Disclaimer: The opinions shared are solely mine and do not represent my employer or any affiliated organizations.
Overview
Mobile applications have become deeply integrated into our lives, handling sensitive personal and financial information daily. This reliance necessitates robust security measures to safeguard user data and privacy. The Cyber Security Agency of Singapore (CSA) introduced the Safe App Standard to guide developers in creating more secure mobile applications.
Earlier this year, the CSA released Safe App Standard 1.0, focusing primarily on providing security guidelines for high-risk apps. Building upon that foundation, the recently unveiled Safe App Standard 2.0 expands its scope, offering a more comprehensive framework that addresses a wider array of cybersecurity challenges faced by developers today.
Key Categories of Security Controls in Safe App Standard 2.0
- Authentication: This category focuses on ensuring the authenticity of users. The standard recommends employing multiple authentication factors, including inherence, possession, and knowledge-based factors. It also emphasizes securing user sessions and authentication processes.
- Authorization: This category deals with the validation and accordance of access permissions to users or apps. The goal is to protect the confidentiality, integrity, and privacy of sensitive data, as well as the integrity of actions performed within the app. The standard recommends implementing robust authorization on both the server and client sides.
- Data Storage: This category covers securing sensitive data at rest. It stresses storing only necessary data, encrypting data on both the server and client sides, and deleting data when no longer needed. The standard highlights the importance of protecting data stored by the app.
- Anti-Tampering & Anti-Reversing: These controls focus on maintaining the integrity of apps and their functionalities by ensuring the app isn't running on compromised platforms. The standard suggests detecting and defending against different types of tampering, whether on the source code or during runtime.
- Network Communication: This category concentrates on securing data in transit over the network. The standard advocates encrypting data using secure protocols and authenticating the user's device to protect sensitive information and prevent unauthorized access.
- Cryptography: This section emphasizes employing strong cryptographic algorithms for hashing, encryption, and digital signatures. The standard also advocates secure key management practices throughout the key lifecycle.
- Code Quality & Exploit Mitigations: These controls aim to ensure the integrity and availability of the app and its processes while safeguarding sensitive data. The standard suggests using updated OS versions, managing software dependencies securely, and addressing code vulnerabilities during development.
- Platform Interactions: This category addresses securing interactions between the app and external components like the OS, libraries, and device memory. The standard focuses on mitigating vulnerabilities that could arise from these interactions.
What's Updated?
Safe App Standard 2.0 includes several updates to existing controls to enhance clarity, improve alignment with industry best practices, and ensure logical categorization:
- AUTHN-BP01 (Use Multi-Factor Authentication): The updated standard further emphasizes the importance of using Multi-Factor Authentication (MFA) to validate users' identities. It highlights the need to go beyond single-factor authentication, which can be easily compromised.
- AUTHOR-BP03 (Request Minimal Permissions): Safe App Standard 2.0 strengthens this control by stressing the importance of minimizing the permissions requested from users, reducing the potential for misuse by malicious actors. Developers are encouraged to request only the permissions absolutely essential for the app's functionality.
- AUTHN-BP01a (Implement Knowledge-Based Authentication Securely): This control has been adjusted to align more effectively with the latest industry best practices for secure knowledge-based authentication methods, ensuring passwords and PINs are handled with the utmost security.
- RESILIENCE-BP07, now PI-BP03 (Handle Input Methods Securely): This control has undergone a significant shift, being repositioned from the "Anti-Tampering & Anti-Reversing" category to the "Platform Interactions" category and receiving a new name. This change reflects a broader focus on addressing security concerns related to all input methods, including keyboards and clipboards, moving beyond just keystroke capturing.
So, what are the New Key Controls?
Safe App Standard 2.0 significantly expands its scope by introducing four new cybersecurity areas, reflecting a more comprehensive approach to mobile app security:
- Network Communication (Data-in-Transit): This category focuses on securing data as it travels across networks. The standard recommends the use of secure communication protocols, such as HTTPS with TLS 1.3. It also emphasizes the importance of certificate pinning to prevent man-in-the-middle attacks. Additionally, the standard provides guidance on securely integrating APIs to protect sensitive data exchanged between apps and servers.
- Cryptography: Recognizing the crucial role of cryptography in mobile app security, version 2.0 introduces specific controls related to cryptographic algorithms and key management. The standard recommends implementing strong cryptographic hash algorithms, such as SHA-256 and SHA-384, to ensure data integrity.
- Code Quality & Exploit Mitigations: This area addresses the importance of writing secure code and mitigating potential exploits. It includes controls for checking that devices are not running known insecure OS versions, implementing mechanisms to enforce app security updates, using secure software dependencies, validating and sanitizing input and output data, handling errors properly, and managing memory securely.
- Platform Interactions: This category deals with securing interactions between the app and external components, including the OS, libraries, and device memory. The standard stresses the importance of implementing secure Inter-Process Communication (IPC) mechanisms, securing Webviews, and handling input methods securely to prevent data leakage and unauthorized access.
Mitigation Controls in the Safe App Standard
Now let's look at the actual risks that can be avoided when the controls are implemented correctly.
1. Risk of Unauthorized Access to User Accounts
Description: Attackers frequently attempt to gain unauthorized access to user accounts, often by stealing credentials or exploiting vulnerabilities in authentication mechanisms. This risk is especially high for apps handling sensitive user data, including personal information and financial details.
- AUTHN-BP01: Implement Multi-Factor Authentication (MFA) to enhance account security. This involves requiring users to provide multiple authentication factors, such as something they know (password), something they have (OTP token), and something they are (biometric).
- AUTHN-BP01a: Implement robust password policies to enforce the use of strong and unique passwords. This includes setting minimum password lengths, enforcing password complexity rules, and rejecting commonly used or guessable passwords.
- AUTHN-BP01b: Securely implement possession-based authentication factors, such as OTP tokens, hardware tokens, or push notifications, to provide an additional layer of security beyond passwords.
- AUTHN-BP01c: Implement inherence-based authentication factors, such as biometric verification, securely. Ensure that biometric data is stored and processed securely, preferably within a Trusted Execution Environment (TEE).
- AUTHN-BP02: Leverage contextual factors, such as device location, device type, or network information, to add another layer of security to the authentication process. This helps to identify suspicious login attempts that deviate from the user's typical behavior.
2. Risk of Data Breaches and Data Leakage
Description: Mobile apps often store significant amounts of sensitive data, including user information and authentication data, making them attractive targets for attackers. Data breaches can lead to financial losses, identity theft, and reputational damage for both users and app providers.
- STORAGE-BP01: Only store sensitive data that is absolutely necessary for the app's core functionality. Minimize data collection and retention to reduce the potential impact of a data breach.
- STORAGE-BP02: Implement secure storage solutions for sensitive data on both the server-side and client-side. This includes encryption, hashing, tokenization, and appropriate access controls.
- STORAGE-BP02a: Secure sensitive data on the server-side using robust encryption algorithms and secure storage practices. Utilize techniques like hashing with salt for passwords and encryption standards like AES for other sensitive data.
- STORAGE-BP02b: If server-side storage isn’t possible, secure sensitive data on the client-side within a TEE, such as Android's ARM TrustZone or Apple's Secure Enclave. Employ secure key management practices to protect encryption keys.
- STORAGE-BP03: Delete sensitive data when it is no longer required for business purposes. Implement secure data deletion practices to ensure data is permanently removed and cannot be recovered.
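As an added illustration of AUTHN-BP01a (password policy) and STORAGE-BP02a (salted hashing of passwords on the server side), here is a small Python example that is not part of the standard or the original article: the minimum length, character-class rule and denylist are constructed values, and the stored record holds only the salt and a scrypt digest, never the password.

```python
import hashlib
import hmac
import secrets

# Constructed policy values for illustration; a real deployment checks candidates
# against a much larger breached-password list.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein12345"}
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB of memory per hash


def password_policy_violations(password: str) -> list:
    """AUTHN-BP01a: return the checks a candidate password fails (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hash_password(password: str) -> str:
    """STORAGE-BP02a: derive a salted scrypt digest; the record stores salt + digest only."""
    salt = secrets.token_bytes(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        alg, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if alg != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest.hex(), digest_hex)
```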
3. Risk of App Tampering and Reverse Engineering
Description: Attackers can analyze, reverse engineer, and tamper with publicly distributed apps. They may modify app behavior to steal credentials, inject malware, or exfiltrate sensitive data. This risk can result in financial losses and damage to the app provider's reputation.
- RESILIENCE-BP01: Sign apps with certificates from official app stores (Apple App Store or Google Play Store) to ensure app authenticity and integrity. This helps to prevent the distribution of tampered apps through unauthorized channels.
- RESILIENCE-BP02: Implement root and jailbreak detection mechanisms to prevent the app from running on compromised devices. This helps to mitigate the risk of attackers exploiting vulnerabilities on rooted or jailbroken devices to access sensitive data or modify app behavior.
- RESILIENCE-BP03: Implement emulator detection to prevent the app from running in emulated environments, which attackers often use to analyze and reverse engineer apps.
- RESILIENCE-BP04: Implement anti-malware detection to identify and prevent malware from infecting devices and exploiting vulnerabilities within the app.
- RESILIENCE-BP05: Implement anti-hooking mechanisms to protect against attacks that attempt to modify the app's code at runtime.
- RESILIENCE-BP06: Implement countermeasures against techniques like overlays, remote viewing, and screenshots, which attackers might use to capture sensitive information displayed within the app. Employ techniques like FLAG_SECURE on Android or similar flags on iOS to restrict screenshots.
4. Risk of Insecure Network Communication
Description: Data transmitted over networks can be intercepted, modified, or stolen by attackers. This risk is particularly relevant for apps that communicate with servers to transmit sensitive user information or conduct financial transactions.
- NETCOM-BP01: Use secure communication protocols, such as HTTPS with TLS 1.3 or later, for all network communication. This encrypts data transmitted between the app and the server, protecting it from eavesdropping and tampering.
- NETCOM-BP02: Implement certificate pinning to verify the authenticity of the server's SSL/TLS certificate. Certificate pinning prevents man-in-the-middle attacks, where an attacker intercepts communication and presents a fraudulent certificate.
- NETCOM-BP03: Securely integrate APIs by implementing robust authentication mechanisms, input validation, and data encryption. This helps to protect sensitive data exchanged between the app and external APIs.
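The two network controls above (NETCOM-BP01: TLS 1.3 or later, NETCOM-BP02: certificate pinning) as an added Python example of the mechanism, not code from the standard or the article; on Android the same policy would normally be declared in the Network Security Config rather than coded by hand. It keeps normal CA and hostname verification on, refuses anything below TLS 1.3, and additionally requires the server's leaf certificate to match one of a set of SHA-256 fingerprints; the pin values shown are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder pins: SHA-256 over the DER-encoded leaf certificate.
# Ship at least one backup pin so a certificate rotation does not lock clients out.
PINNED_FINGERPRINTS = {
    "0" * 64,  # placeholder for the current certificate
    "1" * 64,  # placeholder for the backup certificate
}


def cert_fingerprint(der_cert: bytes) -> str:
    """Fingerprint used for pinning: SHA-256 of the DER certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """NETCOM-BP02: accept the peer only if its fingerprint is in the pin set."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin) for pin in pins)


def make_context() -> ssl.SSLContext:
    """NETCOM-BP01: default context (CA + hostname checks on) with TLS 1.3 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def enforces_tls13(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Open a TLS connection and abort if the leaf certificate is not pinned.

    Returns the negotiated protocol version (e.g. 'TLSv1.3') on success."""
    ctx = make_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf_der, pins):
                # Pin mismatch after a valid CA chain is the man-in-the-middle signal
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```

Pinning the whole certificate ties the pin to each renewal; pinning the public key (SPKI) instead survives renewals that keep the key, which is why the backup pin matters either way.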
5. Risk of Weak Cryptography and Key Management
Description: Weak cryptographic algorithms or poor key management practices can undermine the security of sensitive data. Attackers may be able to exploit vulnerabilities in cryptographic implementations to decrypt sensitive information, forge signatures, or tamper with data.
- CRYPTO-BP01: Use well-vetted and industry-standard cryptographic algorithms for hashing, encryption, and digital signatures. Avoid using custom or outdated algorithms that may have known vulnerabilities.
- CRYPTO-BP02: Implement strong encryption algorithms, such as AES (symmetric) or RSA/ECC (asymmetric), with secure modes of operation. Employ encryption algorithms that provide at least 128 bits of security strength.
- CRYPTO-BP03: Utilize strong digital signature algorithms, such as ECDSA or RSA with appropriate key lengths, to ensure data integrity and authenticity. Use updated and widely recognized signature algorithms to protect against forgery and tampering.
- CRYPTO-BP04: Follow industry best practices for key management throughout the key lifecycle. Securely generate, distribute, store, and delete cryptographic keys, using secure cryptographic modules and robust key protection mechanisms.
6. Risk of Code Vulnerabilities and Exploitation
Description: Code vulnerabilities can arise from insecure coding practices, the use of outdated software libraries, or improper error handling. Attackers may exploit these vulnerabilities to gain unauthorized access to the app, data, or even the device itself.
- CQEM-BP01: Use the latest available OS versions and SDKs for development to take advantage of the latest security updates and patches. Outdated OS versions and SDKs often contain known vulnerabilities that can be exploited.
- CQEM-BP02: Implement mechanisms to enforce app security updates, ensuring that users are promptly notified and encouraged to update their apps when security patches are available.
- CQEM-BP03: Manage software dependencies securely, verifying the security and trustworthiness of third-party libraries and frameworks used in the app. Regularly update dependencies to address known vulnerabilities and use automated dependency management tools.
- CQEM-BP04: Validate and sanitize all input and output data to prevent injection attacks, such as SQL injection and cross-site scripting (XSS). Implement strict data validation rules and appropriate escaping techniques.
- CQEM-BP05: Implement proper error handling mechanisms to prevent the app from crashing or revealing sensitive information in the event of unexpected errors. Avoid disclosing detailed error messages that might aid attackers.
- CQEM-BP06: Manage memory securely to prevent vulnerabilities like buffer overflows, dangling pointers, and format string attacks. Implement secure coding practices to mitigate the risk of memory corruption vulnerabilities.
7. Risk of Insecure Platform Interactions
Description: Mobile apps often interact with various platform components, including the OS, libraries, and device memory. These interactions, if not properly secured, can introduce vulnerabilities that attackers might exploit to access sensitive data, manipulate app behavior, or gain control of the device.
- PI-BP01: Implement secure Inter-Process Communication (IPC) mechanisms to protect data exchanged between different app components or processes. Ensure that communication channels are properly authenticated and data is encrypted during transmission.
- PI-BP02: Secure WebViews, which are used to display web content within the app, by verifying the source of web content, disabling unnecessary features like JavaScript if not required, and employing secure communication protocols.
- PI-BP03: Handle input methods, such as keyboards and clipboards, securely. Consider using secure in-app keyboards to prevent sensitive data from being captured by potentially malicious third-party keyboards. Disable auto-fill and copy-paste functionalities for fields containing sensitive data.
Final Thoughts
The Safe App Standard 2.0 provides a comprehensive and practical framework that addresses key mobile security challenges in a rapidly evolving threat landscape. By aligning with it, developers can not only comply with regulatory requirements but also substantially reduce risks, as evidenced by the significant reduction in breaches when these measures are implemented correctly.
Feel free to explore the complete guide here.
Platform Engineer at ANZx | R&D Engineer | DevSecOps | Application Security Engineer
5 months · Very informative
Lead Engineer | SRE | Platform Engineering | Cloud Native
5 months · Insightful. Thanks bro