Hi Team..

We have an offline Pega Mobile app in our solution. Now, a pen test has revealed below issues with the app. Is there way we can address these issues OOTB or otherwise?

1. Sensitive Information Disclosure - Pen testing team used a Process analyser tool look into application files (inside the apk) as well as the in-memory data. They found XML files with sensitive information such as the platforms oAuth client id and secret. Suggestion is to encrypt the files -> configuration files, database files and clean in-memory data when its no longer needed - all from app platform perspective
2. Man in the middle attack - Pen testing team has used a proxy server to imitate a legitimate server with fake (and valid) SSL certificate. The app continued to send and recieve its data without verifying if the certificate belongs to client (it did verify if its a valid certificate - which it is). Suggestion is to perform SSL certificate pinning on the app so that the app doesn't communicate to any other servers that carry different certificate

Please suggest if there are any measures we can undertake to mitigate the above issues?