Companies likely to incur significant costs to meet cyber agency’s standard for mobile app safety
Source: Business Times
Article Date: 12 Jan 2024
Author: Yong Jun Yuan
Developers are encouraged to adopt the new standard, which was published on Wednesday, to protect their apps from common malware and phishing attacks.
Cybersecurity experts warned the costs incurred by companies to make their mobile applications safe could pile up, as malware and other malicious threats become more sophisticated.
This comes after the Cyber Security Agency of Singapore on Wednesday (Jan 10) published a recommended standard for mobile apps, particularly for those that perform high-risk transactions, such as banking and e-commerce apps.
Developers are encouraged to adopt the new standard to protect their apps from common malware and phishing attacks.
Appdome mobile app security product lead Jan Sysmans said that the standard represents “positive progression” in the nation’s efforts to develop a holistic cybersecurity strategy for mobile applications.
The standard recommended by the CSA references some of the requirements established by the Open Worldwide Application Security Project (OWASP). However, Sysmans noted that a 2022 study by penetration testing company eShard found that most apps do not meet these security requirements.
“These organisations will find it more demanding on their time and resources to implement the standard across their mobile apps,” he said.
Furthermore, Sysmans said that there may be an inherent conflict of interest between app developers and security teams.
“While development teams focus on enhancing the app’s customer experience, security considerations may be sidelined,” he said, adding that he has seen instances of apps being released without the latest security measures to meet deadlines.
Jeffrey Kok, vice-president of solution engineers for Asia Pacific and Japan at cybersecurity provider Cyberark, said that the cost of implementing the standard will depend on how many security controls a company’s app already has.
“If an app has implemented very few security controls, the cost to implement the standard will be rather significant,” he said.
He added that the most challenging security controls within the standard are those that prevent bad actors from tampering and reverse-engineering apps.
“These measures are intricate, and involve relatively new concepts which require ongoing effort to maintain,” Kok said.
Still, IDC Asia Pacific research vice-president Simon Piff does not anticipate a significant increase in costs for any organisation with mature DevOps, the set of practices that integrate software development and IT operations so that changes can be built, tested and released continuously.
“This may not be the case for organisations that have outsourced their app development as they may not have agreed to any form of updating.
“At the same time, third parties that have developed apps now have a market opportunity to address any older apps that they have not ‘maintained’ recently, so it’s potentially a market opportunity more than a cost to business,” he said.
Malware scams became more prevalent in 2023, with over 1,400 victims losing at least S$20.6 million between January and August, according to police data.
In August 2023, OCBC was the first of the three local banks to introduce measures that prevent its mobile app from working when it detects malicious apps on the same device. Other banks have since introduced similar features in their mobile apps.
In a parliamentary speech on Wednesday, Minister for Communications and Information Josephine Teo said that the ministry will assess the standard’s usefulness before deciding if it should be made mandatory.
Still, it could make financial sense for companies to update their apps to meet the standard before it is made mandatory.
Software company Manageengine president Rajesh Ganesan said that companies will need to weigh considerations – such as workflow disruptions, the need for employee training and adjustments to existing processes – against the risk of a potential breach.
“The implementation of the standard becomes a strategic investment that yields cost savings by proactively preventing security incidents that would otherwise lead to significant financial losses over the long term,” he said.
Cyberark’s Kok noted that cybercriminals tend to go after the “easiest and slowest prey”.
“If others in the industry are already further ahead, then you will be the most attractive target,” he said. “The faster organisations can catch up by implementing the standard, the safer they will be.”
In response to queries from The Business Times, a UOB spokesperson said that the bank welcomes the new standard, and that it continues to work closely with the regulator, law enforcement agencies and the industry to fight scams.
The spokesperson added that the bank has implemented multiple security controls for digital banking, such as sending SMS notifications when new payees are added. “Customers should be aware that scam methods are constantly changing and evolving, and these anti-scam measures are not foolproof.”
Customers should stay vigilant, the spokesperson added.
Source: Business Times © SPH Media Limited. Permission required for reproduction.