SBP Issues Security Guidelines for Mobile Payment App Companies

In line with international standards and best practices, the State Bank of Pakistan (SBP) has developed comprehensive Mobile App Security Guidelines providing baseline security requirements for App owners in order to ensure confidentiality and integrity of customer data and availability of app services in a secure manner, when developing payment applications for mobile or other smart devices.

App owners shall use these guidelines for the architecture, design, development, and deployment of mobile payment apps and the associated environment that consumers use for digital financial services.

The requirements of these guidelines shall be applicable to all Financial Institutions, authorized Payment Systems Operators/Payment Service Providers (PSOs/PSPs), Electronic Money Institutions (EMI), and any other SBP regulated/licensed/authorized institutions (hereinafter collectively referred to as ‘App owners’) which are developing, procuring, operating, facilitating, or providing digital financial services through mobile apps to end-users.

The requirements of these guidelines shall cover the entire mobile app ecosystem involved in capturing, storing, processing, and transmitting financial/non-financial information, which includes but is not limited to mobile apps, web services, server-side databases, storage, and network communications, etc.

General Requirements

App owners shall develop a policy governing mobile apps’ business objectives, standards, compliance, guidelines, controls, responsibilities, and liabilities. App owners may formulate this policy separately or include the same as part of their overall digital channels development policy. As a principle, the policy shall achieve a balance between the security of apps, convenience, and performance. The policy shall at least be revised annually and/or when a significant change is made in the environment.

Mobile App Security Requirements

App owners shall develop a standard architecture based on a prescribed set of security principles, rules, techniques, processes, and patterns to design a secure mobile application.

The entire development of the mobile app shall revolve around the architecture principles, which can be updated based on the learnings during the course of development of application layers (or equivalent) and operational usage and consumer feedback.

App owners shall ensure that the mobile payment app architecture is robust and scalable, commensurate with the transaction volumes and customer growth. For this purpose, a robust capacity management plan shall be put in place to meet evolving demand.

Protection of Sensitive Payment Data and Personal Data

App owners shall ensure that sensitive information is not stored in a shared store segment with other apps on mobile devices. It is recommended to utilize only the device’s internal storage, which is virtually sandboxed per app or preferably in a container app without meddling with other applications or security settings of the mobile devices.

App owners shall ensure that confidential data is deleted from caches and memory after it is used and/or when the app is uninstalled. Further, app owners shall ensure that mobile apps erase/expire all application-specific sensitive data stored in all temporary and permanent memories of the device during logoff or on unexpected termination of the app instance.

Customer credentials and transactional data shall be encrypted while in transit and at rest using strong, internationally accepted, and published standards for key length, algorithms, cipher suites, digital certificates, and applicable protocols that are not deprecated, demonstrated to be insecure, or vulnerable.

Encryption keys shall only be stored with appropriate robust security controls and shall remain in a non-exportable form in a highly secure and standard key store. It may be bound to the secure hardware (e.g. Trusted Execution Environment, Secure Element for Android, or its equivalent on any other platform). Further, Key Use Authorization shall be implemented, which should not be changed after the generation of keys.

Application Programming Interface (APIs)

In order to establish adequate safeguards to manage the development and provision of APIs for secure delivery of third party provided services through mobile apps, App owners shall establish security standards for designing and developing secure APIs including measures to protect the API keys or access tokens, which are used to authorize access to APIs to exchange confidential data.

App owners shall define and enforce a reasonable timeframe for access token expiry to reduce the risk of unauthorized access.

App owners shall have the ability to log access sessions by third parties, including the identity of the third party making the API connections and the data being accessed by them. App owners shall perform robust security screening and testing of the API between the app owners and third parties before going live.

Monitoring, Logs, and Data Leakage

App owners shall ensure that the app usage behavior is maintained and monitored through an automated mechanism and deploy tools to identify any anomaly in the usage and behavior. The mechanism shall integrate with the complete process of customer support for verification to clear the anomaly for consumer protection.

App owners shall ensure that mobile app logs do not contain any sensitive data; where such data is essentially required, it should be masked such that it no longer remains directly constructible in its complete form by collating components.
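The masking requirement above can be illustrated as follows. This is an added example, not code from the SBP guidelines or from any app owner; the function names, the choice of card numbers as the sensitive field, and the sample log line are assumptions constructed for illustration. It masks card numbers with one fixed rule before logging and shows why two components that mask different positions defeat the requirement when their logs are collated.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so unrelated long numbers (e.g. order ids) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """One fixed rule for every component: keep only the last four digits."""
    return "*" * (len(digits) - 4) + digits[-4:]

def redact_line(line: str) -> str:
    """Mask every Luhn-valid card number before the line reaches any log sink."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, line)

def collate(masked_views):
    """Overlay masked views of one value: what a reader of all the logs can see."""
    out = ["*"] * len(masked_views[0])
    for view in masked_views:
        for i, ch in enumerate(view):
            if ch != "*":
                out[i] = ch
    return "".join(out)

# Constructed sample data; 4111111111111111 is a widely used test card number.
SAMPLE = "2022-01-05 pay ok card=4111 1111 1111 1111 order=1234567890123 amt=500"

if __name__ == "__main__":
    print(redact_line(SAMPLE))
    # Two components masking different positions: collation rebuilds the number.
    print(collate(["411111******1111", "******111111****"]))
    # Same rule everywhere: collation reveals nothing beyond the last four digits.
    print(collate([mask_pan("4111111111111111")] * 2))
```

Applying the same mask in every component is what keeps the value from being reconstructed; a review of log formats across the app, API gateway, and back end should check that no two of them expose complementary digit positions.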

App owners shall implement appropriate security safeguards to protect the logs from unauthorized modification or destruction.

App owners shall ensure that all mobile payments servers and the ecosystem logs are available for audits. App owners shall implement appropriate control to protect transactional data/information against any loss or damage. Server access controls and audit logs shall be maintained at the server level as per data retention policy or as may be determined by SBP.

Error and Exception Handling

Mobile apps shall have a proper error-handling mechanism and all errors shall be logged on the server.

Sensitive information and/or hints shall not be disclosed in error/warning messages and notifications.

App owners shall notify users about updates and enforce them within a grace period depending upon the criticality of the fixes. The information about fixes shall be published in in-app release notes.

It is pertinent to mention here that mobile payment applications (mobile apps) have become an alternate payment channel for a growing number of users. SBP-regulated entities have been offering innovative products and services through mobile applications. Consequently, opportunities for the fraudsters to exploit vulnerabilities in mobile apps and defraud the customers have also increased manifold.

App owners shall ensure that their mobile apps and associated infrastructure are compliant with the requirements of these guidelines by December 31, 2022, at the latest.
