10.02.2017

ENISA updates Smartphone Secure Development Guidelines

Smartphone Secure Development Guidelines (pdf)
This document is an updated version of the Smartphone Development Guidelines published by ENISA in 2011. New developments in both software and hardware have been translated into new significant threats for the mobile computing environment, highlighting the need for an update of the document (published February 10, 2017).
Source: ENISA

According to ENISA, the guidelines aim to cover the entire spectrum of attacks that developers of smartphone applications should consider when building mobile apps. These include:
  • Identify and protect sensitive data
  • User authentication, authorization and session management
  • Handle authentication and authorization factors securely on the device
  • Ensure sensitive data protection in transit
  • Secure the backend services and the platform server and APIs
  • Secure data integration with third party code
  • Consent and privacy protection
  • Protect paid resources
  • Secure software distribution
  • Handle runtime code interpretation
In addition, new sections have been added to cover new attacks that abuse biometrics and clients:

  • Device and application integrity
  • Protection from client side injections
  • Correct usage of biometric sensors