29 October 2024

On 15 October 2024, the Cybersecurity Security Agency (“CSA”) published the “Safe App Standard 2.0” (“SAS 2.0”) to strengthen the overall security posture of mobile applications (“mobile apps”) deployed in Singapore, and better safeguard app transactions and user data. 

SAS 2.0 is an updated version of the first Safe App Standard (“first SAS”) published in January 2024 and continues to focus on high-risk apps with transactions that could result in significant financial losses. For more on the first SAS, please read our article “CSA issues Safe App Standard to provide guidance on enhancing security of mobile applications”. 

SAS 2.0 introduces the following four new key areas to provide app developers and owners with comprehensive guidelines to fortify the security of their mobile app: 

  • Network communication: To protect data communicated between the app and servers from electronic eavesdropping or alteration by encrypting it with secure protocols and making sure data is sent only to trusted servers. 
  • Cryptography: To provide an additional layer of protection to ensure the confidentiality and integrity of data by using strong cryptographic algorithms in encryption and digital signatures, and by securely managing cryptographic keys to minimise the risk of compromise. 
  • Code quality and exploit mitigation: To detect and mitigate software vulnerabilities and common coding bugs. 
  • Platform interactions: To ensure that developers implement security measures for operating system features such as keyboards and in-app links which lead to webpages. 

These are additions to the following four key areas covered previously in the first SAS: 

  • Authentication: To validate user identity and ensure legitimate access, by employing multiple authentication factors, such as biometrics and cryptographic tokens, and securing user sessions. 
  • Authorisation: To validate access rights to app resources and device functions by securely implementing permissions on both server- and client-sides, whilst maintaining user transparency. 
  • Data storage: To safeguard sensitive data in app servers and user devices against data theft by storing only necessary data, encrypting them, and deleting the data when no longer needed. 
  • Anti-tampering and anti-reversing: To prevent modifications to and the compromise of the app by ensuring they run only on secure platforms and attempts at tampering of the source code and runtime environments can be detected. 

CSA strongly encourages developers of apps that are both developed and hosted in Singapore to adopt SAS 2.0 in their app development.

Reference materials 

The following materials are available on the CSA website www.csa.gov.sg: