MAG Storage questions

Article ID: 73188

Products

CA API Gateway, CA Mobile API Gateway

Issue/Introduction

Mobile Access Gateway questions

  1. Storage where the client certificate is kept: is it INTERNAL storage of the SDK or the Keychain of the Android/iOS OS?
  2. Can other apps get access to the 'keychain' if it is under SDK storage?
  3. Finger lock: we understand that MAG login (access to the keychain with certificate & OAuth token) can be made with FINGER LOCK but also with the user password? Is this correct, or is only finger supported?
  4. We want to send the client certificate for each request (Mutual SSL). What is the best way to protect the keychain with fingerprint? Or can the SDK reach the keychain without any permissions at any time?


Environment

Mobile API Gateway

Resolution

Q1 Answer: The client certificate is stored in the iOS shared keychain storage.

Q2 Answer: In short, no: this data is not accessible to other apps unless that is explicitly allowed. It is held in shared keychain storage, so other apps signed with the same Apple developer certificate and declaring the same keychain access group identifier are able to access it, but in most cases it will not be accessible.

Q3 Answer: If I understand the question correctly, it asks whether the fingerprint session lock is only available through fingerprint, or also through the device passcode. The session lock can be performed through fingerprint, device passcode, and/or Face ID, whichever of these are available on the device. It is an iOS device-level configuration, so whatever the user configures on the device will be available to lock/unlock the session.

Q4 Answer:

  • The Mobile SDK makes ALL requests protected with Mutual SSL. For server certificate validation, developers have the option to choose which pinning option they prefer (document reference); however, the client certificate is mandatory to communicate with the gateway.
  • As it is solely the Mobile SDK's job to maintain the security of the mobile application and to maintain and manage keychain storage, the Mobile SDK is solely responsible for accessing the keychain, and it does so without requesting any permission at any given time. However, the Mobile SDK accesses that data only when required, and it does not provide explicit interfaces for developers to access this system data in keychain storage. (If developers reverse engineer which keychain attributes and options were used for that system data, they can access it directly through Apple's Keychain API; however, the Mobile SDK neither provides direct interfaces to access these data nor exposes them.)
  • As it's solely Mobile SDK's job to maintain the security aspect of the mobile application, and maintain and manage keychain storage, Mobile SDK is solely responsible and accessing keychain without any permissions at any given time.  However, Mobile SDK only accesses those data only when it's required, and Mobile SDK does not provide explicit interfaces for developers to access these system data in keychain storage. (although if developers reverse engineer what attributes and options of keychain were used in those system data, developers can access those data directly through Apple's Keychain API; however, Mobile SDK does not provide direct interfaces to access, nor expose these data)