The Technology Risk Management (TRM) Guidelines published by the Monetary Authority of Singapore (MAS) are, by and large, considered the benchmark of compliance standards for all regulated Financial Institutions (FIs). The Preface notes that the “underlying information technology (IT) infrastructure supporting financial services has grown in scope and complexity in recent years;” so too has the threat landscape, in both the intent and the sophistication of attackers.
TRM Guidelines for Mobile Application Security
The latest version of the TRM Guidelines was published in January 2021. Annex C specifically addresses Mobile Application Security. The following 7 security measures should be considered for securing mobile apps.
- Avoid storing or caching data in the mobile application to mitigate the risk of data compromise on the device. Data should be stored in a protected and trusted area of the mobile device;
- Protect private cryptographic keys;
- Implement anti-hooking or anti-tampering mechanisms to prevent injection of malicious code that could alter or monitor the behavior of the application at runtime;
- Implement appropriate application integrity check (e.g. using checksum and digital signature) to verify the authenticity and integrity of the application and code obfuscation techniques to prevent reverse engineering of the mobile application;
- Implement certificate or public key pinning to protect against man-in-the-middle attacks (MITMA);
- Implement a secure in-app keypad to mitigate against malware that captures keystrokes; and
- Implement device binding to protect the software token from being cloned.
How Banks Can Easily Comply with the TRM Guidelines for Mobile Application Security
There are several ways banks can comply with the TRM Guidelines for Mobile Application Security. One way is to depend on their mobile developers to write the code needed to implement the above-mentioned security measures. Another way is to add (multiple) SDK-based security solutions. Both options require manual work and neither option comes with a guaranteed outcome. The alternative is for banks, FinTech challengers, eWallets and apps that feature financial transaction capabilities to use Appdome to implement all 7 measures instantly, without code or coding.
Appdome is a no-code mobile app security platform designed to add security features in mobile apps. Appdome works with any Android and iOS app, built in any framework. Using Appdome, there are no development or coding prerequisites to build secured apps. Appdome does not require access to source code. And there is no SDK and no library to manually code or implement in the app.
Measure 1 – Data Encryption
The TRM guideline advises against storing or caching data in the mobile application to mitigate the risk of data compromise on the device. Data should be stored in a protected and trusted area of the mobile device.
Appdome’s TOTALData Encryption encrypts all mobile app data using AES-256 bit encryption. This includes data stored in the application sandbox, as well as data stored in the application’s code, specifically in the app preferences, strings, resources and in-app secrets, strings.xml values, and Java class .dex files.
Measure 2 – Secure Encryption Keys
The TRM guideline recommends the full protection of private cryptographic keys.
Appdome’s TOTALData Encryption dynamically generates symmetric encryption keys at runtime. Each symmetric key is generated by Appdome using industry-standard AES mechanisms. The keys are never stored on the mobile device.
Measure 3 – Application Shielding
The TRM guideline advocates the implementation of anti-hooking or anti-tampering mechanisms to prevent injection of malicious code that could alter or monitor the behavior of the application at runtime.
Appdome’s ONEShield RASP solution adds anti-debugging, anti-tampering, anti-reversing, checksum validation and other protections which prevent hooking, code injection, reverse engineering, dynamic and static analysis, and any unauthorized alterations to the app at runtime or otherwise. In addition, Appdome can also block specific dynamic instrumentation tools such as Frida and its derivative frameworks.
Measure 4 – Ensure Appropriate Application Integrity
The TRM guideline advises the full implementation of appropriate application integrity checks (e.g. using checksum and digital signature) to verify the authenticity and integrity of the application and code obfuscation techniques to prevent reverse engineering of the mobile application.
Appdome’s ONEShield and TOTALCode Obfuscation solutions include checksum validation, app integrity and structure validation and comprehensive code obfuscation (including native binary obfuscation, non-native code obfuscation, control flow obfuscation (app logic obfuscation), and debug info obfuscation).
Measure 5 – Prevent Man-in-the-Middle Attacks
The TRM guideline recommends the full implementation of certificate or public key pinning to protect against Man-in-the-Middle (MitM) attack scenarios.
Appdome’s Secure Communication solution includes secure certificate pinning, as well as certificate validation (to protect against forged or altered certificates), session integrity validation, malicious proxy detection, and various session control enforcement options – all of which protect against MitM attacks.
Measure 6 – Prevent Keyloggers and Overlay Attacks
The TRM guideline suggests implementing a secure in-app keypad to mitigate against malware that captures keystrokes.
Appdome’s Mobile Fraud and Malware Prevention solution detects and blocks keylogger attacks as well as app overlay attacks to stop exfiltration of keystroke information and the harvesting of banking account information.
Measure 7 – Prevent Cloning of Software Tokens
The TRM guideline highlights the need to implement full device binding to protect the software token from being cloned.
Software tokens from Appdome-Secured apps cannot be cloned. Encryption keys are not stored on the device; they are dynamically generated at runtime using AES-256. As such, device binding is an unnecessary step to achieve compliance with measure 7.
How to Comply with the TRM Guidelines for Mobile Application Security Using Appdome
Here is a summary overview of how Appdome instantly helps banks and financial institutions comply with the TRM guidelines for mobile app security, without any coding.
Recommendations for CISOs Looking to Comply with the TRM Guidelines for Mobile Application Security
Appdome makes compliance with TRM guidelines fast and easy. As a bonus, Appdome can also protect your mobile banking apps against the OWASP mobile Top 10 Risks.
Create your account and get started with Appdome today. Or request a demo and our Singapore based team will reach out to you and show you how easy it is to comply with the TRM guidelines for mobile application security.