![Page 1: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/1.jpg)
App Security Framework
Rehan MasoodState Bank of Pakistan
4-5 December 2019#financialinclusion
![Page 2: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/2.jpg)
Country Landscape
High cell-phone penetration• Mobile density stands at 77%; more than 162
million NADRA* verified cell phone connections
High internet usage• More than 71 million mobile 3G/4G/LTE users
60% population under the age of 45 years
Adopted National Financial Inclusion Strategy in 2015
National Payment System Strategy in Nov 2019
DFS Potential**
7% boost to GDP by 2025
4 million new jobs
US$ 263 Billion new deposits
*National Database & Registration Authority**MCKINSEY GLOBAL REPORT, “DIGITAL FINANCE FOR ALL: POWERING INCLUSIVE GROWTH IN EMERGING
ECONOMIES” SEP 16
![Page 3: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/3.jpg)
DFS Market• Branchless Banking 11 licensed providers
38 million BB accounts
420,000 BB Agents
21 million USSD users; 7 million app users
• Conventional Banking 23 Bank Apps
6 million users
• EMIs Regulations aimed at removing entry barriers
for non-banking companies
Issue e-money for payment services
Branchless Banking
Conventional Banks
EMIs
![Page 4: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/4.jpg)
DFS Stakeholders
• Users
• Mobile Network Operators (MNOs)
• DFS Providers
• Retail Agents
• Banking Regulators
• Telecom Regulators
• Identity Verification Services
• Third Party Service Providers
![Page 5: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/5.jpg)
Digital ID stack
Biometric Digital ID
SIM (re)issuance
Account Opening
ADC Activation
OTC Fund Transfers
![Page 6: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/6.jpg)
App Security FrameworkScope• Applicable to all banks, branchless banking providers, EMIs, PSPs
• Addresses mobile applications for smart devices
• Covers mobile app ecosystem processes involved in:• capturing, storing, processing and transmitting financial/non-financial
information
• Includes people, processes, infrastructure including: • mobile apps, web services, server-side databases, storage and network
communications etc.
![Page 7: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/7.jpg)
Intended Outcomes
Strengthen Internal Control Environment in
Regulated Entities
Secure Regulated Entities'
Arrangements with Third
Parties
Increase Customers Awareness
Adopt Global Industry
Standards
![Page 8: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/8.jpg)
Applicability
• App owners shall use this framework for:• Architecture
• Design
• Development and
• Deployment
• App owners shall ensure that the requirements in this framework are used by architects, developers, testers, security professionals, and consumers to define and understand the qualities of a secure mobile app.
![Page 9: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/9.jpg)
Major Vulnerabilities
Weak Server-side controls
Insecure Data Storage
Insufficient Transport
Layer Protection
Unintended Data Leakage
Weak Authorization/Authentication
Poor Session Handling
![Page 10: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/10.jpg)
Security Dimensions
AccessControl
Authentication
CIA
Non-repudiation
Communication Security
![Page 11: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/11.jpg)
References
International Telecommunication Union (ITU) ITU-T Focus Group Digital Financial Services: Security Aspects of Digital Financial Services
(DFS)
X.805 : Security architecture for systems providing end-to-end communications
OWASP Mobile Application Security Project
National Information Assurance Partnership Protection Profile for Application Software
![Page 12: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/12.jpg)
Mobile App Security Requirements
Authentication &
Authorization
Protection of Sensitive Data
Network Security
Secure Coding
Input/output Handling
Tampering Detection
Tampering Detection
Logs and Data Leakage
![Page 13: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/13.jpg)
Authentication and Authorization
Device binding and account tagging
Biometric-based activation
Separate login authentication and transaction
authorization
Multifactor authentication
Strong, configurable access
codes (PIN/Password, bio)
Strict minimum validity of OTPs
Idle session termination
![Page 14: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/14.jpg)
Protection of Sensitive Data
PCI-DSS
Sensitive information not to be stored on mobile devices
Use of industry standard cryptography
Encryption of sensitive data in-transit and at rest
Sensitive data shall not be transmitted through vulnerable channels
![Page 15: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/15.jpg)
Network Security
Transport layer encryption for all communications between the mobile app and servers.
Inbuilt controls to mitigate bypassing of certificate pinning
Certification errors shall not be ignored
Use of valid certificates issued by a trusted certificate authority
![Page 16: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/16.jpg)
Session Management
Automatic user-logoff functionality after a configurable idle time-period
Easy to use and clearly visible logoff method
Disable access to mobile app server from devices which are reported lost or stolen.
Procedure for customers to report lost or stolen devices
Detect multiple simultaneous login attempts and communicate it to the users
![Page 17: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/17.jpg)
Tampering Detection
Checks on server-side to verify mobile app integrity and to detect any manipulation.
Installation of mobile apps not allowed on rooted/jail broken devices.
Debugger/emulator detections in place
![Page 18: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/18.jpg)
Secure Coding
Adhere to industry accepted secure coding practices and standards
Avoid vulnerable/deprecated components, protocols, libraries, scripts etc
Code signing shall be used for mobile apps
![Page 19: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/19.jpg)
Input and Output Handling
Data to be sanitized and validated
Auto-complete feature shall be disabled for sensitive information
Clipboard/ copy-paste function shall be disabled for sensitive data
![Page 20: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/20.jpg)
Logs and Data Leakage
Mobile app logs shall not contain any sensitive data
Log server shall be segregated from application servers
Protect the logs from unauthorized modification or destruction
Audit logs shall be maintained at the server level
Retain logs for a period of 05 years at a minimum
![Page 21: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/21.jpg)
App Hosting
Mobile apps shall be hosted only at the relevant platform store such as Google Play Store, App Store
Shall not be hosted at app owner’s website or the vendor website or any other third-party website
Ensure that all users are informed that its mobile app is not hosted on third party stores
![Page 22: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/22.jpg)
How to assess compliance?
Mandatory pen-tests of the mobile apps
Periodic vulnerability
scans
??
![Page 23: App Security Framework€¦ · •mobile apps, web services, server-side databases, storage and network communications etc. Intended Outcomes Strengthen Internal Control Environment](https://reader035.vdocuments.us/reader035/viewer/2022071215/6045cb5b50f0bb43cd14361c/html5/thumbnails/23.jpg)
Thank you