The app only requests the minimum set of permissions necessary.
All inputs from external sources and the user are validated and if necessary sanitized. This includes data received via the UI, IPC mechanisms such as intents, custom URLs, and network sources.
The app does not export sensitive functionality via custom URL schemes, unless these mechanisms are properly protected.
The app does not export sensitive functionality through IPC facilities, unless these mechanisms are properly protected.
WebViews are configured to allow only the minimum set of protocol handlers required (ideally, only https is supported). Potentially dangerous handlers, such as file, tel and app-id, are disabled.
Object deserialization, if any, is implemented using safe serialization APIs.
The app protects itself against screen overlay attacks. (Android only)
Verify that the app prevents usage of custom third-party keyboards whenever sensitive data is entered (iOS only).