On January 10th 2024 the Cyber Security Agency of Singapore (CSA) published V1.0 of the Singapore Safe App Standard.  This is intended to help  app developers and providers enhance mobile app security. The standard provides a common security benchmark and guidance to app developers and providers on the necessary security controls and best practices to better protect any mobile applications, and in so doing, enhance the protection of user data and app transactions.  It is intended to cover apps developed or deployed in Singapore.

This standard builds on previous work such as OWASP MASVS. These recommendations should be used to secure and test your mobile apps and can also be used to evaluate the effectiveness of security solutions. It is therefore important that vendors make very clear how their solutions fit with the framework. 

Approov is a leading provider of end-to-end mobile app protection and is very supportive of this initiative by the CSA. This blog introduces the Singapore Safe App Standard and  summarizes how the Approov solution can help enterprises align their mobile app security with the guidelines. More information about how Approov aligns with MASVS can be found here. 

History of The Singapore Safe App Standard

The Safe App Standard was developed by the Cyber Security Agency of Singapore (CSA) in consultation with industry partners from financial institutions, tech organizations, consultancy firms, and government agencies.

The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines, first issued in 2013,  established a set of best practices that financial institutions in Singapore must follow to manage their technology risks. The TRM Guidelines were updated in 2021.   These MAS TRM Guidelines include a number of specific requirements for mobile application security: including putting in place app attestation and anti-tampering and also the recommendation to implement certificate pinning between apps and backend services.  

The Safe App Standard references expands on these recommendations and references industry standards from the Open Web Application Security Project (OWASP), the European Union Agency for Network and Information Security (ENISA) and the Payment Card Industry Data Security Standard (PCI DSS)

The Safe App Standard is intended to evolve in view of the evolving risk landscape. V1.0 is targeted at applications that perform high-risk transactions; defined as “those that allow transactions with some or full access to users’ financial accounts, which when compromised, can possibly result in significant monetary losses”.  

There is currently no enforcement element, but developers of applications created and hosted in Singapore are encouraged to adopt the standard in their app development. 

What is Covered by the Safe App Standard

The Standard focuses on four critical areas commonly targeted by threat actors. These are: 

• Authentication - Applications commonly employ various forms of authentication, including biometrics, personal identification numbers, or multi-factor authentication code generators. Ensuring the authentication mechanism is secure and implemented following industry best practices is crucial to validate user identity and ensure legitimate access.
• Authorisation - Authorisation security operates in conjunction with authentication security. Authorisation security in mobile applications is a crucial line of defense as it determines access rights to the relevant resources within an app. It creates systematic controls and validates user access rights within an application. 
• Data Storage (Data-at-Rest) - Data storage (Data-at-Rest) is all about safeguarding the integrity and confidentiality of sensitive data such as personally identifiable information stored locally on the user’s device and application server when it is not actively being used or transmitted.
• Anti-Tampering and Anti-Reversing - Anti-tampering and anti-reversing security controls such as anti-malware detection and anti-keystroke capturing are additional measures that developers can implement to counter malicious actors attempting to tamper with or compromise their applications. By including these features, developers make it more difficult for attackers to steal.

What Aspects of Mobile Security Are Not Covered by the Safe App Standard

It is interesting to note that some elements of the comprehensive OWASP MASVS recommendations are not addressed in the Safe App Standard. The CSA have clearly decided to focus on some elements of mobile app security - and other aspects will certainly be addressed in later versions of the standard.

These elements of MASVS are covered by the Safe App Standard: 

• MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest). This was vastly simplified down to only 2 controls, providing a good illustration of how everything was cleaned up in V 2.0.0. 
• MASVS-AUTH: This concerns authentication and authorization mechanisms used by the mobile app. The latest release of MASVS-AUTH cleanly separates client-side and server-side authentication, using the OWASP Application Security Verification Standard (ASVS). 
• MASVS-RESILIENCE: This covers resilience to reverse engineering and tampering attempts. Obfuscation or code hardening are still advised as a protection against static analysis (in MASVS-RESILIENCE-3) but in V2.0.0 there is a realization that obfuscation is necessary but not sufficient, and that there is an evolving need to protect apps from increasingly sophisticated attacks. This brings a new emphasis in MASVS and MASTG on protecting against dynamic analysis and run time tampering of the app and the client environment it runs on.

These elements of MASVS that are not covered in the Singapore Safe App standard: 

• MASVS-NETWORK: This covers secure network communication between the mobile app and remote endpoints (data-in-transit). The latest release of MASVS addresses head-on some of the confusing guidance (e.g. from Apple and Google!) around certificate pinning and makes it very clear that pinning is absolutely required in order to provide the highest levels of channel security (this in  itself  is a topic for another blog!)
• MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
• MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
• MASVS-CRYPTO: This concerns the cryptographic functionality used to protect sensitive data. In V2.0.0.  This was also simplified and aligned with NIST standards NIST.SP.800-175B and NIST.SP.800-57p1. There are two controls, the second (MASVS-CRYPTO-2)  ensures that the app performs key management according to industry best practices.  

What Approov Does

Approov provides a unique and patented run-time shielding solution which is easy to deploy and protects your APIs and the channel between your apps and APIs from any automated attack. It uses a cryptographically signed “Approov token” to allow the app to provide proof that it has passed the runtime shielding process.

Integration involves including an SDK in your mobile app via a mobile app quickstart and adding an Approov token check in your backend API implementation. A full set of frontend and backend Quickstarts are available to facilitate integration with common native and cross-platform development environments.

Additionally, Approov provides a runtime secrets capability whereby app secrets are only delivered just-in-time to the app if it passes attestation. These secrets can then be used by the app, including as API keys to authenticate access to other APIs. In this case no modification to the backend API is required at all, making integration very fast and straightforward.

In summary, Approov provides the following security features which are relevant to both the Singapore TRM Guidelines and the Singapore Safe App Standards: 

• App Attestation: Effective across all app development and deployment platforms and app stores, Approov allows only genuine mobile app instances, running in safe environments, to access your API and blocks all scripts, bots, modified apps and fake apps from accessing your API. Only apps that have been registered with the Approov service and which meet the runtime environmental criteria are issued with valid JWT Approov tokens. App registration can be immediately added and revoked from the Approov service, allowing tight control of which app versions can access your API.
• Client Environment Integrity: Approov Run Time Application Self Protection (RASP) detects a full range of potentially unsafe mobile device environments including device rooting/jailbreaking, emulator or debugger usage, malicious instrumentation frameworks, and cloned apps. Customers can specify which policies should be enforced in a highly granular way. Changes to security policies roll out immediately to active apps without the need to update the apps. 
• Man-in-the-Middle Protection: Approov provides full protection against Man-in-the-Middle (MitM) attacks by providing fully pinned communications channels between apps and APIs. The solution provides dynamic certificate management and over the air secret updates (to immediately rotate secrets if they are stolen from cloud repositories, or if third party API keys are changed) to ensure service continuity without the need to update applications. Devops teams are often concerned about implementing pinning because of risk of service-interruption: Approov delivers secure over-the-air instant pin updates with no management headaches or service disruptions, keeping DevOps teams happy.
• Secret Management: The secure management of critical secrets used in mobile apps such as API keys is included in the Approov solution. The way Approov combines app attestation, RASP and secret management is unique in the market. As well as removing secrets completely from code, Approov prevents ANY stolen secrets being used by scripts or tools to access APIs. Other mobile app hardening or obfuscation solutions make stealing secrets harder but never impossible, and do not mitigate the threat of secrets being acquired by bad actors from code repositories and cloud storage. Another key feature is that Approov enables the management of secrets for any third party services used by the app.
• Over-the-air Updates: In order to allow dynamic and rapid reaction to changing threats, policies can be modified and certificates and pins can be updated over-the-air without the need to update and roll out new versions of an application. This is a key feature of Approov, enabling devops teams to dynamically manage the security posture and manage secrets and keys without ever having to update apps. 
• Analytics and Reporting: To simplify reporting, audit and compliance, Approov analytics shows what is happening in your service, with real-time and historical data. Information is presented via a dashboard presenting a top level view and then allowing deeper investigation via the various graphs and options which are available. This is important not only to measure and report on the effectiveness of the solution but also to help secure and maintain regulatory compliance.

How Approov Addresses the Singapore Safe App Standard

The Approov solution itself is implemented in a way that satisfies the first 3 sections (for Authentication, Authorization and Data Storage: see this description of the Approov Security Architecture. 

The Approov solution systematically protects deployed apps from the threats in SECTION 4. Anti-Tampering & Anti-Reversing. These security controls ensure that apps run on trusted platforms, prevent tampering at runtime and ensure the integrity of the apps’ functionalities. In addition, the controls impede comprehension by making it difficult for attackers to figure out how the apps operate. We will look at each in detail:

RESILIENCE-BP01 Sign with certificates from official app stores.

This control is focused on checks which verify the integrity of the application, ensuring it has not been modified or repackaged. It can also focus on guaranteeing the runtime integrity of the application and the resources it depends on. However, dependence on official app store mechanisms is not the best approach: both Google and Apple are now allowing alternative app stores and sideloaded apps after pressure from the EU. 

Approov captures signatures of valid apps and checks that the correct code is present at runtime. Tampering attempts are detected and prevent the app receiving valid Approov tokens or runtime secrets.

Approov analyzes the runtime memory space of the app sandbox and compares this to the expected layout. Mismatches are reported to the Approov cloud, allowing direct reporting and ensuring such an app does not receive valid Approov tokens or runtime secrets.

RESILIENCE-BP02 Implement jailbreak/root detection.

RESILIENCE-BP03 Implement emulator detection.

RESILIENCE-BP04 Implement anti-malware detection.

RESILIENCE-BP05 Implement anti-hooking mechanisms.

These controls are aimed at ensuring the mobile platform (Android, iOS etc.) have not been compromised in a way that gives an advantage when performing reverse engineering or manipulation of the app. This requirement includes a focus on root/jailbreak detection, virtual environment detection, as well as device attestation in order to guarantee the authenticity of the user device.

Various root and jailbreak detection approaches are integrated into the Approov SDK. This can be configured so the app can report the detection, as well as ensuring the app does not receive valid Approov tokens or runtime secrets. A range of debug detection approaches are also integrated into the Approov SDK, covering low level and high level debug attachments. 

Approov has a range of specific detections for common instrumentation frameworks, such as Frida. Mechanisms are also in place to detect late attachment after the app has started. Further countermeasures are in place to detect the presence of hooking on key methods that might otherwise be used to prevent the detection of instrumentation frameworks.

Also,  various checks are in place for both Android and iOS to determine if execution is on an emulator or simulator. On iOS, specific detection is made for apps running on an arm64 based Mac. Again, a direct response can be made in the app but crucially such an app never receives valid Approov tokens or runtime secrets. Approov RASP provides ongoing anti-hooking checks on apps to prevent unauthorized access, protect high-risk transaction operations and detect and prevent tampering and modification attempts at runtime. 

RESILIENCE-BP06 Implement overlay, remote viewing, and screenshot countermeasures.

RESILIENCE-BP07 Implement anti-keystroke capturing or anti-keylogger against third-party virtual keyboards.

These controls concern application programming best-practices, but Approov can help by providing visibility to any modification of the runtime environment.

How the Safe App Standard Fits into Overall Mobile App Security

Any mobile app security program should include the following elements:

• Develop a comprehensive mobile security program
  Organizations should develop a comprehensive and robust mobile security program that includes a risk assessment process, security policies and procedures, incident response, and a training program for employees.
• Secure coding practices
  Developers should implement secure coding practices by using secure coding standards and guidelines.
• Security testing
  Developers should perform extensive testing, such as static analysis and dynamic analysis. They should test their mobile apps at all development lifecycle stages, from early development to pre-production. 
• Strong encryption
  Use of strong encryption to protect sensitive data stored or transmitted by their mobile apps is advisable. Security teams should also ensure that any deployed security solution always employs strong encryption. 
• Runtime checks
  Protection against dynamic analysis and runtime attacks is essential by using a comprehensive RASP solution such as Approov. 

Conclusion 

The TRM Guidelines and the Singapore Safe App Standard together provide a comprehensive set of best practices for mobile application security. App developers should endeavor to comply with these guidelines, as well as OWASP MASVS to be better positioned to defend their mobile applications and protect their customers.

For more information on Approov's API Threat Protection, try out our free demo today.