Singapore TRM Guidelines for Mobile Application Security

The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines are a set of best practices that financial institutions (FIs) in Singapore must follow to manage their technology risks. The TRM Guidelines were first issued in 2013 and were updated in 2021 to reflect the changing technological landscape and the growing threat of cyberattacks.

Mobile applications are a key part of the digital transformation of FIs, and they play an increasingly important role in delivering financial services to customers. However, mobile applications also pose a number of unique security risks. For example, mobile apps can risk tampering, malware attacks, data breaches, and unauthorized access and are often targeted by malicious attackers looking to exploit vulnerabilities and steal sensitive data. This puts the customer’s data at risk and poses a serious threat to the FI’s reputation and, eventually, its revenue.

The MAS TRM Guidelines include a number of specific requirements for mobile application security, detailed in annex C. In this blog post, we will discuss the key requirements of the TRM Guidelines for mobile application security and provide some guidance on how FIs can comply with these requirements.

Key requirements of the TRM Guidelines for mobile application security

The following are some of the key requirements of the TRM Guidelines for mobile application security:

• Data encryption: App developers must encrypt all sensitive data stored or transmitted by their mobile applications. This includes data such as customer names, addresses, social security numbers, and account information.
• Secure encryption keys: Developers must protect their private encryption keys from unauthorized access. This can be done by storing the keys in a secure location, such as a hardware security module (HSM).
• Anti-hooking and anti-tampering mechanisms: Implementing anti-hooking and anti-tampering mechanisms is essential to prevent malicious code from being injected into mobile applications, like a script which changes the behavior or allows the bypass of a security feature or check (e.g. bypassing ssl pinning, or tampering to identify secure keys or application behavior). Using code obfuscation techniques and by verifying the integrity of the application code at runtime, you can protect your apps and SDKs.
• Application integrity checks: Application integrity checks verify the authenticity and integrity of the mobile applications. This can be done by using checksums or digital signatures.
• Certificate or public key pinning: FI app developers must implement certificate or public key pinning to protect against man-in-the-middle (MITM) attacks. This involves not only verifying the identity of the server that the mobile application is communicating with but also relies on anti-tampering techniques to ensure the certificate pinning cannot be bypassed.
• Secure in-app keypad: A secure in-app keypad can help mitigate against malware that captures keystrokes. This can be done using a virtual keyboard or by encrypting the keystrokes.
• Device binding: Device binding is about ensuring the authenticity of the authentication and access by a particular application, it can prevent attacks that reuse credentials or attempt to access APIs from outside the trusted device. Relying on a unique device identifier is one way to solve this, but is increasingly difficult due to privacy concerns and restrictions from Apple/Google, an asymmetric cryptography approach as detailed in this blog post can be an alternative way.

In addition to these specific requirements, the TRM Guidelines also require FIs to have a comprehensive mobile application security program in place. This program should include the following elements:

• Risk assessment: Organizations should conduct a risk assessment to identify the security risks associated with their mobile applications. This assessment should take into account the type of data that the applications store and transmit, the platforms that they support, and the way that customers use them. Continuous security assessments on mobile applications help identify and address any vulnerabilities.
• Implement application security measures: Develop and deploy mobile applications in a secure manner. This includes using secure coding practices, performing regular security testing, and implementing secure SDLC processes.
• Incident response: Institutions should have a plan in place to respond to security incidents involving their mobile applications. This plan should include steps to contain the incident, investigate the cause of the incident, and remediate the incident.

How to comply with the TRM Guidelines for mobile application security

There are a number of steps that FIs can take to comply with the TRM Guidelines for mobile application security. These include:

• Develop a comprehensive mobile security program

  Organizations should develop a comprehensive mobile security program that includes a risk assessment process, security policies and procedures, and a training program for employees on mobile security best practices.

• Secure coding practices

  Developers should implement secure coding practices by using secure coding standards and guidelines, such as the OWASP Mobile Security Project Top 10.

• Security testing

  Developers can perform security testing on their mobile apps using protection tools supporting techniques, such as static analysis and dynamic analysis, that set organizations up for successful penetration testing. They should test their mobile apps at all development lifecycle stages, from early development to pre-production. Free MAST tools like Guardsquare’s AppSweep provide developers with actionable recommendations for quickly and effectively addressing security issues in the app's code and dependencies.

• Strong encryption

  Use of strong encryption to protect sensitive data stored or transmitted by their mobile apps is advisable. For example, the use of AES-256 encryption to encrypt data stored on mobile devices and data transmitted over APIs.

• Code obfuscation

  Code obfuscation is a specific technique or practice that increases the complexity of a mobile app’s code and hides data, making it less susceptible to inspection and analysis.

• Runtime checks

  Gaining protection against dynamic analysis is essential using Runtime Application Self Protection (RASP). RASP checks injected automatically at different places in the code with every new build invalidate any prior analysis and reverse engineering efforts made by the attacker.

Guardsquare’s proven record with financial mobile app protection

The MAS TRM Guidelines provide a comprehensive set of best practices for mobile application security. FIs that comply with these guidelines will be better positioned to protect their customers.

Guardsquare's DexGuard, iXGuard, and ThreatCast are a set of mobile app security products that provide comprehensive protection against reverse engineering, tampering, and hacking, as well as real time threat monitoring.

DexGuard is a powerful obfuscator for Android apps. It protects apps by making them more difficult to decompile and comprehend while also improving their performance and size. DexGuard also includes a number of other security features, such as anti-piracy protection and runtime integrity checks.

iXGuard is a similar solution for iOS apps. It provides protection against reverse engineering and tampering and additional features such as jailbreak and debugger detection.

ThreatCast is a real-time threat-monitoring offering that works with both DexGuard and iXGuard. ThreatCast collects and analyzes data on threats to mobile apps, such as reverse engineering attempts and tampering attempts. It then provides this data to organizations in a user-friendly dashboard so they can quickly identify and respond to threats.

Guardsquare has a proven record of successfully protecting mobile financial apps across the globe. Its multilayered approach towards app protection encompasses both static and dynamic protection and is complemented by AppSweep, which can detect potential weaknesses in an app before attackers can.

Ready to protect your financial app against reverse engineering? Connect with an expert to get started.