Mobile Finance App Security Compliance in Pakistan

    Introduction

    The State Bank of Pakistan has provided specific guidelines regarding financial mobile app security requirements and compliance. This page outlines these requirements and demonstrates how Guardsquare's solutions can help you meet them effectively.

    In 2022, the State Bank of Pakistan issued Circular #01 to all Banks, Microfinance Banks (MFBs), Payment System Operators (PSOs), Payment Service Providers (PSPs), and Electronic Money Institutions (EMIs). The Circular establishes baseline mobile app security requirements as detailed in the Mobile Applications (Apps) Security Guidelines document.

    This page provides a structured overview of these guidelines, correlating each requirement with the relevant chapter and section from the official document and illustrating how Guardsquare's solutions can assist in achieving compliance.

    How to read this document

    • Document Location: References to specific sections within the State Bank of Pakistan's guidelines.
    • Requirement: Summarizes the security requirement stipulated in the guidelines.
    • How Guardsquare Can Help: Describes how Guardsquare's tools and solutions address each requirement.

    Guidelines and Solutions

    Chapter 7. Mobile App Security Requirements

    G-i
    • Requirement: App owners shall implement necessary checks on the server-side to verify mobile app integrity and to detect any manipulation.
    • How Guardsquare can help: In addition to the client-side checks provided by Guardsquare DexGuard and iXGuard, Guardsquare ThreatCast enables server-to-server integration to inform the application's server-side about mobile threats.

    G-ii
    • Requirement: App owners shall ensure that installation of mobile apps is not allowed on rooted/jailbroken devices.
    • How Guardsquare can help: Guardsquare DexGuard and iXGuard implement root and jailbreak detection as a layer of mobile application protection.

    G-iii
    • Requirement: App owners shall ensure that mobile apps are not allowed to run inside a debugger/emulator. For this purpose, mobile apps shall have debugger/emulator detection in place. Further, app owners shall not allow any third party to debug the application during runtime.
    • How Guardsquare can help: Guardsquare DexGuard and iXGuard implement a diverse set of environment safety checks, including (but not limited to) debugger and emulator detection.

    I-ii
    • Requirement: App owners shall ensure that the security libraries offered by mobile operating systems are correctly designed and implemented and that the cipher suites they support are sufficiently strong.
    • How Guardsquare can help: Guardsquare AppSweep is a tool for automated mobile application security scanning. AppSweep includes checks for strong cipher suites, sufficient key length, and common mistakes such as bad initialization vectors or insecure random number generation.

    I-v
    • Requirement: App owners shall ensure that code signing is used for the mobile app to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed.
    • How Guardsquare can help: In addition to the operating system's security features, Guardsquare DexGuard and iXGuard implement application integrity checks that verify the integrity of the signing information as well as its correspondence to the original signature.

    I-vii
    • Requirement: App owners shall ensure that minification and source code obfuscation techniques are used in the mobile apps.
    • How Guardsquare can help: Guardsquare is the market leader for mobile application protection. Guardsquare DexGuard and iXGuard implement and continuously refine code obfuscation techniques to provide protection against static analysis. In addition to static code obfuscation, Guardsquare products implement powerful dynamic protection techniques to harden against dynamic analysis and tampering attempts. Guardsquare is also the maker of ProGuard, the minification technology for Android applications that was the de facto standard in the Android ecosystem for over a decade.

    L-i
    • Requirement: App owners shall ensure that app usage behavior is maintained and monitored through an automated mechanism, and shall deploy tools to identify any anomaly in usage and behavior. The mechanism shall integrate with the complete customer support process for verification, so that anomalies can be cleared for consumer protection.
    • How Guardsquare can help: Guardsquare ThreatCast provides an effective monitoring solution for mobile application security, identifying anomalous behavior.

    M-i
    • Requirement: Application sandbox/containerisation.
    • How Guardsquare can help: Guardsquare DexGuard and iXGuard implement environment integrity checks that ensure the operating system's sandboxing and containerization function normally.

    56-i
    • Requirement: App owners shall ensure that the apps have passed through extensive and recurring vulnerability assessment, scanning and intrusion tests to identify weaknesses in the app, through both internal and independent assessors.
    • How Guardsquare can help: Guardsquare AppSweep provides automated mobile application security testing and vulnerability assessment. AppSweep allows software development teams to establish continuous security monitoring and faster fix times without having to wait for a full pentest. In addition, pentesting rounds become faster and more effective if the security risks identified by AppSweep are addressed before entering the pentesting process.
