The Cyber Security Agency of Singapore (CSA) published the “Safe App Standard 2.0” (“SAS 2.0”) today, which is an updated version of the first SAS published in January 2024. SAS 2.0 aims to strengthen the overall security posture of mobile apps deployed in Singapore, and better safeguard app transactions and user data.
2. SAS 2.0 continues to focus on high-risk apps with transactions that could result in significant financial losses. These high-risk transactions allow for modifications to financial functions, including the registration of third-party payee information and increase of fund transfer limits. It will introduce four new key areas, namely, network communication, cryptography, code quality and exploit mitigations, as well as platform interactions. These enhancements are essential in providing app developers and owners with comprehensive guidelines to fortify the security of their mobile apps. The four new areas are:
i. Network Communication – Data transmitted by apps for various functions can be intercepted by attackers aiming to steal or alter sensitive information. Network communication controls protect data communicated between the app and servers from electronic eavesdropping or alteration by encrypting it with secure protocols and making sure data is sent only to trusted servers.
ii. Cryptography – Sensitive data handled on mobile devices is vulnerable to breaches, particularly when weak cryptographic algorithms are used. Cryptography controls provide an additional layer of protection to ensure the confidentiality and integrity of data by using strong cryptographic algorithms in encryption and digital signatures, and by securely managing cryptographic keys to minimise the risk of compromise.
iii. Code Quality and Exploit Mitigation – Open-source software libraries and developer code can introduce vulnerabilities into the app if not properly reviewed and tested before use. Code quality and exploit mitigation controls can help to detect and mitigate software vulnerabilities and common coding bugs. Developers should ensure that the app’s software and code are updated and adhere to secure coding practices.
iv. Platform Interactions – Interactions between the app and the operating system can be exploited by attackers to inject malicious code or extract data. Platform interaction controls ensure that developers implement security measures for operating system features such as keyboards and in-app links which lead to webpages.
3. These are additions to the four key areas covered previously in the first version of the SAS, which are:
v. Authentication – User accounts provide access to sensitive data, making them prime targets for attackers who steal credentials to gain unauthorised access. Authentication controls are essential to validate user identity and ensure legitimate access, by employing multiple authentication factors, such as biometrics and cryptographic tokens, and securing user sessions.
vi. Authorisation – Apps use permissions to manage user access to resources, features, and data, and users can grant the app permissions to use certain functions on their devices. Attackers can manipulate poorly configured permissions to gain unauthorised access or perform actions without consent. Authorisation controls validate access rights to app resources and device functions by securely implementing permissions on both server- and client-sides, whilst maintaining user transparency.
vii. Data Storage – Sensitive information stored by apps is attractive to attackers aiming to exfiltrate it from devices and servers. Data storage controls safeguard sensitive data in app servers and user devices against data theft by storing only necessary data, encrypting it, and deleting the data when it is no longer needed.
viii. Anti-Tampering and Anti-Reversing – Publicly distributed apps are vulnerable to reverse engineering and tampering, which can lead to data leaks and financial losses. Anti-tampering and anti-reversing controls prevent modifications to and the compromise of the app by ensuring that it runs only on secure platforms and that attempts to tamper with the source code or runtime environment can be detected.
4. Overall, SAS 2.0 will cover security controls in eight key areas to improve mobile security. SAS 2.0 references established industry standards, including those set by the Open Web Application Security Project, the European Union Agency for Network and Information Security, the Payment Card Industry Data Security Standard, and the National Institute of Standards and Technology. It was refined and finalised following extensive consultations with a diverse range of stakeholders, such as local government agencies, financial institutions, e-commerce companies, consultancy firms, cybersecurity firms, academic institutions, and technology companies.
5. CSA strongly encourages developers of apps that are both developed and hosted in Singapore to adopt CSA’s SAS 2.0 in their app development. Adoption of this standard will fortify apps against common malware and phishing attacks. Consequently, this leads to a more secure environment for online financial transactions, which will instil greater confidence in app transactions among members of the public.
*** End ***
About the Cyber Security Agency of Singapore
Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our National Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.
CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.