- Sensitive information such as the user's PIN, mnemonic phrase, recovery passphrase prefix and private keys is never logged or sent to third-party services in any form (text, image, screen grab, crash report, analytics, etc.).
- Recovery flows are supported in the app.
- The SDK is integrated without any modifications, as described here.
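As an added illustration of the memory-wiping requirement above (this is not OST Platform code; `PinConsumer` stands in for whichever Wallet SDK method consumes the PIN and is an assumption), the following Android Java snippet copies the PIN out of the input field into a `char[]`, hands it to the SDK, and zeroes the array in a `finally` block. A Java `String` is immutable and cannot be overwritten, so the PIN is never converted to one, and it is never passed to a logger.

```java
// Added example, not code from OST Platform or its SDKs.
// Handle a user PIN as a mutable char[] so it can be wiped after use.
import android.text.Editable;
import android.widget.EditText;
import java.util.Arrays;

final class PinHandler {

    // Hypothetical stand-in for the Wallet SDK call that takes the PIN.
    interface PinConsumer {
        void accept(char[] pin);
    }

    // Copies the PIN out of the field, uses it once, then wipes every copy we control.
    static void usePinOnce(EditText pinField, PinConsumer sdkCall) {
        Editable editable = pinField.getText();
        int len = editable.length();
        char[] pin = new char[len];
        // getChars copies directly into our array; never call toString() here,
        // because the resulting String would linger on the heap until GC.
        editable.getChars(0, len, pin, 0);
        try {
            sdkCall.accept(pin);
        } finally {
            // Overwrite our copy as soon as the SDK returns, on success or failure.
            Arrays.fill(pin, '\0');
            // Remove the text from the widget so it is not re-read or auto-saved.
            // Caveat: clear() drops the characters but does not zero the widget's
            // internal buffer, so tear the input screen down promptly as well.
            editable.clear();
        }
    }

    private PinHandler() {
    }
}
```

The same pattern applies to the mnemonic phrase: keep it in a `char[]` (or `byte[]`), pass it by reference, and `Arrays.fill` it in a `finally` block. Do not place any of these arrays in fields that outlive the screen.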
User Experience Checklist
- Your application never initiates a transaction signed by the user's keys without an explicit action by the user within the application.
- Your analytics systems do not capture screenshots of screens that show sensitive information such as mnemonics. More generally, application tracking and analytics systems should be configured so that they never capture sensitive user information.
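As an added example of the screenshot requirement above (this is not OST Platform code; the class name `SensitiveScreenActivity` is an assumption), the Android base activity below marks its window with `FLAG_SECURE`, which stops the OS from taking screenshots or screen recordings of it, and exposes a check that an instrumentation test can assert for every screen that shows a mnemonic or PIN.

```java
// Added example, not code from OST Platform or its SDKs.
// Base class for screens that display a mnemonic, PIN or other secret.
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

public abstract class SensitiveScreenActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before any content is attached so no frame is drawn unprotected.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    // Returns true when the activity's window carries FLAG_SECURE.
    // Assert this in an instrumentation test for each sensitive screen.
    public static boolean isSecureWindow(Activity activity) {
        int flags = activity.getWindow().getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }
}
```

Caveat: `FLAG_SECURE` blocks system screenshots, screen recording and display on non-secure external displays, but it does not stop an in-process analytics or session-replay SDK that renders the view hierarchy itself. Those SDKs must be configured, using whatever masking or exclusion mechanism the vendor provides, so that sensitive views are never captured, or not be initialised on these screens at all.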
Security Audit Recommendation
We strongly recommend that your application be reviewed by security assessors or auditors, both to evaluate its general security and to analyze the vulnerabilities introduced through third-party libraries and other dependencies.
Please write to us at firstname.lastname@example.org if you face any issues fulfilling these requirements.