30 January 2024

On 10 January 2024, the Cyber Security Agency of Singapore (“CSA”) published the Safe App Standard (“SAS”). Developers of applications (“apps”) created and hosted in Singapore are encouraged to adopt CSA’s recommended SAS in their app development.

Developed by CSA in consultation with industry partners from financial institutions, tech organisations, consultancy firms, and government agencies, the SAS is a recommended standard for mobile apps, providing a baseline of security controls for mobile app developers and providers to follow.

The recommendations and suggestions set out in the SAS aim to assist developers in mitigating a broad spectrum of cybersecurity threats and protecting their apps from the latest mobile scams and mobile malware exploits. With increasingly prevalent mobile app usage, many users could be exposed to potential risks such as monetary loss and unauthorised access to their confidential data. The SAS is targeted at apps that perform high-risk transactions, defined as those that allow transactions with some or full access to users’ financial accounts which, when compromised, can possibly result in significant monetary losses. Such transactions include changes to financial functions such as the registration of third-party payee details and an increase of the fund transfer limit.

Currently, the SAS focuses on four critical areas commonly targeted by threat actors: authentication, authorisation, data storage (data-at-rest), and anti-tampering and anti-reversing. The SAS will be updated in view of the evolving risk landscape. Future iterations will see the SAS expand to address security best practices and guidelines for the entire mobile app stack.

Reference materials

The following materials are available on the CSA website www.csa.gov.sg:

There is a dedicated webpage on the SAS within the CSA website.