In June 2020, Bank Negara Malaysia (the Central Bank of Malaysia) published Risk Management in Technology (RMiT), a policy document setting out the Bank’s requirements with regard to financial institutions’ management of technology risk.
Section 1.2 of the document states that “the Bank understands that there is a need for financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for the increased vigilance and capability of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data.”
The policy document further states in section 1.3 that “all financial institutions shall observe minimum prescribed standards in this policy document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system. The control measures set out in Appendices 1 to 5 serve as a guide for sound practices in defined areas.” Appendix 4 lists the control measures on mobile applications and devices. In this blog, I will highlight how Malaysian banks and fintechs can use Appdome to secure their mobile applications and comply with the Risk Management in Technology control measures.
Risk Management in Technology Control Measures for Mobile Applications
Appendix 4 of the RMiT policy document is broken into 2 paragraphs. Paragraph 1 covers customer-facing apps. It states that “digital payment, banking and insurance services involving sensitive customer and counterparty information offered via mobile devices should be adequately secured”. Paragraph 2 covers internal, employee apps. It lists additional measures specifically “for applications running on mobile devices used by the financial institution, appointed agents or intermediaries for the purpose of processing customer and counterparty information”.
Use Appdome to Comply with the Risk Management in Technology Control Measures for Mobile Applications
Appdome is a no-code mobile app security and fraud prevention platform designed to add security features to mobile apps. Appdome works with any Android and iOS app, built in any framework. Using Appdome, there are no development or coding prerequisites to build secured apps. Appdome does not require access to source code. And there is no SDK and no library to manually code or implement in the app.
Using Appdome to Comply with Paragraph 1
Here is how Appdome can help Malaysian financial institutions comply with the control measures in paragraph 1. [Note: 1 (a) refers to the first control measure in paragraph 1 and so forth.]
1 (a) ensure mobile applications run only on the supported version of operating systems and enforce the application to only operate on a secure version of operating systems which have not been compromised, jailbroken or rooted i.e. the security patches are up-to-date.
Using Appdome, banks and fintechs can build a secure version of their mobile banking app or mobile fintech app that includes jailbreak or root prevention. Additionally, they can ensure that their apps cannot be compromised by Frida toolkits or by the use of Magisk Manager or Magisk Hide.
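To make control measure 1 (a) concrete, here is the kind of start-up posture check an Android app can perform on its own to refuse to run on an unsupported OS version, a stale security-patch level, or a device showing common root indicators. This is an added example, not Appdome’s code; the minimum API level, the minimum patch date and the list of `su` paths are illustrative assumptions, and the checks are heuristics, not proof that a device is clean.

```java
import android.os.Build;

import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not Appdome code): a start-up self-check that refuses to operate on an
// unsupported OS version, an out-of-date security patch level, or a device showing common
// root indicators. Thresholds and paths below are illustrative assumptions.
public final class DevicePostureCheck {

    // Assumption: the institution's minimum supported Android API level.
    static final int MIN_SDK = 29;

    // Assumption: oldest acceptable security patch level. Build.VERSION.SECURITY_PATCH
    // is formatted "YYYY-MM-DD", so a plain string comparison orders dates correctly.
    static final String MIN_SECURITY_PATCH = "2023-01-01";

    // Well-known locations of the su binary on rooted devices.
    static final List<String> SU_PATHS = Arrays.asList(
            "/system/bin/su", "/system/xbin/su", "/sbin/su",
            "/su/bin/su", "/system/sd/xbin/su", "/data/local/xbin/su");

    private DevicePostureCheck() {}

    // Reads the live device properties and returns the list of failed checks;
    // an empty list means the device passed.
    public static List<String> findings() {
        return findings(Build.VERSION.SDK_INT, Build.VERSION.SECURITY_PATCH, Build.TAGS);
    }

    // Pure variant that takes the device properties as parameters so the policy
    // can be unit-tested off-device with constructed values.
    static List<String> findings(int sdkInt, String securityPatch, String buildTags) {
        List<String> problems = new ArrayList<>();
        if (sdkInt < MIN_SDK) {
            problems.add("unsupported OS: API " + sdkInt + " < " + MIN_SDK);
        }
        if (securityPatch == null || securityPatch.compareTo(MIN_SECURITY_PATCH) < 0) {
            problems.add("security patch level " + securityPatch
                    + " is older than " + MIN_SECURITY_PATCH);
        }
        // Production builds are signed with release keys; "test-keys" indicates a custom
        // or development ROM, a common (though not conclusive) root indicator.
        if (buildTags != null && buildTags.contains("test-keys")) {
            problems.add("build signed with test-keys");
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                problems.add("su binary present at " + path);
                break;
            }
        }
        return problems;
    }

    // Usage at app start-up: refuse to continue (and report the findings to the
    // institution's backend) if any check failed.
    public static boolean isDeviceAcceptable() {
        return findings().isEmpty();
    }
}
```

Because these checks live inside the app, a repackaged copy can simply have them removed, which is why the requirement pairs naturally with the tamper and anti-debugging protection discussed under 1 (b): the checks only hold up if the code that runs them is itself protected.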
1 (b) design the mobile application to operate in a secure and tamper-proof environment within the mobile devices. The mobile application shall be prohibited from storing customer and counterparty information used for authentication with the application server such as PIN and passwords. Authentication and verification of unique key and PIN shall be centralized at the host.
Every Appdome-secured app has extensive Runtime Application Self-Protection (RASP). ONEShield™ by Appdome protects the app from any attempts to debug, tamper or reverse engineer it, thus ensuring that the mobile application operates in a secure and tamper-proof environment.
1 (c) undertake proper due diligence processes to ensure the application distribution platforms used to distribute the mobile application are reputable.
With Appdome’s piracy prevention, Malaysian financial institutions can ensure that their mobile banking apps, e-wallets and other fintech apps can only be distributed via the official app stores and cannot be re-signed and redistributed by fraudsters to non-official app stores.
1 (d) ensure proper controls are in place to access, maintain and upload the mobile application on application distribution platforms.
This control measure refers to the internal DevSecOps processes inside the bank. Appdome is a Mobile DevSecOps platform that can help Malaysian banks and fintechs fully automate the process of securing and distributing mobile apps.
1 (e) activation of the mobile application must be subject to authentication by the financial institution.
Appdome’s Certified Secure™ gives the financial institution instant validation and verification that the security required under these Risk Management in Technology control measures for mobile applications is indeed in the app. This certificate can be used as documented proof to Bank Negara Malaysia that the app was subject to review and authentication before it was released to the public app stores.
1 (f) ensure secure provisioning process of mobile application in the customer’s device is in place by binding the mobile application to the customer’s profile such as device ID and account number.
Appdome does not conflict with device binding software. In addition, software tokens from Appdome-secured apps cannot be cloned. Encryption keys are not stored on the device; they are generated dynamically at runtime using AES-256.
1 (g) monitor the application distribution platforms to identify and address the distribution of fake applications in a timely manner.
Hackers, fraudsters and other bad actors can easily create clones of mobile applications. Most applications do not prevent decompiling the app, changing its code, or even injecting malicious code and re-signing the app. These clones are then distributed to official and non-official app stores in the hope that unsuspecting consumers will download the fake application. With Appdome, Malaysian financial institutions can protect their apps and prevent decompiling and reverse engineering, prevent code tampering, prevent (malicious) code injection, and prevent re-signing. Additionally, they can prevent publishing to non-approved app stores.
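The re-signing and non-approved-store points in 1 (c) and 1 (g) come down to two runtime facts the app can verify about itself: which certificate it is currently signed with, and which installer put it on the device. The following is an added example, not Appdome’s code, showing both checks with the standard Android `PackageManager` APIs; the expected certificate digest is a placeholder to be replaced with the institution’s real release-certificate SHA-256, and treating `com.android.vending` as the only approved installer is an assumption.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

// Added example (not Appdome code): an app verifying at runtime that it is still signed
// with the institution's release certificate and was installed from an approved store.
// A repackaged clone has to be re-signed with a different key, so its certificate
// digest will not match EXPECTED_CERT_SHA256.
public final class AppIntegrityCheck {

    // Placeholder: SHA-256 (hex) of the institution's release signing certificate,
    // e.g. as printed by `apksigner verify --print-certs` for the release APK.
    static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX";

    // Assumption: only installs from the Google Play installer package are approved.
    static final Set<String> APPROVED_INSTALLERS = Collections.singleton("com.android.vending");

    private AppIntegrityCheck() {}

    // True if any certificate in the app's signing lineage matches the expected digest.
    public static boolean isSignedWithExpectedCertificate(Context ctx) {
        try {
            for (Signature sig : currentSigners(ctx)) {
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) {
                    return true;
                }
            }
            return false;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed: an unverifiable app is treated as tampered
        }
    }

    // True if the installing package is one of the approved store installers.
    public static boolean isInstalledFromApprovedStore(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String installer;
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
                installer = pm.getInstallSourceInfo(ctx.getPackageName()).getInstallingPackageName();
            } else {
                installer = pm.getInstallerPackageName(ctx.getPackageName());
            }
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
        return installer != null && APPROVED_INSTALLERS.contains(installer);
    }

    // Returns the signing certificates of the running app. On API 28+ the signing
    // lineage (history after a key rotation) is used when there is a single signer.
    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return info.signingInfo.hasMultipleSigners()
                    ? info.signingInfo.getApkContentsSigners()
                    : info.signingInfo.getSigningCertificateHistory();
        }
        @SuppressWarnings("deprecation")
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures;
    }

    // Hex-encoded SHA-256 of a DER-encoded certificate.
    static String sha256Hex(byte[] der) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Run both checks early (before any customer data is handled) and report failures to the backend, so the institution gets the timely signal about fake applications that 1 (g) asks for rather than relying on the device alone. As with the posture check, a clone can strip this code out, so its value depends on the anti-tampering protection around it.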
Using Appdome to Comply with Paragraph 2
Paragraph 2 of the control measures on mobile applications and devices covers all the mobile applications used by the financial institution’s employees. In order to comply with these control measures, the bank would either need to use a Unified Endpoint Management (UEM), Mobile Device Management (MDM) or Mobile Application Management (MAM) solution, or create a Secure Progressive Web Application (PWA) for each application used by the employees. In both cases, Appdome can help, either with a no-code implementation of a UEM, MDM or MAM SDK or with Appdome’s SecurePWA solution.
Recommendations for CISOs Looking to Comply with the Risk Management in Technology Control Measures for Mobile Applications
Appdome makes compliance with the RMiT control measures fast and easy. As a bonus, Appdome can also help you comply with the TRM Guidelines for Mobile App Security issued by the Monetary Authority of Singapore (MAS), as well as protect your mobile banking apps against the OWASP Mobile Top 10 risks.