Cryptographic security protects information from wiretapping in transit, but endpoints can still be vulnerable. A TLS-secured connection isn't sufficient to protect a user's sensitive information if the server at the other end of that connection is impersonating the system the user wants to reach, or if a legitimate system has been hacked.

A mobile device can empower its user to authenticate to Web-based services using methods stronger than simple passwords. It can generate one-time passwords for display and entry by its user, or can perform key-based cryptographic operations to demonstrate a user's identity within a protocol.

Federated identity and related protocols, such as SAML, OpenID, and the eXtensible Access Control Markup Language (XACML) can serve new and valuable roles now that mobile devices are powerful enough to operate as service providers in themselves and as users' data is dispersed across numerous cloud-based platforms.

Many mobile apps communicate data back to sites operated by the organizations that provide the apps. The apps can provide valuable services for their users, but may also serve their providers by collecting information. To maintain an individual's security and privacy, especially as mobile devices accumulate apps from multiple sources, it's important to constrain what data each app can access within a device.