ENISA and OWASP Issue Smartphone Secure Development Guidelines
The European Network and Information Security Agency (ENISA) and OWASP have jointly published a set of secure development guidelines for smartphone applications. Written for smartphone application developers, the report lists ten critical areas to consider when building the next Angry Birds or the next ultra-portable office suite.
In addition to the ten controls, the report offers further tips, three of which stand out:
• Run the app with the minimum privilege it needs on the operating system. Be aware of permissions that APIs grant by default, and disable any the app does not use.
• Never allow code or the app itself to execute with root/system administrator privilege.
• Log appropriately, but do not record excessive logs, and in particular never log sensitive user information.
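The third tip is easiest to honour when the redaction happens in one place rather than at every call site. The following is an added example, not code from the ENISA/OWASP report: a `java.util.logging` formatter that scrubs credential-style `key=value` pairs and card-number-like digit runs before any line reaches a handler. The field names in the pattern (`password`, `token`, `session`, `pin`, `cvv`) and the sample log line are assumptions constructed for the illustration; adapt the pattern to the keys your own app actually emits.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Handler;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;

// Added example (not from the ENISA/OWASP report): a Formatter that redacts
// sensitive material centrally, so a forgotten Log call cannot leak it.
public final class RedactingFormatter extends SimpleFormatter {

    // Assumption: the app logs key=value pairs; these key names are hypothetical.
    // Matches the key and its value up to the next whitespace, comma or semicolon.
    private static final Pattern SENSITIVE_FIELD = Pattern.compile(
            "(?i)\\b(password|passwd|token|session|pin|cvv)=([^\\s,;]+)");

    // Card-number-like runs of 13-19 digits, optionally separated by spaces or dashes.
    private static final Pattern CARD_NUMBER = Pattern.compile(
            "\\b(?:\\d[ -]?){12,18}\\d\\b");

    // Pure function so it can be unit-tested without touching the logging framework.
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        String scrubbed = SENSITIVE_FIELD.matcher(message).replaceAll("$1=[REDACTED]");
        return CARD_NUMBER.matcher(scrubbed).replaceAll("[PAN-REDACTED]");
    }

    @Override
    public String format(LogRecord record) {
        // Rewrite the message before the parent formatter renders it.
        record.setMessage(redact(record.getMessage()));
        return super.format(record);
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("app");
        log.setUseParentHandlers(false);          // keep the root handler from printing the raw line
        Handler handler = new ConsoleHandler();
        handler.setFormatter(new RedactingFormatter());
        log.addHandler(handler);

        // Constructed sample line; the values are invented for the example.
        log.info("login user=alice password=hunter2 token=abc123 card=4111 1111 1111 1111");
        // Printed as: login user=alice password=[REDACTED] token=[REDACTED] card=[PAN-REDACTED]
    }
}
```

Treat the formatter as defence in depth, not as permission to log freely: the report's advice is still to keep secrets out of log calls in the first place, and to strip verbose debug logging from release builds so that what does reach the device log is minimal.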
As for the controls themselves, the list includes:
• Identify and protect sensitive data on the mobile device
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication and authorization and session management correctly
• Keep the backend APIs (services) and the platform (server) secure
• Secure data integration with third party services and applications
• Pay specific attention to the collection and storage of consent for the collection and use of user’s data
• Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls, etc.)
• Ensure secure distribution/provisioning of mobile applications
• Carefully check any runtime interpretation of code for errors
To see all 67 recommendations for mobile application development grouped under the ten best practices, head here.
Related: Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms
On Demand Webcast: Protecting Corporate Data in Mobile Apps