CSA Safe Standard App User Guide

June 16, 2024
CSA

Safe Standard App

Product Information

Specifications

  • Product Name: CSA’s Safe App Standard
  • Version: 1.0
  • Release Date: January 10th, 2024

About the Standard

The CSA’s Safe App Standard is a set of guidelines and best
practices for implementing authentication security controls in
mobile applications. It aims to ensure secure authentication
mechanisms and protect sensitive data from unauthorized access. The
standard is developed in consultation with various organizations
and experts in the field of cybersecurity.

Purpose, Scope, and Intended Audience

The purpose of the CSA’s Safe App Standard is to provide
developers with recommendations and best practices for implementing
secure authentication controls in mobile applications. The standard
is applicable to developers and organizations involved in the
development of mobile applications that require authentication. It
is designed to enhance the overall security of the authentication
process and protect user privacy.

Notice and Developer Guidance

The CSA’s Safe App Standard provides guidance to developers on
implementing authentication security controls. It emphasizes the
importance of following industry best practices and ensuring the
secure implementation of authentication mechanisms. Developers
should refer to the standard for detailed guidance on implementing
the recommended security controls.

Document Definitions and Normative References

The CSA’s Safe App Standard includes document definitions and
normative references that provide clarity on the terminology used
and refer to other relevant industry standards and guidelines.
Developers should refer to these definitions and references for a
better understanding of the standard.

Product Usage Instructions

Authentication

Authentication is an essential component of most mobile
applications. It verifies the identity of users, clients,
applications, and devices before granting access to specific
resources or allowing certain actions. The CSA’s Safe App Standard
provides recommendations and best practices for implementing secure
authentication controls.

Security Controls

The CSA’s Safe App Standard includes the following
authentication security controls:

ID Control
AUTHN-BP01 The app uses Multi-Factor Authentication (MFA) to authenticate

high-risk transactions.
AUTHN-BP02| Control description
AUTHN-BP03| Control description
AUTHN-BP04| Control description
AUTHN-BP05| Control description
AUTHN-BP06| Control description

AUTHN-BP01 – Multi-Factor Authentication (MFA)

In a traditional single-factor authentication system, users
typically only need to input Something-You-Know (such as usernames
and passwords). However, MFA adds layers of identity verification
by requiring additional factors like Something-You-Have and
Something-You-Are. This makes it more challenging for malicious
actors to compromise accounts and enhances the overall security of
the authentication process.

Implementation Guidance

Developers should implement Step-up MFA, which requires an
additional authentication level for higher-risk transactions. The
CSA’s Safe App Standard prioritizes the following MFA
combinations:

  1. Something-You-Know
  2. Something-You-Have
  3. Something-You-Are

Frequently Asked Questions (FAQ)

Q: What is the purpose of the CSA’s Safe App Standard?

A: The purpose of the CSA’s Safe App Standard is to provide
developers with recommendations and best practices for implementing
secure authentication controls in mobile applications.

Q: Who is the intended audience for the CSA’s Safe App

Standard?

A: The CSA’s Safe App Standard is intended for developers and
organizations involved in the development of mobile applications
that require authentication.

Q: What are the benefits of implementing Multi-Factor

Authentication (MFA)?

A: Implementing MFA adds layers of identity verification, making
it more challenging for malicious actors to compromise accounts and
enhancing the overall security of the authentication process.

1

CSA’s Safe App Standard Version 1.0 Released January 10th 2024
2

In Consultation With:
The Association of Banks Singapore, Standing Committee on Cyber Committee Deloitte Southeast Asia Risk Advisory Ernst & Young Advisory Pte. Ltd. KPMG in Singapore Lazada Microsoft Singapore PricewaterhouseCoopers Risk Services Pte. Ltd.
Disclaimer:
These organisations were consulted on the Standard for feedback and comments on the security control, description of the security control, and technical implementation guidelines. To the maximum extent permitted under law, CSA, and external consultants shall not be liable for any inaccuracies, errors and/or omissions contained herein nor for any losses or damages of any kind (including any loss of profits, business, goodwill, or reputation, and/or any special, incidental, or consequential damages) in connection with any use or reliance on this Standard. Organisations developing mobile apps, service providers and developers are advised to consider how the Standard may be applied to their specific circumstances obtain their own legal and/or technical advice in relation to the contents and/or implementation of the recommendations in the Standard Organisations developing mobile apps, service providers and developers should exercise professional judgement if and when implementing the recommendations in the Standard, and should also consider if additional measures are necessary in relation to their specific circumstances.
3

Contents
In Consultation With: ……………………………………………………………………………………………………………… 3 Disclaimer: ……………………………………………………………………………………………………………………………. 3 About the Standard………………………………………………………………………………………………………………… 6 Purpose, Scope, and Intended Audience …………………………………………………………………………………… 6 Notice and Developer Guidance ………………………………………………………………………………………………. 7 Document Definitions and Normative References ……………………………………………………………………… 8 1. Authentication ……………………………………………………………………………………………………………… 10
AUTHN-BP01 ……………………………………………………………………………………………………………………. 11 AUTHN-BP01a ………………………………………………………………………………………………………………. 13 AUTHN-BP01b ………………………………………………………………………………………………………………. 14 AUTHN- BP01c……………………………………………………………………………………………………………….. 15
AUTHN-BP02 ……………………………………………………………………………………………………………………. 16 AUTHN-BP03 ……………………………………………………………………………………………………………………. 17
AUTHN-BP03a ………………………………………………………………………………………………………………. 18 AUTHN-BP03b ………………………………………………………………………………………………………………. 19 AUTHN-BP04 ……………………………………………………………………………………………………………………. 20 AUTHN-BP05 ……………………………………………………………………………………………………………………. 21 AUTHN-BP06 ……………………………………………………………………………………………………………………. 22 ………………………………………………………………………………………………………………………………………….. 23 2. Authorisation ……………………………………………………………………………………………………………….. 24 AUTHOR-BP01 ………………………………………………………………………………………………………………….. 25 AUTHOR-BP02 ………………………………………………………………………………………………………………….. 26 AUTHOR-BP03 ………………………………………………………………………………………………………………….. 27 AUTHOR-BP04 ………………………………………………………………………………………………………………….. 28 ………………………………………………………………………………………………………………………………………….. 29 3. Data Storage (Data-at-Rest) ……………………………………………………………………………………………. 30 STORAGE-BP01 …………………………………………………………………………………………………………………. 31 STORAGE-BP02 …………………………………………………………………………………………………………………. 32 STORAGE-BP02a ……………………………………………………………………………………………………………. 33 STORAGE-BP02b ……………………………………………………………………………………………………………. 34 STORAGE-BP03 …………………………………………………………………………………………………………………. 35 ………………………………………………………………………………………………………………………………………….. 36 4. Anti-Tampering & Anti-Reversing……………………………………………………………………………………..37 RESILIENCE-BP01 ………………………………………………………………………………………………………………. 38 RESILIENCE-BP02 ………………………………………………………………………………………………………………. 39
4

RESILIENCE-BP03 ………………………………………………………………………………………………………………. 41 RESILIENCE-BP04 ………………………………………………………………………………………………………………. 42 RESILIENCE-BP05 ………………………………………………………………………………………………………………. 43 RESILIENCE-BP06 ………………………………………………………………………………………………………………. 44 RESILIENCE-BP07 ………………………………………………………………………………………………………………. 45 References…………………………………………………………………………………………………………………………… 46
5

About the Standard
Introduction The Safe App Standard is a recommended standard for mobile applications (apps), developed by the Cyber Security Agency of Singapore (CSA), in consultation with the industry partners from financial institutions, tech organisations, consultancy firms and government agencies. Overview The objective of the Standard is to put forward a recommended baseline of security controls for mobile app developers and providers to follow. This would ensure that all local apps adhere to a similar set of security controls for mobile apps, thereby raising security levels of the apps hosted and created in Singapore.
Purpose, Scope, and Intended Audience
This document was developed to provide recommendations and suggestions to developers to assist them in implementing security functions into their apps. Such recommendations and suggestions are aimed towards assisting developers in mitigating against a broad spectrum of cybersecurity threats and in protecting their apps from the latest mobile scams and mobile malware exploits. The contents herein are non-binding, provided on a non-reliance basis and meant to be informative in nature, and are not intended to exhaustively identify potential cybersecurity threats nor exhaustively specify processes or systems that developers should put in place to address or prevent such threats. Version 1 of Safe App Standard’s guidelines and security controls will focus primarily on providing security guidelines to developers of high-risk apps to counteract the latest mobile malware and scam exploits seen in Singapore’s threat landscape. However, these security controls can also benefit and be implemented by other apps. It is recommended that all developers strive to implement these measures for enhanced mobile app security. Although this Standard has a primary focus area, future iterations will expand to address security best practices and guidelines for the entire mobile app stack.
6

Notice and Developer Guidance
This is a living document that will be subjected to review and revision periodically. Like many other established standards, the Safe App Standard is a living document that will be regularly updated to match the current and evolving threat landscape and new attack vectors. Please refer to CSA’s website to stay updated with the latest version of the Safe App Standard and adapt security measures and controls accordingly. This Standard should be read in conjunction with and does not replace, vary, or supersede any legal, regulatory, or other obligations and duties of app developers and providers, including those under the Cybersecurity Act 2018, and any subsidiary legislation, codes of practice, standards of performance, or written directions issued thereunder. The use of this document and implementation of the recommendations herein also does not exempt or automatically discharge the app developer and provider from any such obligations or duties. The contents of this document are not intended to be an authoritative statement of the law or a substitute for legal or other professional advice. Developer guidance on Safe App Standard security framework For ease of use, developers should take note that Version 1 of the Safe App Standard targets the following critical areas, and the document itself can be split into the following subsections:
· Authentication · Authorisation · Data Storage (Data-at-Rest) · Anti-Tamper & Anti-Reversing These critical areas are included to ensure the standardisation of mobile app security against the most common attack vectors used by malicious actors in our local ecosystem. The Safe App Standard provides a clear and concise set of security controls, guidelines, and best practices for enhancing the security of mobile apps that provide or enable high-risk transactions.
7

Document Definitions and Normative References
Document Definitions The following are some definitions that developers and readers should keep in mind as they utilise this document: Sensitive data ­ User data such as Personal Identifiable Information (PII) and authentication data such as credentials, encryption keys, one-time passwords, biometric data, security tokens, certificates, etc. High-risk transactions are those that involve:
· Changes to financial functions ­ some examples include but are not limited to registration of third-party payee details, increase of fund transfer limit, etc.
· Initiation of financial transactions ­ some examples include but are not limited to high-value funds transactions, high-value funds transfers, online card transactions, direct debit access, money storage functions, and top-ups, etc.
· Changes to the application’s security configurations­ some examples of this include but are not limited to disabling authentication methods, updating digital tokens or credentials, etc.
Security controls ­ Operational or technical measures recommended in this document that should be implemented to manage, monitor, and mitigate potential security vulnerabilities or incidents. These security controls have the following IDs attached to them, e.g., AUTHN-BP01, AUTHOR-BP01, STORAGE-BP01, RESILIENCE-BP01. Normative References The Safe App Standard references industry standards from the Open Web Application Security Project (OWASP), the European Union Agency for Network and Information Security (ENISA) and the Payment Card Industry Data Security Standard (PCI DSS). The list of references is as follows:
· OWASP’s MASVS (Mobile Application Security Verification Standard) · OWASP’s MASTG (Mobile Application Security Testing Guide) · ENISA’s Secure Development Guidelines (SSDG) · PCI DSS’ Mobile Payment Acceptance Security Guidelines for Developers
8

9

1. Authentication

Introduction
Authentication is an essential component of most mobile applications. These applications commonly employ various forms of authentication, including biometrics, PINs, or multi-factor authentication code generators. Ensuring the authentication mechanism is secure and implemented following industry best practices is crucial to validate user identity.
By implementing robust security controls for authentication, developers can ensure that only authenticated users, clients, applications and devices can access specific resources or perform certain actions. Through secure authentication controls, developers can also mitigate the risk of unauthorised data access, maintain the integrity of sensitive data, uphold user privacy and protect the integrity of high-risk transaction functionalities.
The controls in this category aim to recommend authentication security controls that the application should implement to safeguard sensitive data and prevent unauthorised access. It also gives developers relevant best practices to implement these security controls.
Security controls

ID

Control

AUTHN-BP01 AUTHN-BP01a AUTHN-BP01b AUTHN-BP01c AUTHN-BP02 AUTHN-BP03 AUTHN- BP03a AUTHN-BP03b AUTHN-BP04 AUTHN-BP05 AUTHN-BP06

Use Multi-Factor Authentication to authenticate high-risk transactions. Implement Something-You-Know authentication as one of the MFA factors. Implement Something-You-Have authentication as one of the MFA factors. Implement Something-You-Are authentication as one of the MFA factors. Use context-based factors to authenticate. Implement secure session authentication. Implement secure stateful authentication. Implement secure stateless authentication. Implement secure session termination during logout, inactivity, or application closure. Implement brute force protection for authentication. Implement transaction integrity verification mechanism.

10

AUTHN-BP01
Control
The app uses Multi-Factor Authentication (MFA) to authenticate high-risk transactions.
Description
In a traditional single-factor authentication system, users typically only need to input Something-YouKnow1 such as usernames and passwords. However, if this single factor fails or is compromised, the entire authentication process is vulnerable to threats.
MFA is an authentication procedure that adds layers of identity verification, requiring not only Something-You-Know but also Something-You-Have2 and Something-You-Are3. Implementing MFA makes it more challenging for malicious actors to compromise accounts and enhance the overall security of the authentication process.
Implementation guidance
Developers should use Step-up MFA. It is a specific type of MFA where the app incorporates an authentication strategy that requires an additional authentication level, especially when attempting higher-risk transactions.
Developers should prioritise the following MFA combinations in the order of 1, 2, 3, and 4, with option 1 as the most secure choice.

Factors / Option Something-You-Know Something-You-Have
· Software token · Hardware token · SMS OTP Something-You-Are

1

2

3

4

1 Something-You-Know refers to information that the user knows, such as PIN (Personal Identification Number), password, or pattern, etc. 2 Something-You- Have refers to the possession of a physical device, app, or token that generates authentication credentials, which may include time-based One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP. 3 Something-You-Are refers to biometric identifiers, where the user’s unique physical characteristics are used for verification, such as fingerprints, retina scans, facial recognition, or voice recognition.
11

Developers are strongly advised to not rely on SMS and email OTP as a channel for authentication for high-risk transactions. If not able to, it is critical to implement a biometric factor or an additional authentication factor in conjunction with SMS OTP and email OTP. Things to note
· It is strongly recommended to choose off-the-shelf solutions when possible. · Developers should ensure that at least one MFA factor is verified on the client-side, with all
others verified on the server-side. In cases where authentication is verified on the client side, especially for Android, enforce Trusted Execution Environment (TEE) based code. · This security control is referenced in other standards. Please refer to the documentation(s) provided in:
o OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 21.
o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 51, 56. o MAS Technology Risk Management Guidelines (2021), pg. 34, 50. o ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
12

AUTHN-BP01a Control The app implements Something-You-Know authentication as one of the MFA factors. Description Something-You-Know represents a fundamental layer of identity verification involving information known only to the user, such as a PIN (Personal Identification Number), password, pattern, etc. Implementing Something-You-Know as one of the MFA factors ensures a basic level of identity verification by requiring users to provide unique information associated with their accounts. It is a crucial factor in the principle of “Something-You-Know, Something-You-Have, and Something-You-Are,” contributing to a comprehensive and effective multi-layered security strategy. Implementation guidance Developers should adopt the following guidelines in creating strong and secure passwords:
· Ensure a minimum password length of 12 characters or more. · Include a mix of uppercase and lowercase letters, numbers, and special characters limited to
~`! @#$%^&*()_-+=:;,.? Developers should also recognise and avoid common pitfalls in password creation:
· Avoid using guessable words, phrases, or combinations. · Refrain from incorporating personal details. · Steer clear of sequential characters (e.g., “123456”) or repeated characters (e.g., “aaaaa”). Things to note · Developers should enforce credential rotation only on organisational assets or if there is no
MFA implementation on the user end, e.g. changed yearly or as per an appropriate timeframe. · This security control is referenced in other standards. Please refer to the documentation(s)
provided in: o MAS Technology Risk Management Guidelines (2021), pg. 34. o ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
13

AUTHN-BP01b Control The app implements Something-You-Have authentication as one of the MFA factors. Description Something-You-Have requires users to authenticate with a physical device, app, or token that generates authentication credentials, which may include time-based One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP. Implementing Something-You-Have as one of the MFA factors adds complexity to the authentication process by requiring the possession of a tangible element, significantly reducing the likelihood of unauthorised access. It is a crucial factor in the principle of ” Something-You-Know, Something-YouHave, and Something-You-Are,” contributing to a comprehensive and effective multi-layered security strategy. Implementation guidance Developers should use a time-based OTP for software tokens, hardware tokens and SMS OTP. The following guidelines should be followed:
· An OTP should only be valid for not more than 30s. · An OTP that is incorrectly input after 3 attempts should be invalidated, and the user’s session
should be revoked or rejected. Things to note
· This security control is referenced in other standards. Please refer to the documentation(s) provided in: o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56-57. o MAS Technology Risk Management Guidelines (2021), pg. 50, 51. o ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
14

AUTHN-BP01c
Control The app implements Something-You-Are authentication as one of the MFA factors.
Description Something-You-Are requires users to authenticate with biometric identifiers such as fingerprints, retina scans, or facial recognition. Implementing Something-You-Are as one of the MFA factors adds a highly personalised and difficultto-replicate authentication factor. It provides a more robust means of verifying user identity than Something-You-Know and Something-You-Have factors, reducing the risk of unauthorised access. It is a crucial factor in the principle of ” Something-You-Know, Something-You-Have, and Something-YouAre,” contributing to a comprehensive and effective multi- layered security strategy. Implementation guidance Developers should implement server-side biometric authentication using a trusted biometric identification platform like Singpass. However, if it is not feasible, developers should implement client-side biometric authentication through the device’s Trusted Execution Environments (TEEs) mechanisms such as CryptoObject and Android Protected Confirmation for Android or Keychain services for iOS. Things to note
· Developers should limit apps’ functionalities on devices lacking hardware Trusted Executed Environment (TEE) or biometrics. For example, Android devices lacking TEE can be detected using the “isInsideSecureHardware” Android API.
· Developers should invalidate biometric authentication if changes occur in the biometric mechanism, like enrolling a new fingerprint on the device. Both iOS and Android platforms support setting an app crypto key to expire in response to such changes.
· This security control is referenced in other standards. Please refer to the documentation(s) provided in: o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 227233, 422-426. o MAS Technology Risk Management Guidelines (2021), pg. 51. o ENISA Smartphone Secure Development Guidelines (2016), pg. 11, 26.
15

AUTHN-BP02
Control The app uses context-based factors to authenticate. Description Context-based factors introduce dynamic elements such as user location and device attributes. While MFA provides a robust layer of security by requiring multiple authentication factors, incorporating context-based factors creates a more comprehensive and adaptive authentication process that can offer additional benefits in addressing the evolving risks of unauthorised access. Implementing context-based factors minimises the reliance on static credentials, making it more challenging for malicious actors to attempt unauthorised access. Implementation guidance Developers should consider the following contextual factors to verify the identity of a user:
· Geolocation: Allow access based on the real-world location of a device using GPS, Wi-Fi, or IP address geolocation.
· Device Type: Allow access based on the characteristics of a device. e.g. screen size can determine if a device is a smartphone or tablet.
Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56, 58. · ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
16

AUTHN-BP03
Control The app implements secure session authentication. Description Secure session authentication ensures robust session management for both stateful and stateless authentication. Poorly managed sessions, irrespective of whether the app follows stateful4 or stateless5 authentication methods, can lead to security threats such as unauthorised access, session hijacking, or data breaches. Implementing secure session authentication for stateful sessions employs secure session identifiers, encrypted communication and proper timeouts to prevent unauthorised access. For stateless authentication, it ensures that tokens are tamper-resistant, maintaining authentication integrity without relying on server-side storage. Implementation guidance Developers should implement secure session authentication by adopting the following best practices for stateful (AUTHN-BP03a) and stateless (AUTHN-BP03b) authentication methods for sessions. Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 51-55. · MAS Technology Risk Management Guidelines (2021), pg. 51. · ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
4 Stateful authentication refers to the management of session states on the server side, typically requiring the use of session identifiers. 5 Stateless authentication refers to the management of sessions without storing user- related information on the server side.
17

AUTHN-BP03a Control The app implements secure stateful authentication. Description Secure stateful authentication involves protecting and maintaining persistent sessions. While stateful authentication provides a seamless user experience through persistent user sessions, it can be vulnerable to various security threats, such as malicious actors attempting to steal session identifiers. Implementing secure stateful authentication protects user accounts from unauthorised access and potential vulnerabilities associated with session management without compromising the balance between usability and security. Implementation guidance Developers should identify server-side endpoints that exposes sensitive information or critical functionalities. Developers should also adopt the following stateful session authentication best practices:
· Reject requests with missing or invalid session IDs or tokens. · Generate Session IDs randomly on the server side without appending them to URLs. · Enhance Session IDs security with proper length and entropy, making guessing difficult. · Exchange Session IDs only over secure HTTPS connections. · Avoid storing session IDs in persistent storage. · Verify sessions IDs for user access to privileged app elements. · Terminate sessions on the server side, deleting session information upon timeout or logout. Things to note If in doubt, consider using trusted authentication platforms and protocols. This security control is referenced in other standards. Please refer to the documentation(s) provided in: · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 52.
18

AUTHN-BP03b Control The app implements secure stateless authentication. Description Secure stateless authentication involves secure token practices for effective and scalable authentication. While stateless authentication provides benefits, it can be more vulnerable to security threats such as user impersonation if tokens are not securely generated, transmitted and stored. Implementing secure stateless authentication ensures that each authentication token is securely handled while reaping the benefits of efficiency and scalability, reducing the risk of unauthorised access. Implementation guidance Developers should adopt the following stateless session authentication best practices:
· Generate tokens on the server side without appending them to URLs. · Enhance tokens security with proper length and entropy, making guessing difficult. · Exchange tokens only over secure HTTPS connections. · Verify that no sensitive data, such as PII, is embedded in tokens. · Avoid storing tokens in persistent storage. · Verify tokens for user access to privileged app elements. · Terminate tokens on the server side, deleting tokens information upon timeout or logout. · Cryptographically sign tokens using a secure algorithm, avoiding the use of null algorithms. Things to note · If in doubt, consider using trusted authentication platforms and protocols. · This security control is referenced in other standards. Please refer to the documentation(s)
provided in: o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 52-53.
19

AUTHN-BP04
Control The app implements secure session termination during logout, inactivity or app closure. Description Secure session termination ensures the effective closure of user sessions. In scenarios such as logout, inactivity, or app closure scenarios, there is a potential for malicious actors to exploit any lingering access points if sessions are not appropriately managed. Implementing secure session termination during logout, inactivity or app closure can significantly reduce the risk of unauthorised access by automatically terminating user sessions and safeguarding user information from being accessed by unauthorised parties. Implementation guidance Developers should reauthenticate users after logging out, app inactivity, idleness, backgrounding, absolute session timeouts, or abrupt/force closure. Developers should also generate new session identifiers on the server whenever users move up to a new authentication level to prevent session fixation. Things to note
· Developers should ensure that session termination includes clearing or deauthorising all locally stored tokens or session identifiers.
· Developers should determine the idle timeout value based on the risk and nature of financial services.
· This security control is referenced in other standards. Please refer to the documentation(s) provided in: o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 55-56, 58. o MAS Technology Risk Management Guidelines (2021), pg. 51. o ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
20

AUTHN-BP05
Control The app implements brute force protection for authentication. Description Brute force attacks involve automated and systematic attempts to guess user credentials, for example, by trying various combinations of usernames and passwords to gain unauthorised access. Brute force protection restricts the number of login attempts within a specified period. Implementing brute force protection for authentication can significantly mitigate the risk of unauthorised access, protect user accounts and maintain the integrity of the authentication process. Implementation guidance Developers should implement brute force mechanisms through the following best practices:
· Implement anti-automation checks. · Apply rate limiting for login attempts. · Incorporate progressive incremental time delays (e.g. 30 seconds, 1 minute, 2 minutes, 5
minutes) for login attempts. · Enforce account lockouts. Things to note · Developers should note that all MFA mechanisms are vulnerable to brute force. · Developers should convey the reasons for the account lockout and provide accessible means
for users to authenticate themselves and remove the lockout. Examples include calling a helpline or utilising biometric verification. · This security control is referenced in other standards. Please refer to the documentation(s) provided in:
o ENISA Smartphone Secure Development Guidelines (2016), pg. 10, 16.
21

AUTHN-BP06
Control The app implements transaction integrity verification mechanism. Description While authentication ensures the user’s identity, it does not eliminate the possibility of fraudulent activities during the transaction process. Transaction integrity verification mechanisms are auxiliary security functions that give users the time and tools to react to potential frauds. Implementing a transaction integrity verification mechanism ensures that each transaction undergoes thorough scrutiny to confirm its accuracy and authenticity. Implementation guidance Developers can implement the following suggested best practices:
· Initiate a transaction verification/confirmation call. · Provide a real-time transaction history. · Implement a cooldown period of 12 hours to 24 hours. · Disable overseas transactions by default; enable only through MFA. Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in: · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 57-58.
22

23

2. Authorisation

Introduction
Authorisation security operates in conjunction with authentication security. Authorisation security in mobile apps is a crucial line of defence as it delineates who can access what resources within an app. It creates systematic controls and validates user access rights within an app.
Developers can ensure that only authorised users, clients, apps, and devices can access specific resources or perform certain actions by implementing strong authorisation controls and authorisation setups. Through authorisation controls, developers can also mitigate the risk of unauthorised data access, maintain the integrity of sensitive data, uphold user privacy and protect the integrity of highrisk transaction functionalities. Although the enforcement of these mechanisms must be on the remote endpoint, it is equally important for the client-side app to follow relevant best practices to ensure the secure use of the involved authorisation protocols.
The controls in this category provides authorisation security controls that the app should implement to safeguard sensitive data and prevent unauthorised access. It also gives developers relevant best practices on how to implement these security controls.
Security controls

ID

Control

AUTHOR-BP01 Implement server-side authorisation.

AUTHOR-BP02 Implement client-side authorisation via device binding.

AUTHOR-BP03 Notify users of all required permissions before they start using the app.

AUTHOR-BP04

Notify users for all high-risk transactions that has been authorised and completed.

24

AUTHOR-BP01
Control The app implements server-side authorisation. Description Server-side authorisation refers to validating and granting access permissions to users or apps by a server or an authorisation server. This ensures that access control decisions and permissions are managed and enforced on the server-side rather than the client. By implementing server-side authorisation, developers reduce opportunities for malicious attackers to tamper or bypass security measures on the app to gain unauthorised access to sensitive data (i.e. PIIs and Authentication data). Implementation guidance Developers should implement server-side authorisation after successful authentication, before granting access permissions. Developers should ensure that users are granted access based on the following:
· Assigned role with permissions: Ensure that users can only perform tasks relevant to their responsibilities.
· Contextual factors: Dynamic access scenarios such as Time of Access and Behavioural Analysis.
Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 50-55, 58. · PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10. · ENISA Smartphone Secure Development Guidelines (2016), pg. 10-11.
25

AUTHOR-BP02
Control The app implements client-side authorisation via device binding.
Description
Client-side authorisation is the process of managing access permissions within a mobile app. This is risky as relying on the client-side can expose apps to vulnerabilities such as unauthorised access and potential fraud.
If an app’s business functions (e.g., instantiating software tokens) require client-side authorisations, device binding (a security practice that associates authorisations to access privileges on a particular device) is recommended. By implementing device binding, apps can verify device identity and establish trust. This reduces the risks associated with unauthorised access and maintains a secure, trusted path between devices, apps, and servers.
Implementation guidance
Developers should establish binding between apps and the device when a user’s identity is used for the first time on an unregistered mobile device.
Developers should also verify that apps:
· Check for modifications to the device since the last runtime. · Check for modifications to the device identity markers. · Check that the device running the app is in a secure state (e.g. no jailbreaking or rooting). The above are just some examples of best-practice techniques used by the industry. As the ecosystem of mobile devices evolves, these techniques may become out of date. As such, developers should keep abreast of the latest industry best practices to verify device bindings. Things to note
To verify device on Android devices, developers can:
· Obtain unique identifiers like IMEI or Android ID. · Retrieve build information. · Leverage native OS API features, such as Google’s SafetyNet.
To verify device on iOS devices, developers can:
· Leverage native OS services, such as Apple’s device ID via UIDevice.
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 316-317, 516. · MAS Technology Risk Management Guidelines (2021), pg. 51, 56.
26

AUTHOR-BP03
Control The app notifies users of all required permissions before they start using the app. Description Required permissions are specific rights and capabilities that the app requests from the mobile device. These permissions define what resources or functionalities the app can access on users’ devices. Some examples include, but are not limited to, camera, microphone, location, etc. By implementing proper notifications that inform the users of what permissions are being requested, developers can prevent users from unknowingly granting excessive permissions, which may allow malicious actors to exploit vulnerabilities and steal sensitive data (i.e. PIIs and Authentication Data). Such notifications will also allow users to make informed decisions about the apps they install. Implementation guidance Developers should use In-App (In- App) alerts to request users for access permission. Developers should also ensure that Notifications/Alerts do not display sensitive data. Things to note Developers should only request essential permissions for the app’s functionality. This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56, 58. · ENISA Smartphone Secure Development Guidelines (2016), pg. 8, 18, 28. · Apple Developer Guide on Privacy, https://developer.apple.com/design /human-interface-
guidelines/privacy (Jan 2024). · Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-
security (Jan 2024).
27

AUTHOR-BP04
Control The app notifies users for all high-risk transactions that has been authorised and completed.
Description If an app has high-risk transaction functionalities, users should be notified immediately when a transaction has been authorised and completed. By implementing this control, developers can ensure that users are made aware immediately when high-risk transactions have been authorised and completed so that they may be able to identify potential fraudulent transactions as soon as possible.
Implementation guidance Developers should adopt the following methods to alert user:
· In-Application (In-App) alerts. · Email notifications. · Short Message Service (SMS) notifications. Developers should also ensure that Notifications/Alerts do not display sensitive data.
The above are just some examples of best-practice notification techniques used by the industry. As the ecosystem of mobile devices evolves, these techniques may become out of date. As such, developers should keep abreast of the latest industry best practices to notify users of high-risk transactions authorised and completed.
Things to note Developers should request only essential permissions for the app’s functionality.
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· MAS Technology Risk Management Guidelines (2021), pg. 52. · PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10. · ENISA Smartphone Secure Development Guidelines (2016), pg. 8. · Apple Developer Guide on Privacy, https://developer.apple.com/design/human-interface-
guidelines/privacy (Jan 2024). · Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-
security (Jan 2024).
28

29

3. Data Storage (Data-at-Rest)

Introduction
Data Storage security for data-at-rest pertains to safeguarding the integrity and confidentiality of sensitive data (i.e. PIIs and Authentication data) stored locally on the client-side device and app serverside when it is not actively being used or transmitted. This encompasses the best practices, protective measures and encryption techniques employed to secure data stored in databases, files, caches, memory, and Trusted Execution Environment (TEE) on mobile devices and similar areas in app servers.
Developers can ensure that user data is preserved and protected by implementing strong security controls for storing data at rest. Proper data- at-rest controls also ensure that the app can mitigate the risks of unauthorised access, device compromise, potential data breaches, and data leaks and fortify the app defences.
The following controls ensures that any sensitive data intentionally stored by the app is adequately protected, regardless of the target location. It also covers unintentional leaks due to improper use of APIs or system capabilities.
Security controls

ID

Control

STORAGE-BP01 Store sensitive data that is only necessary for transactions.

STORAGE-BP02 Implement secure storage of sensitive data.

STORAGE-BP02a Store sensitive data securely on server-side.

STORAGE-BP02b

Store sensitive data securely on client-side in a Trusted Execution Environment (TEE).

STORAGE-BP03 Delete sensitive data when no longer necessary.

30

STORAGE-BP01
Control The app stores sensitive data that is only necessary for transactions. Description Sensitive data is defined as user data (PIIs) and authentication data (e.g., credentials, encryption keys, etc.) Developers should only store sensitive data that is necessary for app business functions. Accumulating unnecessary information increases the impact of potential security breaches, making an app an attractive target for malicious actors. By implementing this security control, developers can ensure that exposure is limited to the data required for specific business functions, minimising the impact in the event of unauthorised access or data breaches. Implementation guidance Developers should classify data being used by the app based on an organisation’s sensitivity levels and based on legal law requirements. Developers should adopt the following guidelines to secure data that are classified as sensitive:
1. Implement a secure storage solution based on its sensitivity on the client-side/server-side. 2. Apply data protection measures (e.g. tokenising, hashing with salt, encrypting) 3. Delete sensitive data when no longer necessary. Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in: · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190, 398. · MAS Technology Risk Management Guidelines (2021), pg. 9-10, 36, 38. · ENISA Smartphone Secure Development Guidelines (2016), pg. 6.
31

STORAGE-BP02
Control The app implements secure storage of sensitive data. Description Secure storage for mobile apps refers to implementing techniques and practices to protect sensitive data stored on mobile devices and app servers from unauthorised access, theft or tampering. This involves best practices such as encryption, hashing, tokenisation, and proper access controls. By implementing secure storage, developers can mitigate against unauthorised access, device compromise, potential data breaches and data leaks. Implementation guidance Developers should implement a secure storage solution that commensurate with the sensitivity of data. Developers should also prioritise the following order for secure storage solution (from the most sensitive data to the least sensitive data):
1. Server-side (all sensitive data should be stored on the server-side). 2. Client-side within the Trusted Execution Environment (in the case where server-side is not
possible, store all sensitive data in the client-side TEE). Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 17-18. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190-203, 398-
406. · ENISA Smartphone Secure Development Guidelines (2016), pg. 06-07.
32

STORAGE-BP02a
Control
The app stores sensitive data securely on server-side.
Description
Storing sensitive data on the server-side refers to storing data on remote app servers or databases. Such an approach creates a better environment to protect data from unauthorised access or breaches, enabling more secured access control, options to implement better security measures such as more complex encryptions and provisions of quicker security updates.
By implementing server-side storage of sensitive data, developers can mitigate against the inherent risks of client-side data storage, as client-side storage is inherently more susceptible to data storage exploitation techniques commonly used by malicious actors in mobile scams.
Implementation guidance
Developers should apply at least 1 of the following data protection measures:
1. For passwords only, developers can use hashing with salt6. Instead of storing actual passwords, unique salts are generated and combined with passwords, creating salted hashes.
2. Developers can encrypt7 sensitive data with encryption standards such as AES-128. 3. Developers can implement tokenisation8 with self-managed tokenisation or a tokenisation
service, replacing sensitive data with tokens where possible. In addition, developers should ensure tokenisation is of sufficient length and complexity (backed by secure cryptography) based on the data sensitivity and business needs.
The above are just some examples of best practices used by the industry. As the ecosystem of mobile devices evolves, these best practices may become out of date. As such, developers should abreast of the latest industry best practices to store sensitive data securely on the server-side.
Things to note
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 71-77, 219-227,
416-421. · MAS Technology Risk Management Guidelines (2021), pg. 30, 36-37, 39. · PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 9. · ENISA Smartphone Secure Development Guidelines (2016), pg. 6-9.
6 Hashing with salt is used to add an extra layer of security by making it computationally intensive for attackers to decipher original sensitive data. In the context of password storage or key derivation, developers should utilise one-way key derivation functions or slow hash algorithms, such as PBKDF2, bcrypt, or scrypt. 7 Encryption is used to transform data into an unreadable format, ensuring that even if accessed without authorisation, sensitive data remains confidential. 8 Tokenisation is used to substitute sensitive data with tokens to minimise the risk of sensitive data exposure.
33

STORAGE-BP02b
Control
The app stores sensitive data securely on client-side in a Trusted Execution Environment (TEE).
Description
The Trusted Execution Environment (TEE) is an isolated area within a mobile device’s hardware or processor architecture that provides a highly secure environment for storing sensitive data and executing sensitive or critical operations. It is designed to protect sensitive data, cryptographic keys and critical processes from unauthorised access or tampering. If an app’s business functions require storage of sensitive data on the client-side, it is recommended to store it in the device’s TEE.
By implementing proper storage of sensitive data in the client-side TEE, developers can mitigate against threats originating from within a compromised device and from external malicious actors. Such storage can also mitigate against unauthorised access to user’s sensitive data on an app and prevent any encryption keys from being stolen.
Implementation guidance
Developers should store sensitive data securely on client-side in a Trusted Execution Environment (TEE) such as Android’s ARM’s TrustZone, Apple’s Secure Enclave.
Developers should also store minimally the following list of sensitive data in a TEE:
· Biometric identifiers. · Authentication tokens. · Cryptographic keys in a secure key management system such as Android Keystore, iOS
Keychain.
The above are just some examples of what sensitive data developers should store in the TEE. As the ecosystem of mobile devices evolves, developers should exercise the freedom to store any data they deem necessary to be stored in the TEE.
Things to note
For devices without hardware TEEs, developers may consider the usage of virtualised TEEs.
Alternatively, developers can consider disabling the app or disabling high- risk transaction functions of the app, as the app is deemed as insecure for high-risk transactions.
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 75, 93, 194-200. · MAS Technology Risk Management Guidelines (2021), pg. 51. · PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 07-09, 14. · ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
34

STORAGE-BP03
Control
The app deletes sensitive data when no longer necessary.
Description
Deleting sensitive data refers to the process of permanently removing or erasing confidential, private or sensitive data from storage devices, servers or databases. This process ensures that sensitive data is irrecoverably removed and cannot be accessed, retrieved, accidentally exposed, or reconstructed by unauthorised individuals or through data recovery methods.
By implementing this process, developers can minimise the window in which attackers can exploit vulnerabilities to steal sensitive data.
Implementation guidance
Developers should use the following persistent storage security techniques:
· Clear stored cookies on app termination or use in-memory cookie storage. · Remove all sensitive data on app uninstallation. · Manually remove all database files that contain sensitive data (e.g., iOS WebView caches) from
the file system when related business functions cease to exist.
The above are just some examples of best practices used by the industry. As the ecosystem of mobile devices evolves, these techniques may become out of date. As such, developers should abreast of the latest industry best practices to delete sensitive data when no longer necessary.
Things to note
Developers should be mindful of adhering to widely accepted standards and relevant data retention law including but not limited to:
· Personal Data Protection Act (PDPA) · General Data Protection Regulation (GDPR) · The Payment Card Industry Data Security Standard (PCI DSS)
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 199, 206-214, 403-414.
· MAS Technology Risk Management Guidelines (2021), pg. 39. · ENISA Smartphone Secure Development Guidelines (2016), pg. 07, 09-10.
35

36

4. Anti-Tampering & Anti-Reversing

Introduction
Anti-Tampering and Anti-Reversing security controls are additional measures that developers can implement to counteract attacks attempting to tamper or reverse engineer apps. By implementing both features, developers add multiple layers of defences to apps, making it more difficult for malicious actors to successfully tamper or reverse engineer apps, which could result in:
· The theft or compromise of valuable business assets such as proprietary algorithms, trade secrets, or sensitive data,
· Financial losses of users who utilise the app for high-risk transactions, · Financial losses of organisations due to loss of revenue or legal action, · Damage on brand reputation due to negative publicity or customer dissatisfaction

The controls ensures that apps run on trusted platforms, prevent tampering at runtime and ensure the integrity of the apps’ functionalities. In addition, the controls impede comprehension by making it difficult for attackers to figure out how the apps operate.
Security controls

ID

Control

RESILIENCE-BP01 Sign with certificates from official app stores.

RESILIENCE-BP02 Implement jailbreak/root detection. RESILIENCE-BP03 Implement emulator detection.

RESILIENCE-BP04 Implement anti-malware detection.

RESILIENCE-BP05 Implement anti-hooking mechanisms.

RESILIENCE-BP06 Implement overlay, remote viewing, and screenshot countermeasures.

RESILIENCE-BP07

Implement anti-keystroke capturing or anti-keylogger against third-party virtual keyboards.

37

RESILIENCE-BP01
Control
The app is code signed with certificates from official app stores.
Description
Apps are often spoofed by malicious actors and distributed via less strictly regulated channels. Signing an app with certificates provided by official app stores assures the mobile OS and users that the mobile app is from a verified source.
Implementing code signing helps operating systems determine whether to allow software to run or install based on the signatures or certificates used to sign the code. This helps prevent the installation and execution of potentially harmful apps. In addition, code signing also assists with integrity verification, as signatures will change if the app has been tampered with.
Implementation guidance
Developers should code sign their apps with certificates. This section provides examples of how to do this via the two most popular platforms iOS and Android.
For Apple’s App Store, it can be done by enrolling in the Apple Developer Programme and creating a certificate signing request in the developer portal. Developers can register for the Apple Developer Programme and can reference the following developer guide for code signing under things to note.
For Android, there are variety of App stores. For Google’s Play Store, it can be done by configuring Play App Signing which is requirement for distribution through Google’s Play Store. For more information on how to do so developers can visit the Android developer guide under things to note.
For other official stores, refer to their respective developer guidelines on app source code signing. Things to note This security control is also a requirement for publishing apps on official app stores, as such, the recommendation is for your app to be code signed with certificates from official app stores. This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· Apple Developer Programme Guide for Code Signing, https://developer.apple.com/support/code-signing (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality /privacy-andsecurity (Jan 2024).
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 325-326, 522523.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 21.
38

RESILIENCE-BP02
Control
The app implements jailbreak or root detection.
Description
Rooted and jailbroken devices are generally considered insecure. Rooted or jailbroken devices allow users to gain elevated privileges, enabling easier circumvention of security and OS limitations. Such elevated privileges can be unsafe for apps as these privileges allow malicious actors to potentially exploit vulnerabilities, steal credentials, take over user devices and execute fraudulent app transactions.
By implementing jailbreak or root detection, developers can prevent the abovementioned exploits from happening, protect apps’ intellectual property, ensure the stability of apps and prevent the bypass of in-app systems.
Implementation guidance
Developers should implement jailbreak or root detection by implementing the following checks in their app for Android devices:
1. Check for superuser or SU binary. 2. Detect root file system changes. 3. Look for rooted apps. 4. Check for custom recovery. 5. Check for unsafe API usage.
Developers should implement jailbreak or root detection by implementing the following checks in their app for iOS devices:
1. Detect the use of restricted APIs. 2. Look for jailbreak tweaks like mods. 3. Look for unofficial app stores, e.g., check for Cydia App Store signature. 4. Look for kernel modifications. 5. Check for integrity of the critical file systems. 6. Use 3rd-party libraries designed to detect device tampering.
The above are just some examples of best-practice checks used by the industry. As the ecosystem of mobile devices evolves, these checks may become out of date. As such, developers should abreast of the latest industry best practices to implement jailbreak or root detection.
39

Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 319-320, 5069,
518-519. · MAS Technology Risk Management Guidelines (2021), pg. 50. · ENISA Smartphone Secure Development Guidelines (2016), pg. 11, 23.
9 https://github.com/crazykid95/Backup-Mobile-Security-Report/blob/master /Jailbreak-Root-DetectionEvasion-Study-on-iOS-and-Android.pdf
40

RESILIENCE-BP03
Control
The app implements emulator detection.
Description
Emulators are software used to test mobile apps by allowing a user to test a mobile app on a variety of mimicked mobile versions and devices. Although useful for testing, apps should not allow themselves to be mounted on emulators outside of the development environment.
By implementing emulation detection, developers can prevent malicious actors from running dynamic analysis, rooting, debugging, instrumentation, hooking, and fuzz testing on an emulated device they can control. In doing so, developers can prevent malicious actors from discovering vulnerabilities within the app for exploitation.
Implementation guidance
Developers should implement the following detection strategy to identify features for commonly used emulation solutions. Some recommendations of things to check for are:
· Check battery usage. · Check timestamps and clocks. · Check multi-touch behaviours. · Check memory and performance analysis. · Perform network checks. · Check whether it is hardware-based. · Check what is the OS based on. · Check for device fingerprints. · Check build configurations. · Check for emulator services and apps.
The above are just some examples of best-practice checks used by the industry. As the ecosystem of mobile devices evolves, these checks may become out of date. As such, developers should abreast of the latest industry best practices to implement emulator detection. Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31-32. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 325, 521.
41

RESILIENCE-BP04
Control
The app implements anti-malware detection.
Description
Malware apps are increasingly used by malicious actors as a vector to compromise users’ mobile devices as such devices provide users with the convenience needed to perform day-to-day transactions. Malware apps primarily utilise sideloading features as a channel to get users to install malware on their devices.
By implementing anti-malware detection capabilities on an app at runtime, developers can prevent users from being exploited via malware exploiting app vulnerabilities and OS vulnerabilities, stealing credentials, taking over the device, and executing fraudulent transactions.
Implementation guidance
Developers should implement anti-malware detection capabilities in their apps. This can be done in a variety of ways, but are not limited to:
· Incorporate a Runtime-Application-Self-Protection (RASP) Software Development Kit (SDK) into their apps.
· Utilise RASP SDKs to check and detect for malware apps at runtime. · Check for and prevent overlays. · Prevent clickjacking. · Prevent app memory hooking.
The above are just some examples of best-practice checks used by the industry. As the ecosystem of mobile devices evolves, these checks may become out of date. As such, developers should abreast of the latest industry best practices to implement anti-malware detection.
Things to note
If the any form of maliciousness is detected, developers should disable the app and provide the user with the necessary information on why the app has been disabled and urge the user to uninstall the malicious app(s) on their device.
Alternatively, developers should warn the user, and disable high-risk functions on the app until the user remediates the malicious app(s). This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31. · MAS Technology Risk Management Guidelines (2021), pg. 40, 49. · ENISA Smartphone Secure Development Guidelines (2016), pg. 23.
42

RESILIENCE-BP05
Control
The app implements anti-hooking mechanisms.
Description
Hooking refers to a technique used by attackers to intercept or modify the behaviour of a mobile app at runtime. This involves inserting or hooking into the execution flow of an app to either monitor its activities, alter its behaviour, inject malicious code or modify existing code functions to exploit vulnerabilities.
By implementing anti-hooking mechanisms on apps, developers can prevent the above attacks from happening and prevent unauthorised access, protect high- risk transaction operations, detect and prevent tampering and modification attempts, preserve intellectual property and maintain app reliability.
Implementation guidance
Developers should implement the following example mechanisms to mitigate against hooking attacks:
· Implement protections to block code injections. · Implement protections to prevent method hooking by preventing modifications to the app
source code (both on the client and server). · Implement protections to prevent the execution of modified codes in your app. · Implement protections to prevent memory access and memory manipulation for your app. · Implement tamper resistant algorithms or anti-tampering SDKs (commonly known as
Runtime-Application-Self-Protection SDKs). · Check for insecure parameters such as obsolete APIs and parameters.
The above are just some examples of best-practice checks used by the industry. As the ecosystem of mobile devices evolves, these checks may become out of date. As such, developers should abreast of the latest industry best practices to implement anti-hooking mechanisms. Things to note This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 135-140, 189,
318-319, 339-340, 390, 520. · MAS Technology Risk Management Guidelines (2021), pg. 56. · ENISA Smartphone Secure Development Guidelines (2016), pg. 23, 26.
43

RESILIENCE-BP06
Control
The app implements overlay, remote viewing, and screenshot countermeasures.
Description
Sensitive information can be captured or recorded without the user’s explicit consent when an app has screen recording, screenshot or overlay functionalities. For example:
· Overlay attacks deceive users by creating a fake layer mimicking trusted apps, aiming to steal sensitive data.
· Remote viewing attacks involve unauthorised access to a device’s screen, allowing attackers to harvest sensitive data remotely.
· Screenshot attacks occur when malicious actors capture a device’s screen without user consent, extracting sensitive data.
Implementing overlay, remote viewing and screenshot countermeasures can ensure that sensitive information remains secure, user privacy is upheld and sensitive data is protected against the inadvertent loss or misuse.
Implementation guidance
Developers should implement anti-tampering and anti-malware checks via RASP SDKs to prevent malicious apps from utilising overlays, and remote viewing exploits.
For screenshots, developers can utilise the FLAG_SECURE flag for Android apps and similar flags for iOS to block out all screenshot capabilities when using the app. However, suppose business functions require screenshot capabilities (e.g. Taking a screenshot of a completed PayNow transaction). In that case, the recommendation is to disable screenshot capabilities for screens or pages that include sensitive data (PII and Authentication Data).
Developers can also consider masking input with sensitive data and sensor screens when app is backgrounded.
Things to note
Some examples of where to disable these screenshot capabilities include but are not limited to: Login pages, Multi-Factor Authentication pages, Security Credentials, and PII changing pages, etc.
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 166-168, 257,
259, 265-267, 366, 480-481. · MAS Technology Risk Management Guidelines (2021), pg. 56. · ENISA Smartphone Secure Development Guidelines (2016), pg. 8.
44

RESILIENCE-BP07
Control
The app implements anti-keystroke capturing or anti-keylogger against third- party virtual keyboards.
Description
Keystroke capturing and keylogging are methods malicious actors utilise to monitor, log, and record the keys pressed on a keyboard without the user’s knowledge and consent. This allows logging and capturing of potentially sensitive data (i.e. PII and authentication Data).
By implementing keystroke and keylogging countermeasures, developers can prevent the unnecessary loss of sensitive data. More specifically, this control is targeting Android devices, as the native keyboard of Android devices can be changed. Such changes can expose apps to security vulnerabilities as the trusted path between keyboard inputs and apps have untrusted parties between them.
Implementation guidance
Developers should not allow insecure third-party virtual keyboards to be used for inputs that may contain sensitive data. Secure in-app custom keyboard is preferred for such inputs.
By implementing an in-app keyboard, developers can control where the logging data goes and mitigate against the risk of insecure third-party virtual keyboards acting as keyloggers to capture keystrokes.
Along with using in-app keyboards, developers should implement the following suggestions for inputs that require sensitive data (i.e. PII and Authentication Data): Disable autocorrect, autofill, autosuggestion, cut, copy, and paste for functions/or apps that contain sensitive data.
Things to note Some examples of functions that should utilize in-app keyboards include but are not limited to logging in, entering an OTP, or other verification factors, etc.
This security control and best practice primarily targets Android devices. The main goal is to ensure the security of the trusted path. Since Android does not provide a method by which to enforce the usage of native/trusted keyboards, developers should implement an in-app keyboard to ensure insecure third-party virtual keyboards do not log information.
Implementing a secure in-app keyboard does not mitigate the risks associated with a compromised device.
This security control is referenced in other standards. Please refer to the documentation(s) provided in:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 31. · OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 203, 214-215,
257, 259, 400, 414-415. · MAS Technology Risk Management Guidelines (2021), pg. 56. · ENISA Smartphone Secure Development Guidelines (2016), pg. 08, 23.
45

References

S/N 1
2
3
4
5
6 7

Document OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 MAS Technology Risk Management Guidelines, PCI Mobile Payment Acceptance Security Guidelines v2.0.0 ENISA Smartphone Secure Development Guidelines Android Developers Apple Developer Documentation

Source OWASP
OWASP
MAS
PCI-DSS
ENISA
Android Apple

Dated 2023
2023
2021
2017
2016
2024 2024

46

References

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>

Related Manuals