Introduction
The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines set out risk management principles and best practices to guide financial institutions in establishing sound and robust technology risk governance and oversight, and in maintaining IT and cyber resilience. The guidelines include a section on mobile application security. Mobile applications have become a key and regular channel through which financial institutions interact with their customers, and some of the transactions performed over them are of significant value. Attackers are accordingly drawn to these high-value channels and will exploit any available vulnerability or fraud opportunity for financial gain.
As financial institutions reference the MAS TRM mobile application guidelines, Promon can help them understand how to mitigate mobile application risks with its mobile app-shielding and Runtime Application Self-Protection (RASP) technologies. In this paper, we go through each recommendation under “Annex C: Mobile Application Security” of the guidelines and describe how Promon addresses it.
How Promon SHIELD™ addresses the TRM Guidelines from the Monetary Authority of Singapore
FROM ANNEX C: MOBILE APPLICATION SECURITY
C.1 – Security measures should be considered for securing mobile applications as follows:
a) Avoid storing or caching data in the mobile application to mitigate the risk of data compromise on the device. Data should be stored in a protected and trusted area of the mobile device.
- Secure Local Storage (SLS) is an optional feature of Promon SHIELD™, backed by White Box Cryptography (WBC). It lets the app store its secrets locally on the end user's device in a secure manner.
b) Protect private cryptographic keys.
- Promon Secure Application ROM (SAROM) encrypts static in-app secrets (API keys, certificates, and so on). The secrets are encrypted by Shielder during shielding, and the application retrieves them dynamically at runtime. All data stored using this feature is encrypted according to the latest standards and recommendations.
c) Implement anti-hooking or anti-tampering mechanisms to prevent injection of malicious code that could alter or monitor the behaviour of the application at runtime.
- With the standard features of Promon SHIELD™, hooking frameworks installed on the device are detected. Promon SHIELD™ also detects code hooks placed in the app and blocks unauthorized code injection into the app process.
d) Implement appropriate application integrity check (e.g. using checksum and digital signature) to verify the authenticity and integrity of the application and code obfuscation techniques to prevent reverse engineering of the mobile application.
- With the standard features of Promon SHIELD™, repackaging checks verify the digital signature of the app, and file and app integrity checks can be performed after the application has started. Promon SHIELD™ also offers code obfuscation for Java, JavaScript, and iOS bitcode.
e) Implement certificate or public key pinning to protect against MITMA.
- Certificate/SSL pinning on its own is not sufficient to prevent MITM attacks, because several pinning bypass techniques exist: an attacker can use Frida to hook the app code and interfere with the validation logic, or use tools such as SSL Kill Switch 2 or SSL Unpinning to bypass the pinning. These tools depend on a hooking framework such as Xposed being installed on a rooted or jailbroken device. Promon SHIELD™ prevents the app from running on insecure devices (those with a hooking framework such as Frida, Xposed or Cydia Substrate installed), which stops the attacker from bypassing certificate pinning. Furthermore, Promon SHIELD™ can encrypt the client certificate by means of SAROM.
f) Implement a secure in-app keypad to mitigate against malware that captures keystrokes.
- Promon SHIELD™ offers a secure text input API (in-app keyboard) that protects sensitive text input against keyloggers. Furthermore, the Promon SHIELD™ untrusted keyboard check allows whitelisting of trusted software keyboards, so the app can determine whether the keyboard in use is trustworthy. Promon SHIELD™ can be configured to exit the app if the keyboard in use is not on the whitelist.
g) Implement device binding to protect the software token from being cloned.
- Promon SHIELD™'s Secure Local Storage comes with a device binding capability. Encryption keys are derived from a combination of the application package ID (bundle ID), a device-bound identifier, a customer-specified token and the data ID, so data sealed on one device cannot be decrypted by a copy of the app on another.
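To make the device binding scheme concrete, here is an added Go example (illustrative, not Promon's implementation) that derives a storage key from exactly the four inputs listed above, seals a software-token seed under it with AES-256-GCM, and then shows that the same blob fails to open on a second device whose identifier differs. The package name, device identifiers, customer token and seed value are constructed for the example; the key derivation is a single keyed-hash step rather than a full HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// bindingKey derives a 256-bit storage key from the four inputs the page lists.
// Each input is length-prefixed before hashing so that ("ab","c") and ("a","bc")
// cannot collide. The customer token keys the HMAC; the version label gives
// domain separation from any other use of the same token. (Simplified KDF:
// one extract step, no expand phase.)
func bindingKey(packageID, deviceID, customerToken, dataID string) []byte {
	mac := hmac.New(sha256.New, []byte(customerToken))
	for _, part := range []string{"device-binding-example/v1", packageID, deviceID, dataID} {
		mac.Write([]byte{byte(len(part) >> 8), byte(len(part))}) // 16-bit big-endian length
		mac.Write([]byte(part))
	}
	return mac.Sum(nil)
}

// seal encrypts plaintext under the device-bound key with AES-256-GCM.
// A fresh 12-byte nonce is prefixed to the output. dataID is also passed as
// associated data so a blob stored under one ID cannot be swapped in for
// another ID even on the same device.
func seal(key []byte, dataID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(dataID)), nil
}

// unseal reverses seal. Any change to the key inputs (different device ID,
// different package, different token) or to dataID makes the GCM tag fail,
// which is exactly the property that defeats a copied token store.
func unseal(key []byte, dataID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(dataID))
}

func main() {
	// Constructed identifiers for the example.
	const pkg, token, id = "com.example.bank", "cust-token-7f3a", "softtoken-seed"
	keyA := bindingKey(pkg, "device-A-id", token, id) // original enrolment device
	keyB := bindingKey(pkg, "device-B-id", token, id) // same app and data, cloned to another device

	blob, _ := seal(keyA, id, []byte("OTP seed 0x42"))
	_, errA := unseal(keyA, id, blob)
	_, errB := unseal(keyB, id, blob)
	fmt.Println("original device:", errA)
	fmt.Println("cloned device:  ", errB)
}
```

The security of the binding rests on the device-bound identifier being something an attacker cannot read out and replay on a second device; a value the app can read from a public API can be copied along with the blob, so in practice the identifier is sourced from hardware-backed storage where the platform offers it.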
Want to learn more about how you can secure your apps to meet the TRM guidelines?