Singapore's guidelines to bolster mobile app security are optional - for now
Singapore has released guidelines designed to help developers adopt the necessary security controls and best practices to better safeguard users against common malware and phishing attacks.
Called Safe App Standard, it offers a common benchmark that guides local developers on steps to take to enhance mobile app security, according to the Cyber Security Agency of Singapore (CSA). The move aims to boost the security posture of mobile apps in Singapore and protect user data and app transactions, the government agency said.
Also: 9 top mobile security threats and how you can avoid them
Citing figures from its 2022 Cybersecurity Awareness Survey, CSA said 80% of respondents had installed utility apps such as banking, e-commerce, and transportation apps on their mobile devices. "With increasingly prevalent mobile app usage, many users could be exposed to potential risks such as monetary loss and unauthorized access to their confidential data," it said.
The Safe App Standard is designed for apps that perform high-risk transactions, or apps that allow transactions with some or full access to the user's financial accounts. This data, if compromised, can result in significant monetary losses, the agency said, adding that such transactions involve changes to financial functions, including registration of third-party payee details and increase of fund transfer limit.
The 46-page Safe App Standard document outlines steps to take across four key areas commonly targeted by threat actors, namely, authentication, authorization, data storage, and anti-tampering and anti-reversing.
Mobile apps typically tap various forms of authentication including biometrics and multi-factor authentication code generators. Hence, it is important that such mechanisms are secure and implemented according to industry best practices, when used to validate user identity and provide legitimate access.
Also: 5 quick tips to strengthen your Android phone security today
And since authorization runs parallel with authentication security, it provides a critical line of defense for mobile apps as it determines access rights to relevant resources within the app.
Anti-tampering security controls, such as anti-malware detection and anti-keystroke capturing, also provide additional protection against malicious attempts to compromise or tamper with the mobile apps. Developers that integrate these features will make it tougher for attackers to breach the app.
The Safe App Standard was designed based on references from established industry standards, CSA said, including Open Web Application Security Project, Payment Card Industry Data Security Standard, and the European Union Agency for Network and Information Security.
It also was finetuned on consultation with various organizations, including local government agencies, financial institutions, e-commerce operators, consultancies, and technology vendors.
Also: Singapore government sees rise in security incidents amid increased data sharing
While the guidelines are not mandatory, CSA is encouraging app developers in Singapore to adopt the recommended standard to ensure their apps are secure and their users protected when performing online transactions.
The standard will help developers "design for security", including built-in malware detection capabilities, and reduce the risk of threat actors exploiting weaknesses in apps, said communications and information minister Josephine Teo.
She said the standard could be mandated in the future if it is proven to be useful.
CSA added that the standard will be updated as the threat landscape evolves.