The European Union Agency for Network and Information Security (ENISA) has published an updated version of its Smartphone Secure Development Guidelines. The document details the risks faced by developers of smartphone applications and provides ways to mitigate them.
The original version of the Guidelines was published in 2011. The update was made available on 10 February. “New developments in both software and hardware have been translated into new significant threats for the mobile computing environment, highlighting the need for an update”, ENISA writes.
The guidelines detail 13 types of risk, including sensitive data, software flaws and (abuse of) biometric sensors. For each, the ENISA experts provide recommendations to reduce the risk of abuse. For example, to identify and protect sensitive data on mobile devices, ENISA recommends that software developers begin by classifying, in the design phase, the data the app stores: passwords, personal data, location, and other sensitive records such as error logs. They can then process, store and use these data according to their classification, and validate the security of API calls.
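The classification step above is easy to state and easy to skip. The following added example (not from the ENISA guidelines or the article) shows one way to make it concrete in an app's code: a design-time classification table for every field the app handles, a storage policy keyed on that classification, and a log scrubber that treats error logs as sensitive records by redacting anything above the public class before it is written. The field names, sensitivity classes and store names are constructed for illustration; unknown fields fail closed to the most restrictive class.

```python
from enum import Enum


class Sensitivity(Enum):
    """Constructed sensitivity classes, ordered from least to most restrictive."""
    PUBLIC = "public"
    PERSONAL = "personal"
    SECRET = "secret"


# Constructed design-phase classification: every field the app persists or logs
# gets a class here before any storage or logging code is written.
FIELD_CLASSIFICATION = {
    "app_version": Sensitivity.PUBLIC,
    "username": Sensitivity.PERSONAL,
    "email": Sensitivity.PERSONAL,
    "latitude": Sensitivity.PERSONAL,
    "longitude": Sensitivity.PERSONAL,
    "password": Sensitivity.SECRET,
    "session_token": Sensitivity.SECRET,
}

# Constructed storage policy: which backing store each class is allowed to use.
STORAGE_POLICY = {
    Sensitivity.PUBLIC: "plain_prefs",
    Sensitivity.PERSONAL: "encrypted_store",
    Sensitivity.SECRET: "platform_keystore",
}


def classify(field):
    """Return the class for a field; unclassified fields fail closed to SECRET."""
    return FIELD_CLASSIFICATION.get(field, Sensitivity.SECRET)


def storage_for(field):
    """Pick the backing store a field may be written to, based on its class."""
    return STORAGE_POLICY[classify(field)]


def redact_for_log(record):
    """Scrub a (possibly nested) record so only PUBLIC fields reach the error log.

    Error logs are themselves a sensitive record, so anything PERSONAL or SECRET
    is replaced by a marker that still shows which class was removed.
    """
    scrubbed = {}
    for key, value in record.items():
        if isinstance(value, dict):
            scrubbed[key] = redact_for_log(value)
        elif classify(key) is Sensitivity.PUBLIC:
            scrubbed[key] = value
        else:
            scrubbed[key] = "<redacted:%s>" % classify(key).value
    return scrubbed


if __name__ == "__main__":
    # Constructed sample of what a crash handler might be tempted to log.
    crash_context = {
        "app_version": "3.1.0",
        "username": "alice",
        "password": "hunter2",
        "location": {"latitude": 52.37, "longitude": 4.89},
    }
    print("password ->", storage_for("password"))
    print("log line ->", redact_for_log(crash_context))
```

The fail-closed default in `classify` is the part worth keeping: a field added later without a classification entry is stored in the most protected store and never reaches a log, so forgetting the design-phase step costs convenience rather than confidentiality.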
The guide includes three new sections: on device and application integrity, on protection from client-side injections, and on the correct usage of biometric sensors. ENISA warns, for example, that mobile apps that interact with other apps or sensors can pose security risks, and recommends building in checks. ENISA also asks developers to always check for biometric sensors, such as a fingerprint reader or iris scanner, and to make sure these are used correctly.