The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines are a set of best practices that financial institutions (FIs) in Singapore must follow to manage their technology risks. The TRM Guidelines were first issued in 2013 and were updated in 2021 to reflect the changing technological landscape and the growing threat of cyberattacks.
Mobile applications are a key part of the digital transformation of FIs, and they play an increasingly important role in delivering financial services to customers. However, mobile applications also pose a number of unique security risks. They are exposed to tampering, malware, data breaches, and unauthorized access, and they are frequently targeted by attackers looking to exploit vulnerabilities and steal sensitive data. This puts customer data at risk and poses a serious threat to the FI’s reputation and, eventually, its revenue.
The MAS TRM Guidelines include a number of specific requirements for mobile application security, detailed in Annex C. In this blog post, we will discuss the key requirements of the TRM Guidelines for mobile application security and provide some guidance on how FIs can comply with these requirements.
The following are some of the key requirements of the TRM Guidelines for mobile application security:
In addition to these specific requirements, the TRM Guidelines also require FIs to have a comprehensive mobile application security program in place. This program should include the following elements:
There are a number of steps that FIs can take to comply with the TRM Guidelines for mobile application security. These include:
Organizations should develop a comprehensive mobile security program that includes a risk assessment process, security policies and procedures, and a training program for employees on mobile security best practices.
Developers should implement secure coding practices by using secure coding standards and guidelines, such as the OWASP Mobile Security Project Top 10.
Developers can perform security testing on their mobile apps with tools that support static analysis and dynamic analysis, which lays the groundwork for effective penetration testing. They should test their mobile apps at every stage of the development lifecycle, from early development to pre-production. Free MAST tools like Guardsquare’s AppSweep give developers actionable recommendations for quickly and effectively addressing security issues in the app's code and dependencies.
FIs should use strong encryption to protect sensitive data stored or transmitted by their mobile apps, for example AES-256 to encrypt data at rest on the device and data in transit to APIs.
Code obfuscation is a technique that increases the complexity of a mobile app’s code and hides data, making the app harder to inspect and analyze.
Protection against dynamic analysis is provided by Runtime Application Self-Protection (RASP). Because RASP checks are injected automatically at different places in the code with every new build, any analysis and reverse-engineering effort an attacker made against a previous build is invalidated.
The MAS TRM Guidelines provide a comprehensive set of best practices for mobile application security. FIs that comply with these guidelines will be better positioned to protect their customers.
Guardsquare's DexGuard, iXGuard, and ThreatCast are a set of mobile app security products that provide comprehensive protection against reverse engineering, tampering, and hacking, as well as real-time threat monitoring.
DexGuard is a powerful obfuscator for Android apps. It protects apps by making them more difficult to decompile and comprehend while also improving their performance and size. DexGuard also includes a number of other security features, such as anti-piracy protection and runtime integrity checks.
iXGuard is a similar solution for iOS apps. It provides protection against reverse engineering and tampering and additional features such as jailbreak and debugger detection.
ThreatCast is a real-time threat-monitoring offering that works with both DexGuard and iXGuard. ThreatCast collects and analyzes data on threats to mobile apps, such as reverse engineering attempts and tampering attempts. It then provides this data to organizations in a user-friendly dashboard so they can quickly identify and respond to threats.
Guardsquare has a proven record of successfully protecting mobile financial apps across the globe. Its multilayered approach towards app protection encompasses both static and dynamic protection and is complemented by AppSweep, which can detect potential weaknesses in an app before attackers can.
Ready to protect your financial app against reverse engineering? Connect with an expert to get started.