If mobile, is the application available from a trusted source (e.g., App Store, Google Play Store)?
Explanation
Distribution trust is the focus for mobile apps: the question is whether yours is published through official channels like the Apple App Store or Google Play rather than side-loaded sources.
Why this matters for security:
- App stores perform security reviews and malware scanning before allowing apps to be published
- App stores enforce code signing requirements that verify the authenticity of the app
- App stores provide a controlled update mechanism to ensure users receive security patches
- Users are trained to trust these official channels and be suspicious of apps from other sources
- Sideloading apps (installing from outside official stores) bypasses these security controls
This question helps assessors understand if your organization follows standard security practices for mobile app distribution. If you distribute your app through unofficial channels, it raises concerns about the app's integrity, the update process, and potential security vulnerabilities.
When answering this question:
- Specify which official app stores your mobile application is available from
- If you use enterprise distribution methods (like Apple Enterprise Program), explain the controls in place
- If you use alternative distribution methods, explain why and what security measures you've implemented
- Select N/A only if you truly don't have a mobile application component
Guidance
Select N/A if there is no mobile version of your app.
Example Responses
Example Response 1
Yes, our mobile application is available exclusively through official trusted sources The iOS version is distributed through Apple's App Store, and the Android version is available on Google Play Store Both versions undergo the respective platform's security review processes before publication We maintain developer accounts in good standing with both platforms and follow their security guidelines for app submissions All app updates are pushed through these official channels to ensure users receive the latest security patches.
Example Response 2
Yes, our mobile application is primarily distributed through the Apple App Store for iOS users and Google Play Store for Android users Additionally, for our enterprise customers, we utilize Apple's Enterprise Developer Program and Android Enterprise to distribute specialized versions with enhanced security features These enterprise distribution methods still maintain the security benefits of code signing and controlled distribution, but allow us to provide custom functionality not appropriate for general public release We do not allow installation from unknown sources.
Example Response 3
No, our mobile application is not currently available from trusted sources like the App Store or Google Play Store Instead, we distribute our Android application as an APK file that users must sideload onto their devices, and our iOS application requires users to jailbreak their devices for installation We chose this approach because our application requires deep system access that would not be permitted by the official app stores' policies We recognize this creates security concerns, and we're working to redesign our application to comply with app store requirements by Q3 of this year In the meantime, we've implemented code signing and host our APK files on a secure server with TLS encryption and authentication requirements.
Context
- Tab
- Infrastructure
- Category
- Application/Service Security
Related questions
- Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
- Are you using a web application firewall (WAF)?
- Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?
- Does your application require access to location or GPS data?
- Does your application provide separation of duties between security administration, system administration, and standard user functions?
- Do you subject your code to static code analysis and/or static application security testing prior to release?

