# Security

> **Note**\
> This subsection describes security mechanisms specific to the Aurex mobile application.

The Aurex mobile app follows the same security model as the web platform while introducing **additional protections tailored for mobile usage**.

***

#### Authentication and session security

Access to the mobile app requires:

* valid Aurex account credentials,
* an active authenticated session,
* device-level protection where available.

User sessions are **securely managed** and can be invalidated at any time.

***

#### Device-based protection

{% hint style="warning" %}
**Important**\
The mobile app relies on **device-level security features** provided by the operating system.
{% endhint %}

These device-level features may include:

* biometric authentication (Face ID / fingerprint),
* device passcode protection,
* secure OS-level storage for session data.

Exact availability depends on the user’s device and system configuration.

***

#### Sensitive actions

Certain actions inside the mobile app may require **additional verification**, including:

* one-time passwords (OTP),
* re-authentication prompts,
* temporary session confirmation.

This helps reduce the risk of unauthorized access if a device is compromised.

***

#### Data handling

* No private keys are stored directly in the mobile app.
* Sensitive data is transmitted over **encrypted channels**.
* Account-critical logic remains server-side.

> **Note**\
> The mobile app does not introduce new custody or key management responsibilities.

***

#### Account control

Users retain full control over their account:

* sessions can be revoked from other devices,
* access can be restored through standard recovery procedures,
* security changes apply across web and mobile simultaneously.

***

#### Security boundaries

{% hint style="danger" %}
**Important**\
API keys and developer credentials are **never exposed** to the mobile application.
{% endhint %}

The mobile app operates strictly as a user-facing interface.

***

#### Summary

* Mobile app security is aligned with the web platform.
* Device-level protections enhance account safety.
* All critical security controls remain centralized.
