NOWSECURE UNVEILS FIRST AUTOMATED OWASP MASVS V2.1 MOBILE APP SECURITY AND NEW PRIVACY TESTING

The depth and scope of NowSecure Platform testing gives customers assurance that their mobile AppSec programs meet the highest industry standard.

Singapore Safe App Standard Builds Mobile App Security & Trust

Posted by

Brendan Hann

Product Marketing Manager
As Product Marketing Manager for NowSecure, Brendan Hann focuses on equipping developers, security professionals and DevSecOps teams with best-of-breed mobile app security skills, tools and resources. His career has primarily been focused on helping organizations deliver innovative, secure applications at scale. Brendan’s track record of success with application and security teams spans NowSecure, Veracode and PayPal.

Amy Schurr

Content Marketing Director
Amy Schurr is content marketing director for NowSecure. A former B2B journalist, she has spent her career covering technology and how it enables organizations.

The Singapore Cyber Security Agency (CSA) paved the way in establishing national mobile app safety guidelines with the January 2024 introduction of the Safe App Standard. Designed in consultation with industry experts, the Safe App Standard sets a baseline of recommended security controls to ensure developers follow best practices for secure application development. The standard aims to provide peace of mind to users of high-risk apps by enhancing safety, security and protection to foster trust and resilience in the digital ecosystem.

According to the CSA, some 80% of users have installed utility mobile apps such as banking, e-commerce and transportation on their mobile devices. Targeting mobile apps developed and hosted in Singapore, which is a major global financial hub, the voluntary safe app framework aims to shield mobile apps that access financial accounts, process payments or store personal information. By applying secure coding practices and app security measures, developers can enhance the confidentiality and privacy of user data to provide assurance and a safety net in the vast digital landscape.

Building on Existing Mobile AppSec Standards

Designed in consultation with industry experts from financial services, technology companies and consulting agencies, the Safe App Standard builds on existing global cybersecurity and mobile app privacy standards such as those from the Open Web Application Security Project (OWASP), the European Union Agency for Cybersecurity (ENISA) and the Payment Card Industry Data Security Standard (PCI DSS). It also references Android and Apple developer documentation.

Aligning with defined industry standards promotes resilience and improves app risk management by providing developers with a clear roadmap for app security compliance.

Safe App Standard Requirements

Based heavily on the OWASP Mobile Application Security Verification Standard (MASVS), the Safe App Standard specifies in 46 pages the comprehensive requirements across these critical areas of app data protection:

  • Authentication: Emphasizes multi-factor authentication (MFA), secure session management and protections against brute-force attacks, ensuring reliable and secure access.
  • Authorization: Focuses on server-side authorization, device binding and user notifications to ensure secure access, enhancing app data protection and stability.
  • Data Storage: Stipulates secure storage solutions, prioritizing server-side storage and the use of Trusted Execution Environments (TEE) on mobile devices to control user access based on permissions, ensuring confidentiality and fortifying app defenses against breaches.
  • Anti-Tampering & Anti-Reversing: Includes code signing, jailbreak and root detection, emulator detection, anti-malware, anti-hooking and anti-keylogger app security measures to guard against unauthorized measures such as reverse engineering that could compromise security.

Benefits of Standards Compliance 

While the CSA security standard is currently optional, meeting the Safe App Standard demonstrates a commitment to the secure coding practices required to build high-quality, trustworthy mobile apps. While initially designed for high-risk apps, the principles are valuable for all mobile app developers around the world.

Developers have several compelling reasons to achieve compliance with the Secure App Standard:

  • Enhance Security: Following the standard’s guidelines helps developers implement robust security measures, minimizing security vulnerabilities and protecting user data in high-risk applications.
  • Gain User Trust & Confidence: By demonstrating a commitment to security and data protection, developers can build trust with users, leading to greater app adoption and user satisfaction.
  • Achieve Competitive Advantage: Showcasing compliance practices can differentiate a mobile app in an increasingly security-conscious market and attract a global audience.
  • Future-Proof Risk Management: Following best practices for mobile application security can keep developers ahead of the curve and more easily align with potential future regulations and security standards.

How NowSecure Platform Can Help

NowSecure Platform provides mobile app security testing that can help organizations meet the Singapore Safe App Standard and other security compliance requirements. NowSecure Platform conducts comprehensive automated app security assessments that enable developers to seamlessly test for critical security issues in their development workflows. 

Using SAST, DAST, IAST, and API security testing, NowSecure Platform can uncover security issues in the authentication, authorization and data storage areas of the standard. Teams can also use the NowSecure Platform Policy Engine to identify findings that have implications for the Singapore Safe App Standard and build a custom policy to reinforce the parts of the standard important to the organization’s risk profile, filtering results of the app vulnerability assessment to only those relevant to them. By leveraging NowSecure Platform, development and security teams can also validate the implementation of multi-factor authentication and secure authorization processes, and ensure that data at rest is properly encrypted and not stored locally on a device, all of which are crucial for complying with regional cybersecurity frameworks and safeguarding mobile transactions.

NowSecure Platform can also help organizations ensure that anti-tampering and anti-reversing techniques have been applied to the mobile apps. This functionality is vital for protecting apps from sophisticated attacks such as code tampering and reverse engineering. Ensuring that apps have proper anti-tampering measures and resist reverse engineering efforts is essential for maintaining the integrity and confidentiality of app data. Using NowSecure and NowSecure partners, developers can ensure their applications are fortified against such vulnerabilities, upholding the high standards of mobile app security required by both industry guidelines and the Singapore Safe App Standard. 

While the Safe App Standard focuses on OWASP MASVS-AUTH, MASVS-STORAGE and MASVS-RESILIENCE, OWASP and NowSecure encourage developers and mobile application security teams to consider adopting the full OWASP MASVS for comprehensive risk management. “This holistic approach to app security ensures that apps go beyond meeting the baseline and are protected against a wider range of cyberthreats, providing robust security for end users,” says Carlos Holguera, co-chair of the OWASP Mobile Application Security Project and a NowSecure principal mobile research engineer.

NowSecure recently announced the industry’s first automated OWASP MASVS v2.1 mobile app security and privacy testing. With this announcement, NowSecure launched a new OWASP MASVS report in NowSecure Platform that empowers development and security teams to comprehensively test to the MASVS v2.1 industry standard and easily demonstrate to key stakeholders that their mobile apps uphold the highest levels of security and user privacy. 

NowSecure further supports organizations aiming to fully meet the OWASP MASVS with manual assessments, offering the only OWASP MASVS pen testing available through NowSecure Pen Testing as a Service. Our team of mobile app security and privacy experts will use advanced tooling, expertise, and the latest OWASP Mobile Application Security Testing Guide to fully interrogate mobile apps to ensure alignment with the standard and identify areas for improvement. By combining both the automated OWASP MASVS testing and the manual assessments through NowSecure PTaaS, organizations can establish a seamless, integrated workflow that meets the industry-leading standard and ensures compliance throughout rapid development and deployment cycles.

Assess Your Own Apps

Regardless of where mobile apps are developed or hosted in the world, the Singapore Safe App Standard framework provides essential guidelines to enhance data protection and maintain the security of high-risk mobile apps. By adhering to this standard and using advanced mobile application security testing tools like NowSecure Platform, developers and security teams can significantly reduce vulnerabilities, foster trust and achieve competitive advantage. Get a demo of NowSecure Platform today.