
Standards alignment — patient mobile (React Native)

Version: 1.0
Date: 2026-03-31

Normative module mapping (web + mobile) lives in INTERNATIONAL_STANDARDS_AND_ENTERPRISE_ALIGNMENT.md. This document is a mobile implementation checklist—not a second source of FRs.


1. Identity and session

| Check | Reference |
|---|---|
| Authorization Code + PKCE for public client | TECHNICAL_REQUIREMENTS.md §3, AUTH_AND_SESSION.md |
| Refresh tokens only in secure storage (Keychain / SecureStore) | AUTH_AND_SESSION.md |
| tenantId / patient identity from verified JWT only | SPEC.md FR-PORT-002 |
| Biometric unlock is local only; does not replace server session policy | SPEC.md NFR-PORT-006 |

| Check | Reference |
|---|---|
| Push payloads without PHI unless policy explicitly allows | SOLUTION_DESIGN.md BR-PORT-003, SPEC.md NFR-PORT-004 |
| Deep links auth-gated; no sensitive IDs in URLs without server validation | SPEC.md NFR-PORT-005, PUSH_AND_DEEP_LINKS.md |

3. Accessibility and UX

| Check | Reference |
|---|---|
| WCAG 2.1 AA patient-facing; 2.2 stretch | SPEC.md NFR-PORT-003, NFR-PORT-008 |
| Platform HIG: VoiceOver/TalkBack, dynamic type, logical focus (incl. RTL) | I18N_AND_RTL.md, UI_UX_PATTERNS.md |

4. Application security (OWASP-style)

Align reviews with COMPLIANCE_SECURITY.md §7 (OWASP ASVS) and OWASP Mobile Top 10 categories in threat modeling:

  • M1: improper platform usage (URL schemes, WebView config)
  • M2: insecure data storage (no refresh tokens in AsyncStorage)
  • M3: insecure communication (TLS only; optional pinning per policy)
  • M4: insecure authentication (session fixation, weak PKCE)
  • M5: insufficient cryptography (use OS APIs)
  • M6: insecure authorization (IDOR — always server-resolved patient context)
  • M7: client code quality (lint, typecheck, supply chain)
  • M8: code tampering (optional Play Integrity / App Attest for high-risk tenants only)
  • M9: reverse engineering (obfuscation not a substitute for server-side authz)
  • M10: extraneous functionality (debug bridges disabled in release)

Optional hardening (tenant policy / threat model): certificate pinning (INTERNATIONAL_STANDARDS_AND_ENTERPRISE_ALIGNMENT.md §2.5), App Attest / Play Integrity for sensitive actions.
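As an added example (not code from this project), the two client-side checks that recur in §1 and in M2/M4 above: an S256 PKCE pair for the public client with the RFC 7636 verifier rules enforced, and a storage guard that refuses to put a refresh token anywhere but secure storage. It assumes Node's `crypto` module for hashing and randomness so it runs stand-alone; in a React Native build the same functions would be backed by a native crypto provider, and the `KvStore` interface is a hypothetical stand-in for Keychain/SecureStore versus AsyncStorage.

```typescript
// Added example, not the project's code. Assumes Node "crypto" for SHA-256 and
// randomness; a React Native build would supply these from a native provider.
import { createHash, randomBytes } from "crypto";

// RFC 7636 §4.1: verifier is 43-128 chars from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes -> 43-char base64url verifier (the RFC minimum length).
export function makeVerifier(): string {
  return base64url(randomBytes(32));
}

// Only S256 is produced; a "plain" challenge is the weak PKCE named under M4.
export function makeChallenge(verifier: string): string {
  if (!VERIFIER_RE.test(verifier)) {
    throw new Error("PKCE verifier violates RFC 7636 length/charset");
  }
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

// Hypothetical storage model: "secure" = Keychain/SecureStore, "async" = AsyncStorage.
export interface KvStore {
  kind: "secure" | "async";
  set(key: string, value: string): void;
  get(key: string): string | undefined;
}

// Refresh tokens may only land in secure storage (M2); anything else is rejected.
export function storeRefreshToken(store: KvStore, token: string): void {
  if (store.kind !== "secure") {
    throw new Error("refresh token must be stored in Keychain/SecureStore, not AsyncStorage");
  }
  store.set("refresh_token", token);
}

// Minimal in-memory store used to exercise the guard; not a real backend.
export function memoryStore(kind: "secure" | "async"): KvStore {
  const m = new Map<string, string>();
  return { kind, set: (k, v) => { m.set(k, v); }, get: (k) => m.get(k) };
}
```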


5. Privacy and logging

| Check | Reference |
|---|---|
| No PHI in default app logs or crash breadcrumbs | COMPLIANCE_SECURITY.md §8; AI-related logging limits: FR-NFR-018 in EHR_FUNCTIONAL_REQUIREMENTS.md |
| Subprocessors / analytics under DPA where GDPR applies | COMPLIANCE_SECURITY.md §8 |

6. Clinical and API boundaries

| Check | Reference |
|---|---|
| No /internal/* from mobile | API_PATH_CONVENTIONS.md |
| Policy filtering server-side; never client-only redaction | SPEC.md §11 |
| First-party app only; third-party SMART apps out of scope unless program exists | SPEC.md §7 |