Singapore’s Optional Guidelines for Strengthening Mobile App Security

Singapore has released guidelines designed to help developers adopt the necessary security controls and best practices to safeguard users against common malware and phishing attacks. Called the Safe App Standard, it offers a common benchmark that guides local developers on steps to take to enhance mobile app security, according to the Cyber Security Agency of Singapore (CSA). The move aims to boost the security posture of mobile apps in Singapore and protect user data and app transactions, the government agency said.

Citing figures from its 2022 Cybersecurity Awareness Survey, CSA said 80% of respondents had installed utility apps such as banking, e-commerce, and transportation apps on their mobile devices. “With increasingly prevalent mobile app usage, many users could be exposed to potential risks such as monetary loss and unauthorized access to their confidential data,” it said.

The Safe App Standard is designed for apps that perform high-risk transactions, or apps that allow transactions with some or full access to the user’s financial accounts. This data, if compromised, can result in significant monetary losses, the agency said, adding that such transactions involve changes to financial functions, including registration of third-party payee details and increases to fund transfer limits.

The 46-page Safe App Standard document outlines steps to take across four key areas commonly targeted by threat actors, namely authentication, authorization, data storage, and anti-tampering and anti-reversing. The standard was designed based on references from established industry standards, CSA said, including Open Web Application Security Project, Payment Card Industry Data Security Standard, and the European Union Agency for Network and Information Security. It was also fine-tuned in consultation with various organizations, including local government agencies, financial institutions, e-commerce operators, consultancies, and technology vendors.

While the guidelines are not mandatory, CSA is encouraging app developers in Singapore to adopt the recommended standard to ensure their apps are secure and their users are protected when performing online transactions. The standard will help developers “design for security”, including built-in malware detection capabilities, and reduce the risk of threat actors exploiting weaknesses in apps, said communications and information minister Josephine Teo. She said the standard could be mandated in the future if it is proven to be useful. CSA added that the standard will be updated as the threat landscape evolves.