The app is signed and provisioned with a valid certificate whose private key is properly protected.
The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable).
Debugging symbols have been removed from native binaries.
Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages.
All third-party components used by the mobile app, such as libraries and frameworks, are identified and checked for known vulnerabilities.
The app catches and handles possible exceptions.
Error handling logic in security controls denies access by default.
In unmanaged code, memory is allocated, freed and used securely.
Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated.
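
The two error-handling requirements above (exceptions are caught and handled; error handling in security controls denies access by default) are illustrated in the following added example, which is not part of the original checklist. The class, method names, key and message are hypothetical and constructed for the demonstration; it contrasts a fail-open check with a fail-closed one when verification itself throws.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class; all names and sample values are constructed.
public class FailClosedDemo {
    static byte[] hmac(byte[] key, String msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Anti-pattern: the decision starts permissive, so an exception thrown
    // during verification is swallowed and access stays granted.
    static boolean verifyFailOpen(byte[] key, String msg, byte[] tag) {
        boolean allowed = true;
        try {
            if (!MessageDigest.isEqual(hmac(key, msg), tag)) {
                allowed = false;
            }
        } catch (Exception e) {
            // error ignored; allowed is still true
        }
        return allowed;
    }

    // Hardened form: the decision starts at deny and becomes true only when
    // the constant-time comparison succeeds; every failure path denies.
    static boolean verifyFailClosed(byte[] key, String msg, byte[] tag) {
        boolean allowed = false;
        try {
            allowed = MessageDigest.isEqual(hmac(key, msg), tag);
        } catch (GeneralSecurityException | RuntimeException e) {
            allowed = false; // explicit deny, no verbose error output
        }
        return allowed;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] tag = hmac(key, "role=user");
        System.out.println("valid input:          " + verifyFailClosed(key, "role=user", tag));
        // A null message makes hmac() throw, exercising the error path.
        System.out.println("fail-open on error:   " + verifyFailOpen(key, null, tag));
        System.out.println("fail-closed on error: " + verifyFailClosed(key, null, tag));
    }
}
```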