CSA Publishes Recommended Standard for More Secure Transactions Made Via Mobile Applications

Published on 10 Jan 2024

1. The Cyber Security Agency of Singapore (CSA) has today published a recommended standard that will help local app developers and providers enhance mobile app security. Billed the “Safe App Standard” (the “Standard”), it provides a common benchmark and guidance to local app developers and providers on the necessary security controls and best practices to better protect their applications, and in turn their end-users, against common malware and phishing attempts [1]. Overall, the Standard will boost the security posture of mobile applications deployed in Singapore and enhance the protection of user data and app transactions.

2. According to CSA’s 2022 Cybersecurity Awareness Survey, over eight in 10 of 1,051 respondents reported installing utility applications such as banking, e-commerce and transportation applications on their mobile devices. With increasingly prevalent mobile app usage, many users could be exposed to potential risks such as monetary loss and unauthorised access to their confidential data.

3. The Safe App Standard will also be updated in view of the evolving risk landscape. The first version of the Standard published today is targeted at applications that perform high-risk transactions, defined as those that allow transactions with some or full access to users’ financial accounts and which, when compromised, can result in significant monetary losses. These transactions include changes to financial functions such as registration of third-party payee details and increases to fund transfer limits. The Standard focuses on four critical areas commonly targeted by threat actors. These are:

  • Authentication - Authentication is an essential component of many mobile applications. These applications commonly employ various forms of authentication, including biometrics, personal identification numbers, or multi-factor authentication code generators. Ensuring the authentication mechanism is secure and implemented following industry best practices is crucial to validating user identity and ensuring legitimate access.
  • Authorisation - Authorisation security operates in conjunction with authentication security. Authorisation security in mobile applications is a crucial line of defence, as it determines access rights to the relevant resources within an app. It creates systematic controls and validates user access rights within an application.
  • Data Storage (Data-at-Rest) - Data storage (Data-at-Rest) pertains to safeguarding the integrity and confidentiality of sensitive data, such as personally identifiable information, stored locally on the user’s device and on the application server when it is not actively being used or transmitted.
  • Anti-Tampering and Anti-Reversing - Anti-tampering and anti-reversing security controls, such as anti-malware detection and anti-keystroke capturing, are additional measures that developers can implement to counter malicious actors attempting to tamper with or compromise their applications. By including these features, developers make it more difficult for attackers to steal user data.

4. The Safe App Standard was developed by referencing established industry standards. These include the Open Web Application Security Project, the Payment Card Industry Data Security Standard and the European Union Agency for Network and Information Security. The Standard was finalised after consultation with various organisations, including local government agencies, financial institutions, e-commerce companies, consultancy firms and technology companies.

5. Developers of applications created and hosted in Singapore are encouraged to adopt CSA’s recommended Standard in their app development. By doing so, developers can ensure that their applications are secure and their users are protected. Members of the public can thus benefit from more secure online transactions.

*** End ***

[1] The Safe App Standard can be downloaded here.


About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our National Security, power a Digital Economy and protect our Digital Way of Life. It maintains oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.

For media clarifications

Chen Jingxuan
Assistant Director, Communications and Engagement Office
Cyber Security Agency of Singapore
Email: chen_jingxuan@csa.gov.sg

Shereen Khan
Manager, Communications and Engagement Division
Ministry of Communications and Information
