Singapore – Aiming to strengthen the country's overall security posture, the Cyber Security Agency of Singapore (CSA) has recently released new guidelines under the ‘Safe App Standard 2.0’ (SAS 2.0). The standard is an updated version of the January 2024 edition and further protects app transactions and user data for mobile apps deployed in Singapore.
As an upgraded version, SAS 2.0 specifically prioritises high-risk apps with transactions that could lead to significant financial losses.
According to the agency, these high-risk transactions enable modifications to financial functions such as the registration of third-party payee information and the increase of fund transfer limits.
The standard will also introduce four new key areas: network communication, cryptography, code quality and exploit mitigations, and platform interactions. These enhancements are essential in providing app developers and owners with comprehensive guidelines to fortify the security of their mobile apps.
These add to the four key areas covered previously in the first version of the SAS: (1) authentication, where multiple authentication factors, such as biometrics and cryptographic tokens, are employed and user sessions are secured; (2) authorisation, where apps use permissions to manage user access to resources, features, and data, and users can grant the app permissions to use certain functions on their devices; (3) data storage, which safeguards sensitive data in app servers and user devices against data theft; and lastly (4) anti-tampering and anti-reversing, where system controls prevent modifications to and the compromise of the app.
The new guidelines will also cover security controls in eight key areas to enhance mobile security. SAS 2.0, in particular, referenced established industry standards and guidance such as those from the Open Web Application Security Project, the European Union Agency for Network and Information Security, the Payment Card Industry Data Security Standard, and the National Institute of Standards and Technology.
The standard underwent further refinement after extensive consultations with a diverse range of stakeholders, including local government agencies, financial institutions, e-commerce companies, consultancy firms, cybersecurity firms, academic institutions, and technology companies.
With the new guidelines, CSA strongly encourages developers of apps that are both developed and hosted in Singapore to adopt CSA’s SAS 2.0 in their app development. Adoption of this standard will fortify apps against common malware and phishing attacks.