The European Commission is organising the 5th International Product Safety Week this week. Every two years, policy makers, industry, consumer organisations and many others from across the world gather to discuss how to cooperate in order to reinforce product safety. The aim of the International Product Safety Week is to promote the safety of consumer products and international cooperation.
The European Commission press release regarding the fifth International Product Safety Week is available in 21 languages.
ENISA supports International Product Safety Week through a number of published studies and reports that support the development of safer consumer products in areas such as secure smartphone development, app-store security and secure software engineering. Examples include:
Smartphone Secure Development Guidelines
In its Smartphone Secure Development Guidelines, ENISA advocates a baseline set of ‘five lines of defence’ against malware: app review, reputation, kill-switches, device security and jails.
As a first step towards addressing the problem of software vulnerabilities, ENISA provides a comprehensive list of existing Secure Software Engineering (SSE) initiatives. This list includes initiatives in the EU, as well as some major US and global SSE initiatives, focused on finding and preventing software vulnerabilities.
Ten critical areas when creating apps
Written for smartphone application developers, the ENISA Smartphone Secure Development Guidelines lists ten critical areas to consider when creating apps.
- Identify and protect sensitive data on the mobile device
- Handle password credentials securely on the device
- Ensure sensitive data is protected in transit
- Implement user authentication and authorization and session management correctly
- Keep the backend APIs (services) and the platform (server) secure
- Secure data integration with third-party services and applications
- Pay specific attention to the collection and storage of consent for the collection and use of users’ data
- Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls, etc.)
- Ensure secure distribution/provisioning of mobile applications
- Carefully check any runtime interpretation of code for errors