Security & Best Practices

Mobitru MCP is designed to operate securely within your organization’s controlled environment.
The following guidelines summarize the recommended security controls and operational practices to safeguard credentials, data, and device access in enterprise deployments.

Common recommendations:

  • Artifacts and logs remain in the local persistent workspace (~/.mobitru-mcp). 
  • All communication between MCP clients and Mobitru servers is encrypted via HTTPS/TLS 1.2+.
  • API keys are securely scoped to your organization and stored locally only. 
  • No customer data is sent outside your controlled environment.
  • Treat DEVICE_FARM_API_KEY as a secret. Prefer env managers or VS Code secret storage.
  • Avoid NODE_TLS_REJECT_UNAUTHORIZED=0 outside staging; it disables TLS certificate validation in Node.js.
  • Release devices after use to free capacity.
  • Prefer resign (no injection) for iOS unless injection is explicitly required.

Additional recommendations:

  • Restrict inbound access to MCP servers via firewall or VPN (e.g., allowlist CI/CD IPs only).
  • Rotate API keys and TLS certificates periodically.
  • Validate server certificates before connecting MCP clients (avoid self-signed certs in production).
  • Sanitize logs to remove sensitive data (tokens, credentials, user PII).
  • Regularly update MCP to the latest stable release for security patches.
  • Run MCP services under non-root users where possible.
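Several of the recommendations above can be enforced at launch time rather than left to convention. The following is an added example, not Mobitru's own code: a Node.js preflight check plus a log redaction helper. Only DEVICE_FARM_API_KEY and NODE_TLS_REJECT_UNAUTHORIZED come from this page; the function names, the stage argument and the sample values are assumptions.

```javascript
// Added example: launch-time checks for a Node-based MCP process.
// preflight(), redact() and the `stage` argument are hypothetical names;
// only the two environment variable names come from the page.
function preflight(env, uid, stage) {
  const findings = [];
  const key = env.DEVICE_FARM_API_KEY;
  if (!key || key.trim() === '') {
    findings.push('DEVICE_FARM_API_KEY is not set; inject it from a secret store');
  }
  // Node.js skips certificate validation on TLS connections when this is "0".
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0' && stage !== 'staging') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 is set outside staging');
  }
  // uid is undefined on platforms without process.getuid (for example Windows).
  if (uid === 0) {
    findings.push('process runs as root; use a dedicated non-root user');
  }
  return findings;
}

// Mask known secret values and Authorization header credentials in a log line.
function redact(line, secrets) {
  let out = line;
  for (const s of secrets) {
    // Skip empty or very short values that would mask unrelated text.
    if (s && s.length >= 4) out = out.split(s).join('[REDACTED]');
  }
  return out.replace(/(authorization:\s*(?:bearer|basic)\s+)\S+/gi, '$1[REDACTED]');
}

// Constructed sample input: a misconfigured production launch.
const sampleEnv = {
  DEVICE_FARM_API_KEY: 'k-constructed-123',
  NODE_TLS_REJECT_UNAUTHORIZED: '0',
};
const sampleUid = typeof process.getuid === 'function' ? process.getuid() : undefined;
for (const finding of preflight(sampleEnv, sampleUid, 'production')) {
  console.error('preflight: ' + finding);
}
console.log(redact('request sent with key=k-constructed-123', [sampleEnv.DEVICE_FARM_API_KEY]));
```

In a real launcher, pass process.env and exit non-zero when preflight returns any finding, and route every log line through redact before it is written to the workspace.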