Mobile Finance App Security Compliance in India

    Introduction

    The Reserve Bank of India (RBI) has issued specific guidelines on the security of mobile financial applications. This page gives an overview of those guidelines and explains how Guardsquare's solutions can help you meet the requirements they set out.

    RBI/2020-21/74 DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21

    As per Chapter I, Paragraph 2, the Master Direction applies to the following regulated entities (REs):

    • Scheduled Commercial Banks (excluding Regional Rural Banks);
    • Small Finance Banks;
    • Payments Banks; and
    • Credit card issuing NBFCs.

    In its Master Direction on Digital Payment Security Controls, the Reserve Bank of India outlines comprehensive security requirements for digital payment applications.

    Below, each relevant RBI requirement is mapped to its chapter and paragraph in the Master Direction. For each requirement we also describe how Guardsquare can help you demonstrate compliance.

    How to read this document

    • Document Location: References to specific sections within the RBI guidelines.
    • Requirement: Summarizes the security requirement stipulated in the guidelines.
    • How Guardsquare Can Help: Describes how Guardsquare's tools and solutions address each requirement.

    Guidelines and Solutions

    Chapter II. GENERAL CONTROLS

    Document location: Paragraph 5
    Requirement: REs shall incorporate appropriate processes into their governance and risk management programs for identifying, analysing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with the portfolio of digital payment products and services on a continual basis and in a holistic manner.
    How Guardsquare can help: Guardsquare's products cover every phase of the secure development lifecycle, from automated security testing during development (AppSweep) to runtime protection of the released application (DexGuard and iXGuard) and threat monitoring in production (ThreatCast).

    Document location: Paragraph 18
    Requirement: The mobile application and internet banking application should have effective logging and monitoring capabilities to track user activity, security changes and identify anomalous behavior and transactions.
    How Guardsquare can help: ThreatCast monitors protected mobile applications in the field and surfaces anomalous behavior such as tampering and reverse engineering attempts. ThreatCast integrates with the RE's own fraud monitoring system, so application-level threat events can be correlated with transaction data as part of a holistic logging and monitoring solution. ThreatCast covers the application-security side of this requirement; logging of user activity and transactions remains the RE's own responsibility.
    Document location: Paragraph 24
    Requirement: REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure…
    How Guardsquare can help: AppSweep provides automated mobile application security testing, covering the VA component of this requirement.

    AppSweep lets development teams scan every build and fix findings continuously, rather than waiting for the results of a full PT cycle. PT rounds in turn become faster and more effective when the issues AppSweep identifies have already been addressed before the application enters PT. Automated scanning complements, but does not replace, the source code review and manual PT the paragraph also requires.

    Document location: Paragraph 31
    Requirement: REs shall refer to standards such as OWASP-MASVS, OWASP-ASVS and other relevant OWASP standards, security and data protection guidelines in ISO 12812, threat catalogues and guides developed by NIST (including for Bluetooth and LTE security), for application security and other protection measures. Such testing has to necessarily verify for vulnerabilities including, but not limited to OWASP/ OWASP Mobile Top 10, application security guidelines/ requirements developed/ shared by operating system providers/ OEMs.
    How Guardsquare can help: AppSweep is a mobile-specific MAST (mobile application security testing) tool built around the OWASP MASVS and its companion testing guide, the OWASP MASTG (formerly MSTG).

    Specifically, AppSweep's analyses test for findings in each of the OWASP MASVS categories, using the current MASTG as guidance for the individual test cases.

    How to check for mobile-specific OWASP violations in AppSweep:

    Once AppSweep has finished scanning the app, use the OWASP filter in the scan results to list findings by MASVS category and verification level.

    Where applicable, the details page of a finding links directly to the relevant MASTG sections, so you can read up on the issue and on how to test for and fix it.

    Chapter IV. MOBILE PAYMENTS APPLICATION SECURITY CONTROLS

    Document location: Paragraph 56-a
    Requirement: Device policy enforcement
    How Guardsquare can help: DexGuard and iXGuard implement environment integrity checks that verify the application is running in an environment free from threats aimed at reverse engineering it or tampering with its execution flow.

    Document location: Paragraph 56-b
    Requirement: Application secure download/ install
    How Guardsquare can help: DexGuard and iXGuard application integrity controls verify at runtime that the application installed on the user's device is the same one the developer built and has not been modified or repackaged.

    Document location: Paragraph 56-e
    Requirement: Device or application encryption
    How Guardsquare can help: DexGuard and iXGuard combine code obfuscation with encryption of application code and embedded data, raising the cost of reverse engineering and tampering.

    Document location: Paragraph 56-g
    Requirement: Application sandbox/ containerisation
    How Guardsquare can help: An application cannot itself enforce the operating system's sandbox, but DexGuard and iXGuard implement environment integrity checks that detect conditions under which that sandbox can no longer be relied on, such as a rooted or jailbroken device.

    Document location: Paragraph 56-i
    Requirement: Code obfuscation
    How Guardsquare can help: Guardsquare is the market leader for mobile application protection. DexGuard and iXGuard implement and continuously refine code obfuscation techniques that protect against static analysis.

    In addition to static code obfuscation, Guardsquare products implement dynamic protection techniques that harden the application against dynamic analysis and tampering at runtime.

    Document location: Paragraph 58
    Requirement: REs may explore the feasibility of implementing a code that checks if the device is rooted/ jailbroken…
    How Guardsquare can help: DexGuard and iXGuard implement root and jailbreak detection as one layer of mobile application protection. Root and jailbreak detection is inherently heuristic, so it should be treated as one signal among several rather than as a guarantee, and detection events can be reported to ThreatCast (see Paragraph 18) so that the RE's security team sees the fleet-wide picture.
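    To make concrete what "a code that checks if the device is rooted" means in practice, and why it is only a heuristic, here is a minimal Android root check written for this page. It is an added example, not Guardsquare's or the RBI's code; DexGuard's own detections are proprietary and go further. The indicator lists (`SU_PATHS`, `ROOT_MANAGER_PACKAGES`) and the function names are illustrative choices, not part of any standard.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

// Added example: a heuristic root check for Android. Not Guardsquare code.
// Every indicator below can be hidden by a determined attacker (renamed su
// binary, Magisk hide, hooking the check itself), so a negative result means
// "nothing detected", never "device is clean".

// Illustrative indicator lists; extend them from your own threat intelligence.
private val SU_PATHS = listOf(
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/system/su", "/su/bin/su", "/data/local/xbin/su",
    "/data/local/bin/su", "/data/local/su"
)

private val ROOT_MANAGER_PACKAGES = listOf(
    "com.topjohnwu.magisk",        // Magisk Manager
    "eu.chainfire.supersu",        // SuperSU
    "com.koushikdutta.superuser"   // Superuser
)

data class RootCheckResult(val indicators: List<String>) {
    val rooted: Boolean get() = indicators.isNotEmpty()
}

fun checkRootIndicators(context: Context): RootCheckResult {
    val found = mutableListOf<String>()

    // 1. Build signed with AOSP test keys: typical of custom ROMs, not of
    //    production devices.
    if (Build.TAGS?.contains("test-keys") == true) found += "build.tags=test-keys"

    // 2. An 'su' binary at one of the well-known locations.
    SU_PATHS.firstOrNull { File(it).exists() }?.let { found += "su:$it" }

    // 3. 'su' reachable through PATH (catches non-standard locations).
    System.getenv("PATH")?.split(':')
        ?.firstOrNull { File(it, "su").exists() }
        ?.let { found += "su-in-PATH:$it" }

    // 4. A known root-management app is installed. On Android 11+ this lookup
    //    only works for packages declared in the app's <queries> manifest element.
    val pm = context.packageManager
    for (pkg in ROOT_MANAGER_PACKAGES) {
        try {
            pm.getPackageInfo(pkg, 0)
            found += "package:$pkg"
        } catch (e: PackageManager.NameNotFoundException) {
            // not installed
        }
    }

    return RootCheckResult(found)
}

// Decide the response policy up front (block, degrade, or report-only) and
// always report the event, so that monitoring sees how often checks fire.
fun enforceRootPolicy(context: Context, report: (List<String>) -> Unit): Boolean {
    val result = checkRootIndicators(context)
    if (result.rooted) {
        report(result.indicators)   // e.g. forward to the RE's fraud/telemetry pipeline
    }
    return result.rooted
}
```

    Two design points follow from the requirement's own wording ("explore the feasibility"): the check runs inside an environment the attacker controls, so it must be paired with code hardening so that the check itself is not trivially patched out, and its result is far more useful as a monitored signal than as a hard block on its own.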
