The application must not display sensitive user data in easily readable, bright and large fonts unless this is required, and not without a specific user request. This is because the data can be read from the screen of the device being used.
The level of protection applied also depends on the specific use. For example, if the application is not on all client servers, does not contain sensitive user data and does not work with valuable internal algorithms, then it does not make sense to overprotect it. However, if the application is focused, for example, on performing banking operations or storing user passwords, the security level must be the highest.
However, the general vulnerabilities of the mobile sector mentioned above are easy to exclude from an application. Usually this entails no additional cost if the developers start applying the required level of protection in the early stages of development. Implementing "post-factum protection" in an application that is already running, on the other hand, can cost the developers time and effort.