I have a project that allows users to view some sensitive personal content (e.g. medical history, certificates, etc.) in various formats such as PDF, Word and image files. This content is hosted on a server and users can view it on a web interface at the moment. These attachments are supposedly stored as binary and only generated on the fly when requested.
They would like to have a mobile app that does the same thing. The customer is concerned about security and how these attachments will be viewed from the mobile app. I was thinking that the server can generate those attachments and the mobile app can load them using a webview from an HTTPS URL.
There are always possibilities of MITM attacks if using public Wi-Fi, but I think an HTTPS site should be secure enough. I am not sure if there’s any better way. What do you guys think?