Safe App Standard
Product Information
Details
- Product Name: CSA's Safe App Standard
- Version: 1.0
- Release Date: January 10, 2024
About the Standard
CSA's Safe App Standard is a set of guidelines and best practices for implementing secure authentication controls in mobile applications. It aims to ensure the secure authentication of users and devices and to protect sensitive data from unauthorised access. The framework was developed in consultation with various organisations and experts in the field of cybersecurity.
Purpose, Scope, and Intended Audience
The purpose of CSA's Safe App Standard is to provide developers with recommendations and best practices for implementing secure authentication controls in mobile applications. The standard applies to developers and organisations involved in developing mobile applications that require authentication. It is designed to improve the overall security of the authentication process and to protect user identity.
Disclaimer and Guiding Principles
CSA's Safe App Standard provides guidelines to developers on implementing secure authentication controls. It emphasises the importance of following best practices and ensuring that authentication mechanisms are implemented securely. Developers should refer to the standard for detailed guidelines on implementing security controls.
Document Conventions and Normative References
CSA's Safe App Standard includes document conventions and normative references that clarify the terms used and point to other relevant industry standards and guidelines. Developers should refer to these definitions and references for a better understanding of the standard.
Usage Guidelines
Authentication
Authentication is a critical component of most mobile applications. It verifies the identity of users, clients, applications, and devices before granting access to specific resources or allowing certain actions. CSA's Safe App Standard provides recommendations and best practices for implementing secure authentication controls.
Security Controls
CSA's Safe App Standard includes the following authentication security controls:
ID | Control
---|---
AUTHN-BP01 | The app uses Multi-Factor Authentication (MFA) to authenticate high-risk transactions.
AUTHN-BP02 | The app uses contextual factors for authentication.
AUTHN-BP03 | The app implements secure session authentication.
AUTHN-BP04 | The app implements session termination on logout, inactivity, or app closure.
AUTHN-BP05 | The app implements brute force protection for authentication.
AUTHN-BP06 | The app implements transaction integrity verification.
AUTHN-BP01 – Multi-Factor Authentication (MFA)
In a single-factor authentication system, users typically only need to provide a Something-You-Know (such as a username and password). MFA adds further layers of identity verification by requiring additional factors such as a Something-You-Have and a Something-You-Are. This makes it considerably harder for malicious actors to compromise credentials and improves the overall security of the authentication process.
Implementation Guidelines
Developers should implement Step-up MFA, which requires an additional level of authentication for higher-risk transactions. CSA's Safe App Standard prioritises MFA combinations of the following factors:
- Something-You-Know
- Something-You-Have
- Something-You-Are
Frequently Asked Questions (FAQ)
Q: What is the purpose of CSA's Safe App Standard?
A: The purpose of CSA's Safe App Standard is to provide developers with recommendations and best practices for implementing secure authentication controls in mobile applications.
Q: Who is the intended audience for CSA's Safe App Standard?
A: CSA's Safe App Standard is intended for developers and organisations involved in developing mobile applications that require authentication.
Q: What are the benefits of implementing Multi-Factor Authentication (MFA)?
A: Implementing MFA adds further layers of identity verification, making it more challenging for malicious actors to compromise credentials and improving the overall security of the authentication process.
CSA's Safe App Standard Version 1.0, Released January 10th 2024
In consultation with:
· The Association of Banks in Singapore, Standing Committee on Cyber Security
· Deloitte Southeast Asia Risk Advisory
· Ernst & Young Advisory Pte. Ltd.
· KPMG in Singapore
· Lazada
· Microsoft Singapore
· PricewaterhouseCoopers Risk Services Pte. Ltd.
Disclaimer:
These organisations were consulted on the Standard for input and feedback on the security controls, the descriptions of the security controls, and the specific implementation guidelines. To the fullest extent permitted under law, CSA and the external consultants shall not be liable for any inaccuracies, errors and/or omissions in, or for any loss or damage of any kind (including any loss of profits, business, goodwill or reputation, and/or any special, incidental or consequential damages) in connection with, any use of or reliance on this Standard. Organisations developing mobile apps, service providers and developers are advised to consider how the Standard applies to their specific circumstances and to obtain their own legal and/or technical advice on the contents and/or the implementation of the recommendations within the Standard. Organisations developing mobile apps, service providers and developers should exercise professional judgement when implementing the recommendations within the Standard, and should also assess whether additional measures are required for their specific circumstances.
Contents
· In consultation with
· Disclaimer
· About the Standard
· Purpose, Scope, and Intended Audience
· Disclaimer and Guiding Principles
· Document Conventions and Normative References
· 1. Authentication
  o AUTHN-BP01, AUTHN-BP01a, AUTHN-BP01b, AUTHN-BP01c
  o AUTHN-BP02
  o AUTHN-BP03, AUTHN-BP03a, AUTHN-BP03b
  o AUTHN-BP04, AUTHN-BP05, AUTHN-BP06
· 2. Authorization
  o AUTHOR-BP01, AUTHOR-BP02, AUTHOR-BP03, AUTHOR-BP04
· 3. Data Storage (Data-at-Rest)
  o STORAGE-BP01, STORAGE-BP02, STORAGE-BP02a, STORAGE-BP02b, STORAGE-BP03
· 4. Anti-Tamper & Anti-Reversing
  o RESILIENCE-BP01, RESILIENCE-BP02, RESILIENCE-BP03, RESILIENCE-BP04, RESILIENCE-BP05, RESILIENCE-BP06, RESILIENCE-BP07
· Definitions
About the Standard
Introduction
The Safe App Standard is a recommended standard for mobile applications (apps), developed by the Cyber Security Agency of Singapore (CSA) in consultation with industry partners from financial institutions, technology organisations, consulting firms and government agencies.
Overview
The purpose of the Standard is to put forward a set of security guidelines and controls for mobile app developers and companies to follow. This will ensure that all local apps adhere to a consistent set of mobile app security guidelines, and raise the security posture of apps developed and used in Singapore.
Purpose, Scope, and Intended Audience
This document was developed to provide recommendations and guidance to developers to assist them in implementing security functionality within their apps. These recommendations and guidance are intended to help developers reduce the breadth of cybersecurity threats and protect their apps from new mobile-based attack vectors and mobile malware. The contents are non-binding, provided on a non-reliance basis and intended to be illustrative in nature; they are not intended to fully address all cybersecurity risks or to be an exhaustive list of measures or practices that developers should put in place to address or mitigate threats. Version 1 of the Safe App Standard guidelines and security controls will prioritise providing security guidelines to developers of high-risk apps, to counter emerging mobile-based threats and attack techniques observed in Singapore's threat landscape. However, these security controls can also benefit, and be implemented by, other apps. All developers are encouraged to adopt these practices to further enhance the security of mobile apps. While this Standard has a core focus, its scope will be expanded in the future to cover security best practices and guidelines for the entire mobile app stack.
Disclaimer and Guiding Principles
This is a living document that will be reviewed and revised from time to time. Like many other security standards, the Safe App Standard is a living document that will be updated regularly to keep pace with the current threat landscape and emerging threats. Please refer to CSA's website to stay updated on the latest version of the Safe App Standard and adjust security practices and controls accordingly. This Standard should be read in conjunction with, and does not replace, vary or supersede, any laws, regulations, or other obligations and duties of app developers and providers, including under the Cybersecurity Act 2018 and any subsidiary legislation, codes of practice, standards of performance, or written directions issued thereunder. The use of this document and the implementation of the recommendations within it do not discharge or release the app developer and provider from any such obligations or duties. The contents of this document are not intended to be an authoritative statement of the law or a substitute for legal or other professional advice. To guide developers through the Safe App Standard framework, and for ease of use, developers should note that Version 1 of the Safe App Standard focuses on the following key areas, and the document itself can be divided into these sections:
· Authentication
· Authorization
· Data Storage (Data-at-Rest)
· Anti-Tamper & Anti-Reversing
These key areas are covered to ensure that mobile app security is hardened against the common attack vectors used by malicious actors in our local environment. The Safe App Standard provides a clear and concise set of security controls, guidelines, and best practices for improving the security of mobile apps that provide or enable high-risk transactions.
Document Conventions and Normative References
Document Conventions
The following are some conventions that developers and readers should note when using this document:
Sensitive data: User data such as Personally Identifiable Information (PII) and authentication data such as credentials, cryptographic keys, one-time passwords, biometric data, security tokens, passports, etc.
High-risk transactions: These include:
· Changes to financial functions; some examples include but are not limited to the registration of third-party payee details, increases to fund transfer limits, etc.
· Initiation of financial transactions; some examples include but are not limited to high-value fund transfers, high-value payments, online transactions, direct debits, cash withdrawal functions and top-ups, etc.
· Changes to the app's security settings; some examples include but are not limited to the disabling of authentication methods, updating of phone numbers or credentials, etc.
Security controls: Processes or mechanisms recommended in this document that should be implemented to manage, monitor and mitigate security risks or threats. These security controls have IDs attached to them, e.g., AUTHN-BP01, AUTHOR-BP01, STORAGE-BP01, RESILIENCE-BP01.
Normative References
The Safe App Standard references industry standards from the Open Web Application Security Project (OWASP), the European Union Agency for Network and Information Security (ENISA) and the Payment Card Industry Data Security Standard (PCI DSS). The list of references is as follows:
· OWASP's MASVS (Mobile Application Security Verification Standard)
· OWASP's MASTG (Mobile Application Security Testing Guide)
· ENISA's Secure Development Guidelines (SSDG)
· PCI DSS' Mobile Payment Acceptance Security Guidelines for Developers
1. Authentication
Introduction
Authentication is a critical component of most mobile applications. These apps typically use various forms of authentication, including biometrics, PINs, or multi-factor authentication code generators. Ensuring that the authentication mechanism is secure and implemented in line with industry best practices is critical to verifying the identity of users.
By implementing secure authentication controls, developers can ensure that only authenticated users, clients, applications and devices can access specific resources or perform particular actions. Through secure authentication controls, developers can also reduce the risk of unauthorised data access, ensure the integrity of sensitive data, secure user identity and protect the integrity of high-risk transactions.
The controls in this section are intended to recommend the authentication security controls that an application should implement to protect sensitive data and prevent unauthorised access. They also provide developers with the most appropriate practices for implementing these security controls.
Security controls
ID | Control
---|---
AUTHN-BP01 | Uses Multi-Factor Authentication to authenticate high-risk transactions.
AUTHN-BP01a | Implements a Something-You-Know factor as one of the MFA factors.
AUTHN-BP01b | Implements a Something-You-Have factor as one of the MFA factors.
AUTHN-BP01c | Implements a Something-You-Are factor as one of the MFA factors.
AUTHN-BP02 | Uses contextual factors for authentication.
AUTHN-BP03 | Implements secure session authentication.
AUTHN-BP03a | Implements stateful authentication.
AUTHN-BP03b | Implements secure stateless authentication.
AUTHN-BP04 | Implements session termination on logout, inactivity, or app closure.
AUTHN-BP05 | Implements brute force protection for authentication.
AUTHN-BP06 | Implements transaction integrity verification.
AUTHN-BP01
Control
The app uses Multi-Factor Authentication (MFA) to authenticate high-risk transactions.
Description
In a single-factor authentication system, users typically only need to provide a Something-You-Know[1], such as a username and password. However, if this single factor is lost or compromised, the entire authentication process is easily compromised.
MFA is an authentication method that adds further layers of identity verification, requiring not only a Something-You-Know but also a Something-You-Have[2] and a Something-You-Are[3]. Implementing MFA makes it more challenging for malicious actors to compromise credentials and improves the overall security of the authentication process.
Implementation guidelines
Developers should use Step-up MFA. This is a specific form of MFA in which the app applies an authentication policy that requires an additional level of authentication, particularly when higher-risk transactions are attempted.
Developers should prioritise the MFA combinations listed below in the order 1, 2, 3 and 4, with option 1 being the most secure option.
[Table: MFA factor combinations ranked as options 1 to 4. Columns: Something-You-Know; Something-You-Have (software token, hardware token, SMS OTP); Something-You-Are. Rows: Option 1, Option 2, Option 3, Option 4.]
[1] Something-You-Know refers to information that the user knows, such as a PIN (Personal Identification Number), password, or pattern, etc.
[2] Something-You-Have requires the user to authenticate with a physical device, app, or token that generates authentication credentials, which may include time-based One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP.
[3] Something-You-Are refers to biometric identifiers, which use the user's unique physical characteristics for authentication, such as fingerprints, retina scans, facial recognition, or voice recognition.
Developers are strongly advised not to rely on SMS and email OTP as the authentication method for high-risk transactions. If this is unavoidable, it is critical to implement a biometric factor or an additional authentication factor in conjunction with SMS OTP and email OTP.
Things to note
· Choosing out-of-band solutions is strongly recommended where possible.
· Developers should ensure that at most one MFA factor is verified on the client side, with all other factors verified on the server side. Where authentication is verified on the client side, particularly on Android, enforce Trusted Execution Environment (TEE) based policies.
· This security control references other standards. Please refer to the document(s) provided within:
  o OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 21.
  o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 51, 56.
  o MAS Technology Risk Management Guidelines (2021), pp. 34, 50.
  o ENISA Smartphone Secure Development Guidelines (2016), p. 11.
AUTHN-BP01a
Control
The app uses a Something-You-Know factor as one of the MFA factors.
Description
Something-You-Know represents a fundamental pillar of identity authentication, covering information that only the user knows, such as a PIN (Personal Identification Number), password, pattern, etc. It establishes a baseline level of identity verification by requiring users to supply unique information associated with their account. As a critical element of the "Something-You-Know, Something-You-Have, and Something-You-Are" principle, it contributes to a robust multi-layered security approach.
Implementation guidelines
Developers should follow these guidelines when creating secure passwords:
· Ensure a password length of 12 characters or more.
· Include a mix of uppercase and lowercase letters, numbers, and special characters, limited to ~`!@#$%^&*()_-+=:;,.?
Developers should also be aware of and avoid common pitfalls when creating passwords:
· Avoid using dictionary words, phrases, or combinations of them.
· Refrain from including personal information.
· Avoid sequential characters (e.g., "123456") or repeated characters (e.g., "aaaaa").
Things to note
· Developers should enforce credential rotation on corporate assets if there is no MFA implementation at the endpoint, e.g., rotate annually or at an appropriate interval.
· This security control references other standards. Please refer to the document(s) provided within:
  o MAS Technology Risk Management Guidelines (2021), p. 34.
  o ENISA Smartphone Secure Development Guidelines (2016), p. 10.
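A server-side policy check implementing the AUTHN-BP01a password rules above, as an added example that is not part of the CSA Safe App Standard. The dictionary word list, the run lengths treated as "sequential" or "repeated", and the sample passwords are assumptions chosen for the demo.

```python
"""Password policy checker for the AUTHN-BP01a guidelines.

Added example (not from the CSA Safe App Standard); the rule parameters
follow the bullet list above. The dictionary word list is a constructed
stand-in for a real dictionary / breached-password list.
"""
import re

MIN_LENGTH = 12
# Special characters the guideline permits (the set listed in AUTHN-BP01a).
ALLOWED_SPECIALS = set("~`!@#$%^&*()_-+=:;,.?")
# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY_WORDS = {"password", "welcome", "singapore", "qwerty", "letmein"}
SEQUENTIAL_RUN = 4  # assumption: "1234" / "abcd" style runs of this length fail
REPEAT_RUN = 3      # assumption: "aaa" style runs of this length fail


def _has_sequential_run(pw: str, length: int) -> bool:
    """True if `length` consecutive characters step by +1 or -1 in code point."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _has_repeated_run(pw: str, length: int) -> bool:
    """True if the same character appears `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password(pw: str, personal_info=()) -> list:
    """Return the list of violated rules; an empty list means the password passes.

    `personal_info` is an iterable of strings the user must not embed
    (name, user ID, birth year, ...), compared case-insensitively.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length<%d" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no-uppercase")
    if not any(c.islower() for c in pw):
        problems.append("no-lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no-digit")
    specials = [c for c in pw if not c.isalnum()]
    if not specials:
        problems.append("no-special")
    if any(c not in ALLOWED_SPECIALS for c in specials):
        problems.append("disallowed-special")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("dictionary-word")
    if any(info and info.lower() in lowered for info in personal_info):
        problems.append("personal-info")
    if _has_sequential_run(pw, SEQUENTIAL_RUN):
        problems.append("sequential-chars")
    if _has_repeated_run(pw, REPEAT_RUN):
        problems.append("repeated-chars")
    return problems
```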
AUTHN-BP01b
Control
The app uses a Something-You-Have factor as one of the MFA factors.
Description
Something-You-Have requires users to authenticate with a physical device, app, or token that generates authentication credentials, which may include One-Time Passwords (OTPs). Examples of such tokens include software tokens, hardware tokens, and SMS OTP. Implementing Something-You-Have as one of the MFA factors adds complexity to the authentication process by requiring possession of a specific element, significantly reducing unauthorised access. As a critical element of the "Something-You-Know, Something-You-Have, and Something-You-Are" principle, it contributes to a vigilant and effective multi-layered security model.
Implementation guidelines
Developers should use a time-based OTP for software tokens, hardware tokens and SMS OTP. The following guidelines should be followed:
· The OTP should be valid for no more than 30s.
· An OTP entered incorrectly after 3 attempts should be invalidated, and the user's access should be revoked or denied.
Things to note
· This security control references other standards. Please refer to the document(s) provided within:
  o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 56-57.
  o MAS Technology Risk Management Guidelines (2021), pp. 50, 51.
  o ENISA Smartphone Secure Development Guidelines (2016), p. 10.
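A server-side TOTP verifier with the 30-second validity and 3-attempt cut-off from AUTHN-BP01b, as an added example that is not from the CSA Safe App Standard. It implements RFC 6238 (HMAC-SHA1, 6 digits); the shared secret and clock values are constructed, and keeping the lock in place until an explicit reset is an assumption.

```python
"""Server-side TOTP verifier for the AUTHN-BP01b guidelines.

Added example, not from the CSA Safe App Standard. Implements RFC 6238 TOTP
(HMAC-SHA1, 6 digits, 30-second step) plus a per-user attempt counter that
invalidates the OTP after 3 wrong entries. Secret and clock values used by
callers are constructed for the demo.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # AUTHN-BP01b: an OTP is valid for no more than 30 s
MAX_ATTEMPTS = 3    # AUTHN-BP01b: invalidate after 3 wrong entries
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30 s time step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class OtpVerifier:
    """Tracks failed OTP entries per user and locks the OTP after MAX_ATTEMPTS.

    No look-back window is used, so a code is accepted only during its own
    30 s step; the step of the last accepted code is recorded so the same code
    cannot be replayed after a successful verification.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._failures = {}      # user -> number of wrong entries so far
        self._last_used = {}     # user -> time step of the last accepted code

    def verify(self, user: str, code: str, now: int) -> str:
        """Return 'ok', 'invalid', or 'locked'.

        Once 'locked' is returned the caller must revoke the user's access (or
        deny the transaction) and issue a fresh OTP out of band; the lock is
        held until reset() is called (assumption for this demo).
        """
        if self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        step = now // STEP_SECONDS
        expected = hotp(self._secret, step)
        fresh = self._last_used.get(user) != step
        if fresh and hmac.compare_digest(expected.encode(), code.encode()):
            self._failures.pop(user, None)
            self._last_used[user] = step
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "locked" if self._failures[user] >= MAX_ATTEMPTS else "invalid"

    def reset(self, user: str) -> None:
        """Clear the lock, e.g. after the user re-authenticates out of band."""
        self._failures.pop(user, None)
```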
AUTHN-BP01c
Control
The app uses a Something-You-Are factor as one of the MFA factors.
Description
Something-You-Are requires users to authenticate with biometric data such as fingerprints, retina scans, or facial recognition. Implementing Something-You-Are as one of the MFA factors adds a highly personalised layer of identity verification that is difficult to replicate. It provides a more robust way of verifying a user's identity than Something-You-Know and Something-You-Have factors, reducing the risk of unauthorised access. As a critical element of the "Something-You-Know, Something-You-Have, and Something-You-Are" principle, it contributes to a comprehensive and effective security approach.
Implementation guidelines
Developers should implement biometric authentication on the server side using a trusted identity verification provider such as Singpass. Where this is not possible, developers should implement biometric authentication on the client side through the device's Trusted Execution Environments (TEEs), such as CryptoObject and Android Protected Confirmation for Android services, or Keychain for iOS.
Things to note
· Developers should restrict app functionality on devices without Trusted Execution Environment (TEE) hardware or biometrics. For example, Android devices without a TEE can be identified using the "isInsideSecureHardware" Android API.
· Developers should invalidate biometric authentication when the device's biometrics change, such as when a new fingerprint is enrolled on the device. Both the iOS and Android platforms support setting an app crypto key to expire in response to such changes.
· This security control references other standards. Please refer to the document(s) provided within:
  o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 227-233, 422-426.
  o MAS Technology Risk Management Guidelines (2021), p. 51.
  o ENISA Smartphone Secure Development Guidelines (2016), pp. 11, 26.
AUTHN-BP02
Control
The app uses contextual factors for authentication.
Description
Contextual factors refer to dynamic elements such as the user's location and device characteristics. While MFA provides a strong layer of security by requiring multiple authentication factors, incorporating contextual factors creates a more adaptive and dynamic authentication process that can offer additional benefits in addressing the evolving risks of unauthorised access. Implementing contextual factors reduces reliance on static credentials, making it more challenging for malicious actors attempting to gain unauthorised access.
Implementation guidelines
Developers should consider contextual factors to verify a user's identity:
· Geolocation: Grant access based on the actual physical location of a device, using GPS, Wi-Fi, or IP address geolocation.
· Device type: Grant access based on the characteristics of a device. For example, screen size can identify whether a device is a phone or a tablet.
Things to note
This security control references other standards. Please refer to the document(s) provided within:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 56, 58.
· ENISA Smartphone Secure Development Guidelines (2016), p. 11.
AUTHN-BP03
Control
The app implements session authentication.
Description
Session authentication ensures the secure management of user sessions for authentication and protects against unauthorised access. Poor session management, regardless of whether the app follows a stateful[4] or stateless[5] authentication approach, can lead to security threats such as unauthorised access, session hijacking, or data breaches. Implementing secure session authentication for stateful approaches relies on secure session identifiers, token association and proper expiry to prevent unauthorised access. For stateless authentication, it ensures that tokens are tamper-resistant, maintaining authentication integrity without relying on server-side storage.
Implementation guidelines
Developers should implement session authentication by adopting the following best practices for the stateful (AUTHN-BP03a) and stateless (AUTHN-BP03b) session authentication approaches.
Things to note
This security control references other standards. Please refer to the document(s) provided within:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 51-55.
· MAS Technology Risk Management Guidelines (2021), p. 51.
· ENISA Smartphone Secure Development Guidelines (2016), p. 10.
[4] Stateful authentication refers to managing session state on the server side, typically requiring the use of session identifiers.
[5] Stateless authentication refers to managing sessions without storing user-related information on the server side.
AUTHN-BP03a
Control
The app implements stateful authentication.
Description
Stateful authentication involves securing and maintaining persistent sessions. While stateful authentication provides a seamless user experience through continuous sessions, it can be susceptible to various security threats, such as malicious actors attempting to steal session information. Implementing secure stateful authentication protects user sessions from unauthorised access and from security vulnerabilities associated with session management, without compromising the balance between usability and security.
Implementation guidelines
Developers should identify the server endpoints that expose sensitive information or critical functions. Developers should also adopt the following best practices for session authentication:
· Reject requests with missing or invalid session IDs or tokens.
· Generate random session IDs on the server without appending them to URLs.
· Strengthen session ID security with appropriate length and entropy, making them difficult to guess.
· Exchange session IDs only over secure HTTPS connections.
· Avoid storing session IDs in persistent storage.
· Verify session IDs for user access to privileged elements.
· Terminate sessions on the server side, deleting session information after a timeout or logout.
Things to note
· If in doubt, consider using proven authentication frameworks and libraries.
· This security control references other standards. Please refer to the document(s) provided within:
  o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), p. 52.
AUTHN-BP03b
Control
The app implements secure stateless authentication.
Description
Stateless authentication uses token-based patterns to authenticate efficiently and at scale. Although it offers these benefits, it is more exposed to threats such as impersonation if tokens are not generated, transmitted and stored securely. Implementing stateless authentication securely ensures that every authentication token is handled safely while keeping the benefits of efficiency and scalability, reducing the risk of unauthorised access.
Implementation guidelines
Developers should adopt the following best practices for stateless session authentication:
· Generate tokens on the server, and never pass them in URLs.
· Ensure tokens have sufficient length and entropy, making them hard to guess.
· Exchange tokens only over secured HTTPS connections.
· Ensure that no sensitive information, such as PII, is embedded in tokens.
· Avoid storing tokens in persistent storage.
· Validate tokens before granting the user access to privileged elements.
· Terminate tokens on the server side, deleting token information on timeout or logout.
· Sign tokens using a secure algorithm and avoid null algorithms; the verifier must likewise reject any token whose header claims a null or unexpected algorithm.
Things to note
· If in doubt, consider using well-established authentication frameworks and libraries.
· This security control is referenced in other standards. Please refer to the document(s) listed below:
o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 52-53.
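The following is an added example, not code from the CSA standard or any of the referenced guides. It shows the AUTHN-BP03b rules applied to a JWT-shaped bearer token: the token is issued on the server with a 256-bit random identifier and a short expiry, PII claims are refused at issuance, the verifier pins the algorithm to a server-side allow-list (so an "alg: none" forgery is rejected before the signature is even looked at), and logout revokes the token server-side regardless of its remaining lifetime. SERVER_KEY, the claim names and the 15-minute lifetime are assumptions; a production app would use a maintained library such as PyJWT configured the same way.

```python
"""HMAC-signed bearer token (JWT-shaped) built to the AUTHN-BP03b rules.

Added example for this page, not code from the CSA standard. Uses a JWT-shaped
header.payload.signature layout so the 'alg: none' and PII checks are visible; a
production app should use a maintained library (e.g. PyJWT) configured the same way.
SERVER_KEY, the claim names and the 15-minute lifetime are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

ALLOWED_ALGS = {"HS256"}                         # server-side allow-list; "none" is never in it
PII_CLAIMS = {"email", "phone", "name", "nric"}   # assumption: fields that must not ride in tokens
SERVER_KEY = secrets.token_bytes(32)             # assumption: loaded from a KMS/HSM in practice
REVOKED_IDS = set()                              # server-side record of tokens ended by logout


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 900, extra: Optional[dict] = None) -> str:
    """Issue on the server: 256-bit random id (jti), short expiry, no PII claims."""
    claims = dict(extra or {})
    leaked = PII_CLAIMS.intersection(claims)
    if leaked:
        raise ValueError(f"refusing to embed PII in token: {sorted(leaked)}")
    now = int(time.time())
    claims.update({"sub": subject, "iat": now, "exp": now + ttl_seconds,
                   "jti": secrets.token_urlsafe(32)})
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Validate before any privileged action; return the claims or raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
    except ValueError:
        raise ValueError("malformed token")
    # 1. The algorithm comes from the server's allow-list, never from the token alone.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(SERVER_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # 2. Constant-time comparison of the signature.
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    now = int(time.time()) if now is None else now
    # 3. Expiry and 4. logout revocation are both enforced server-side.
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("jti") in REVOKED_IDS:
        raise ValueError("token revoked")
    return claims


def revoke_token(token: str) -> None:
    """Logout: end the token on the server regardless of its remaining lifetime."""
    _, body_b64, _ = token.split(".")
    REVOKED_IDS.add(json.loads(_unb64url(body_b64))["jti"])


def rejection_reason(token: str, now: Optional[int] = None) -> str:
    """'' if the token verifies, otherwise the reason it was refused (for tests/logs)."""
    try:
        verify_token(token, now)
        return ""
    except ValueError as exc:
        return str(exc)


def forge_alg_none(token: str) -> str:
    """What an attacker sends: the same claims with 'alg: none' and an empty signature."""
    _, body_b64, _ = token.split(".")
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{body_b64}."
```

Because the token carries only an opaque `sub` and `jti`, anything a client learns by base64-decoding it is useless on its own; the revocation set is the one piece of server state stateless tokens still need if logout is to mean anything before `exp`.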
AUTHN-BP04
Control
The app implements session termination upon timeout, inactivity or closure.
Description
Session termination ensures that user sessions are closed properly. On logout, during inactivity or when the app is closed, malicious actors may exploit any lingering access if sessions are not managed properly. Terminating sessions on timeout, inactivity or app closure reduces the risk of unauthorised access by ending user sessions automatically and protecting user data from being accessed by unauthorised parties.
Implementation guidelines
Developers should re-authenticate users after logout, app inactivity, idling, backgrounding, session timeout, or abrupt/forced closure. Developers should also generate new session information on the server whenever a user transitions to a new authentication state, to prevent session fixation.
Things to note
· Developers should ensure that session termination includes clearing or invalidating all locally stored tokens or session information.
· Developers should set the default timeout value based on a risk assessment and the nature of the financial services offered.
· This security control is referenced in other standards. Please refer to the document(s) listed below:
o OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 55-56, 58.
o MAS Technology Risk Management Guidelines (2021), pg. 51.
o ENISA Smartphone Secure Development Guidelines (2016), pg. 11.
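The following is an added example, not code from the CSA standard. It is a server-side store for stateful sessions that puts the AUTHN-BP03a and AUTHN-BP04 requirements together: identifiers are generated on the server with 256 bits of entropy and refused if they arrive in a URL, an idle timeout and an absolute timeout terminate the session server-side, re-authentication (login or MFA step-up) rotates to a fresh identifier so a planted one cannot be fixated, and logout removes the record. IDLE_TIMEOUT and ABSOLUTE_TIMEOUT are assumptions; the guideline requires them to come from the app's risk assessment. The header and query-string shape in `session_id_from_request` is also assumed.

```python
"""Server-side session store for stateful authentication (AUTHN-BP03a/BP04):
random ids generated on the server, idle and absolute timeouts, rotation on
re-authentication (anti-fixation) and explicit logout.

Added example for this page, not code from the CSA standard. IDLE_TIMEOUT and
ABSOLUTE_TIMEOUT are assumptions; the guideline requires them to come from the
app's risk assessment. The header/query shape in session_id_from_request is assumed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 5 * 60            # assumption: 5 min without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumption: hard cap regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    level: str = "basic"         # e.g. "basic" after password, "strong" after MFA


class SessionStore:
    def __init__(self) -> None:
        # keyed by SHA-256 of the id so a leaked copy of the store cannot be replayed
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user: str, level: str = "basic", now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)   # 256 bits of entropy, server-generated
        self._sessions[self._key(session_id)] = Session(user, now, now, level)
        return session_id

    def validate(self, session_id: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the live session, or None (after dropping it) if unknown or expired."""
        now = time.time() if now is None else now
        key = self._key(session_id)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self._sessions[key]              # timeout is enforced server-side
            return None
        session.last_seen = now
        return session

    def elevate(self, session_id: str, new_level: str,
                now: Optional[float] = None) -> Optional[str]:
        """Re-authentication (login, MFA step-up): issue a NEW id and kill the old
        one, so an id planted before authentication (session fixation) is useless."""
        session = self.validate(session_id, now)
        if session is None:
            return None
        del self._sessions[self._key(session_id)]
        return self.create(session.user, new_level, now)

    def logout(self, session_id: str) -> None:
        self._sessions.pop(self._key(session_id), None)


def session_id_from_request(headers: dict, query: dict) -> Optional[str]:
    """Accept the id only from the Authorization header. An id in the URL/query
    string is rejected outright: it would leak via logs, referrers and history."""
    if "session_id" in query:
        return None
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None
```

The client-side half of the control (clearing the locally cached identifier on logout, backgrounding or forced closure) is what keeps a stale identifier from being presented again; the store above makes sure that even if it is presented, it no longer resolves to anything.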
AUTHN-BP05
Control
The app implements brute force protection for authentication.
Description
Brute force attacks are automated, systematic attempts to guess user credentials, for example by trying different combinations of usernames and passwords to gain unauthorised access. Brute force protection limits the number of sign-in attempts permitted within a given period. Implementing brute force protection for authentication significantly reduces the risk of unauthorised access, protects user accounts and maintains the integrity of the authentication process.
Implementation guidelines
Developers should implement brute force protection through the following best practices:
· Implement escalating checks.
· Apply rate limiting to sign-in attempts.
· Introduce incremental time delays (for example 30 seconds, 1 minute, 2 minutes, 5 minutes) between sign-in attempts.
· Enforce account lockout.
Things to note
· Developers should note that MFA mechanisms can also be compromised by brute force (a short one-time code can be guessed), so the same protections apply to them.
· Developers should explain the reason for an account lockout and give users a simple way to verify themselves and remove the lock, for example by calling a helpline or using biometric authentication.
· This security control is referenced in other standards. Please refer to the document(s) listed below:
o ENISA Smartphone Secure Development Guidelines (2016), pg. 10, 16.
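The following is an added example, not code from the CSA standard or the ENISA guide. It implements the guideline's escalating-delay ladder (30 s, 1 min, 2 min, 5 min) followed by account lockout, and shows the one ordering detail that matters: the throttle is consulted before the credential is evaluated, so a correct password submitted during a delay is still refused and the attacker cannot keep guessing while "waiting". The number of free attempts, the lockout threshold and duration, and the key format (account combined with source) are assumptions.

```python
"""Sign-in throttle with escalating delays and account lockout (AUTHN-BP05).

Added example for this page, not code from the CSA standard. The 30 s / 1 min /
2 min / 5 min ladder is the guideline's; the number of free attempts, the lockout
threshold, the lockout duration and the key format are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# index = consecutive failures so far: two attempts without delay (assumption), then
# the guideline ladder, then 5 min repeatedly until lockout
DELAY_LADDER = [0, 0, 0, 30, 60, 120, 300]
LOCKOUT_AFTER = 10                 # assumption: 10 consecutive failures lock the account
LOCKOUT_SECONDS = 15 * 60          # assumption; the user is told why and how to unlock


@dataclass
class Attempts:
    failures: int = 0
    next_allowed: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self) -> None:
        self._by_key: Dict[str, Attempts] = {}

    def check(self, key: str, now: float) -> Optional[str]:
        """None if an attempt may proceed, else the reason to refuse it.
        `key` should combine account and source (user + device or IP) so a single
        account cannot be used to lock out everyone and one source cannot spray."""
        a = self._by_key.get(key)
        if a is None:
            return None
        if now < a.locked_until:
            return "locked"
        if now < a.next_allowed:
            return f"retry after {int(a.next_allowed - now)}s"
        return None

    def record(self, key: str, success: bool, now: float) -> None:
        if success:
            self._by_key.pop(key, None)        # a good sign-in resets the counter
            return
        a = self._by_key.setdefault(key, Attempts())
        a.failures += 1
        if a.failures >= LOCKOUT_AFTER:
            a.locked_until = now + LOCKOUT_SECONDS
            return
        delay = DELAY_LADDER[min(a.failures, len(DELAY_LADDER) - 1)]
        a.next_allowed = now + delay


def attempt(throttle: LoginThrottle, key: str, credential_ok: bool, now: float) -> str:
    """One sign-in attempt. The throttle is consulted BEFORE the credential is
    checked: a correct password during a delay is still refused, and the credential
    is not evaluated at all, so the delay cannot be used as extra guessing time."""
    reason = throttle.check(key, now)
    if reason is not None:
        return reason
    throttle.record(key, credential_ok, now)
    return "ok" if credential_ok else "denied"
```

The same object, keyed by the MFA challenge identifier instead of the account, throttles one-time-code entry; a coarse per-source rate limit at the edge (requests per minute per IP) sits in front of it so the per-account state is never the only line of defence.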
AUTHN-BP06
Control
The app implements a transaction integrity verification process.
Description
Although authentication verifies the identity of the user, it does not rule out fraudulent activity during the transaction process. Transaction verification methods are supplementary functions that give users the time and the tools to respond to fraudulent behaviour. Implementing a transaction integrity verification process ensures that every transaction is examined thoroughly to confirm its correctness and legitimacy.
Implementation guidelines
Developers may implement the following recommended practices:
· Initiate transaction notifications / phone verification.
· Provide a real-time transaction history.
· Implement a cooling-off period of 12 to 24 hours.
· Disable outgoing transactions by default; enable them only with MFA.
Things to note
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 57-58.
2. Authorisation
Introduction
Authorisation controls work hand in hand with authentication controls. Authorisation protection in mobile apps is a critical line of defence because it determines who can access which resources within an app. It establishes access rules and validates user rights within an app.
By implementing robust authorisation controls, developers can ensure that only authorised users, clients, apps and devices can access specific resources or perform specific actions. Through authorisation controls, developers can also reduce the risk of unauthorised data access, safeguard the integrity of sensitive data, protect user privacy and preserve the integrity of high-risk functions. While enforcement of these controls must happen on the server side, it is equally important for the client side of the app to follow relevant best practices so that authorisation rules are handled securely.
The controls in this section set out the authorisation controls the app should implement to protect sensitive data and prevent unauthorised access. They also give developers best practices for implementing these security controls.
Security controls
ID             Control
AUTHOR-BP01    Implement server-side authorisation.
AUTHOR-BP02    Implement client-side authorisation through device binding.
AUTHOR-BP03    Inform users of all permissions required before the app is first used.
AUTHOR-BP04    Notify users of all high-risk transactions authorised and completed.
AUTHOR-BP01
Control
The app implements server-side authorisation.
Description
Server-side authorisation refers to the validation and granting of access permissions to users or apps by a server or authority. It ensures that access control decisions and permissions are managed and enforced on the server side rather than on the client. By implementing server-side authorisation, developers reduce the opportunity for malicious actors to tamper with or bypass security controls in the app to gain unauthorised access to sensitive data (i.e., PII and authentication data).
Implementation guidelines
Developers should implement server-side authorisation after successful authentication and before granting access permissions. Developers should ensure that users are authorised based on the following:
· Role and permission assignment: ensure users can perform only the functions appropriate to their responsibilities.
· Contextual information: contextual access factors such as Time of Access and Behavioural Analysis.
Things to note
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 50-55, 58.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 10-11.
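The following is an added example, not code from the CSA standard or the referenced guides. It is a server-side authorisation decision point of the kind AUTHOR-BP01 calls for: permissions are derived from roles held in the server's own identity store, high-risk actions additionally require the contextual factors the guideline names (time of access and a behavioural risk score), and a role claimed in the request body is simply never read. The role table, permission names, the 23:00-06:00 "unusual hours" window and the 0.8 risk threshold are assumptions; `SAMPLE_IDENTITY_STORE`, `NOON` and `NIGHT` are constructed test data, and `low_risk`/`high_risk` stand in for a real risk engine.

```python
"""Server-side authorisation decision (AUTHOR-BP01): role/permission check plus
contextual factors (time of access, behavioural risk score).

Added example for this page, not code from the CSA standard. The role table,
permission names, the 'unusual hours' window and the risk threshold are assumptions;
SAMPLE_IDENTITY_STORE and the timestamps are constructed test data.
"""
from datetime import datetime, timezone
from typing import Callable, Tuple

ROLE_PERMISSIONS = {
    "customer": {"account:read", "transfer:create"},
    "support": {"account:read"},
    "admin": {"account:read", "account:freeze"},
}
HIGH_RISK_ACTIONS = {"transfer:create", "account:freeze"}
UNUSUAL_HOURS = set(range(23, 24)) | set(range(0, 6))   # assumption: 23:00-06:00 local
RISK_THRESHOLD = 0.8                                     # assumption: score in 0..1

# Constructed sample data: what the server's own identity store knows after login.
SAMPLE_IDENTITY_STORE = {
    "u1": {"roles": ["customer"], "auth_level": "password"},
    "u2": {"roles": ["customer"], "auth_level": "mfa"},
    "s1": {"roles": ["support"], "auth_level": "mfa"},
}
NOON = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NIGHT = datetime(2024, 1, 10, 2, 0, tzinfo=timezone.utc)


def low_risk(_request: dict) -> float:
    return 0.1    # stand-in for a behavioural risk engine (assumption)


def high_risk(_request: dict) -> float:
    return 0.95


def is_authorised(principal: dict, action: str, context: dict) -> Tuple[bool, str]:
    """Decide from server-held facts only; nothing the client asserts is consulted."""
    permissions = set()
    for role in principal.get("roles", ()):
        permissions |= ROLE_PERMISSIONS.get(role, set())
    if action not in permissions:
        return False, "role lacks permission"
    if action in HIGH_RISK_ACTIONS:
        # contextual factor 1: time of access, paired with the authentication level
        if context["time"].hour in UNUSUAL_HOURS and principal.get("auth_level") != "mfa":
            return False, "high-risk action outside usual hours requires MFA step-up"
        # contextual factor 2: behavioural analysis signal
        if context.get("risk_score", 0.0) >= RISK_THRESHOLD:
            return False, "behavioural risk score too high"
    return True, "ok"


def handle_request(request: dict, identity_store: dict,
                   risk_engine: Callable[[dict], float]) -> Tuple[bool, str]:
    """Simulated endpoint. 'session_subject' is the subject of the already verified
    session; any 'role' field in the request body is deliberately ignored."""
    principal = identity_store.get(request["session_subject"])
    if principal is None:
        return False, "unknown subject"
    context = {"time": request["time"], "risk_score": risk_engine(request)}
    return is_authorised(principal, request["action"], context)
```

The client may mirror these rules to hide buttons the user cannot use, but that is a usability measure; the decision that counts is the one `handle_request` makes with data the client never supplied.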
AUTHOR-BP02
Control
The app implements client-side authorisation through device binding.
Description
Client-side authorisation is the process of managing access permissions within a mobile app. It is risky because reliance on the client side can expose the app to vulnerabilities such as unauthorised access and potential fraud.
If an app's business functions (for example, a soft token) require client-side authorisation, device binding (a security technique that ties permissions to access from a specific device) should be implemented. Through device binding, apps can verify the identity of the device and establish trust. This reduces the risks associated with unauthorised access and maintains a secure, trusted channel between the device, the app and the server.
Implementation guidelines
Developers should establish the binding between the app and the device when a user's identity is used for the first time on an unregistered mobile device.
Developers should also verify that the app:
· Checks for changes to the device since the last session.
· Checks for changes in the identifiers that distinguish the device.
· Checks that the device running the app is in a secure state (for example, not jailbroken or rooted).
The above are some examples of best practices used in the industry. As the mobile device landscape evolves, these methods may become outdated. Developers should therefore keep adopting industry best practices for verifying device binding.
Things to note
To verify the device on Android devices, developers can:
· Obtain unique identifiers such as the IMEI or the Android ID.
· Retrieve build information.
· Use OS-specific API features, such as Google's SafetyNet.
To verify the device on iOS devices, developers can:
· Use standard OS services, such as Apple's device identifier via UIDevice.
Two caveats a practitioner should weigh when choosing identifiers: on Android 10 and later the IMEI is not readable by ordinary apps, and the SafetyNet Attestation API has been deprecated in favour of the Play Integrity API; on iOS, the UIDevice identifierForVendor is reset when all of the vendor's apps are removed from the device. None of these values should be the sole basis for the binding.
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 316-317, 516.
· MAS Technology Risk Management Guidelines (2021), pg. 51, 56.
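The following is an added example, not code from the CSA standard or the referenced guides. It shows the server side of device binding as AUTHOR-BP02 describes it: a device is enrolled on first use of an identity (and refused if it is not in a secure state), each later session proves possession of the device's key against a fresh challenge, and the server compares the device's current identifiers with those recorded at enrolment so that a change since the last session can force re-binding or a step-up. Stand-in primitive: each device holds a random 256-bit secret and proves possession with HMAC-SHA256; on a real device this would be a non-exportable asymmetric key generated in the Android Keystore or Apple's Secure Enclave, and the server would verify a signature instead. `attested_ok` stands for the server-verified result of a platform attestation (Play Integrity / App Attest), which is out of scope here, and `SAMPLE_FP` is a constructed device fingerprint.

```python
"""Device binding for client-side authorisation (AUTHOR-BP02), server side.

Added example for this page, not code from the CSA standard. Stand-in primitive:
each device holds a random 256-bit secret and proves possession with HMAC-SHA256.
On a real device this would be a non-exportable asymmetric key generated in the
Android Keystore or Apple's Secure Enclave, and the server would verify a signature
instead of an HMAC. `attested_ok` stands for the server-verified result of a platform
attestation (Play Integrity / App Attest), which is out of scope here. SAMPLE_FP is
a constructed device fingerprint.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Constructed sample: stable identifiers only. Volatile values (IP, battery, locale)
# must not be part of the binding or every session would look like a new device.
SAMPLE_FP = {"build": "google/panther/panther:14/UP1A.231105.003",
             "os_version": "14", "app_instance_id": "c0ffee-1234"}


def fingerprint_hash(fp: dict) -> str:
    canonical = json.dumps(fp, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def prove_possession(device_key: bytes, challenge: bytes, fp: dict) -> bytes:
    """App side: the response covers a fresh server challenge (no replay) and the
    device's current fingerprint (so the server can detect identifier changes)."""
    message = challenge + fingerprint_hash(fp).encode()
    return hmac.new(device_key, message, hashlib.sha256).digest()


class DeviceRegistry:
    def __init__(self) -> None:
        self._devices: Dict[str, dict] = {}   # device_id -> {user, key, fp_hash}

    def enrol(self, user: str, fp: dict, attested_ok: bool) -> Tuple[str, bytes]:
        """First use of an identity on an unregistered device: refuse devices that
        are not in a secure state, then bind. The key is returned once; on the
        device it belongs in hardware-backed storage."""
        if not attested_ok:
            raise PermissionError("device not in a secure state; refusing to bind")
        device_id = secrets.token_urlsafe(16)
        device_key = secrets.token_bytes(32)
        self._devices[device_id] = {"user": user, "key": device_key,
                                    "fp_hash": fingerprint_hash(fp)}
        return device_id, device_key

    @staticmethod
    def new_challenge() -> bytes:
        return secrets.token_bytes(32)

    def verify(self, device_id: str, user: str, challenge: bytes, fp: dict,
               proof: bytes, attested_ok: bool) -> str:
        """Return 'ok', or the reason the session must re-bind or step up."""
        record = self._devices.get(device_id)
        if record is None or record["user"] != user:
            return "unknown device for this user"
        if not attested_ok:
            return "device no longer in a secure state"
        expected = prove_possession(record["key"], challenge, fp)
        if not hmac.compare_digest(expected, proof):
            return "possession proof failed"
        if fingerprint_hash(fp) != record["fp_hash"]:
            return "device identifiers changed since last session"
        return "ok"
```

A drifted fingerprint is not necessarily an attack (an OS upgrade changes `os_version`), which is why `verify` reports it as a reason rather than silently failing: the caller decides whether to re-bind after a step-up or to deny.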
AUTHOR-BP03
Control
The app informs users of all permissions required before the app is first used.
Description
Required permissions are the rights and capabilities the app needs from the mobile device. They determine which resources or functions on the user's device the app may access. Examples include, but are not limited to, the camera, the microphone and location. By providing appropriate notices that tell users which permissions are being requested, developers prevent users from unknowingly granting excessive permissions that malicious actors could abuse to exploit vulnerabilities and steal sensitive data (i.e., PII and authentication data). Such notices also let users make informed decisions about the apps they install.
Implementation guidelines
Developers should use In-App notifications to request access permissions from users. Developers should also ensure that notifications and alerts do not reveal sensitive information.
Things to note
Developers should request only the permissions essential to the app's function.
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 56, 58.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8, 18, 28.
· Apple Developer Guide on Privacy, https://developer.apple.com/design/human-interface-guidelines/privacy (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
AUTHOR-BP04
Control
The app notifies users of all high-risk transactions authorised and completed.
Description
If an app has high-risk business functions, users should be notified promptly whenever a transaction is authorised and completed. By implementing this control, developers ensure that users are alerted as soon as a high-risk transaction is authorised and completed, so that they can identify a fraudulent transaction as early as possible.
Implementation guidelines
Developers should use the following channels to notify the user:
· In-App alerts.
· Email notifications.
· Short Message Service (SMS) notifications.
Developers should also ensure that notifications and alerts do not reveal sensitive information.
The above are some examples of best practices used in the industry. As the mobile device landscape evolves, these methods may become outdated. Developers should therefore follow industry best practices for notifying users of high-risk transactions that have been authorised and completed.
Things to note
Developers should request only the permissions essential to the app's function.
This security control is referenced in other standards. Please refer to the document(s) listed below:
· MAS Technology Risk Management Guidelines (2021), pg. 52.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 10.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 8.
· Apple Developer Guide on Privacy, https://developer.apple.com/design/human-interface-guidelines/privacy (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
3. Data Storage (Data-at-Rest)
Introduction
Data Storage controls for data-at-rest concern protecting the confidentiality and integrity of sensitive data (such as PII and authentication data) that is stored locally on the device on the client side, and on the app's server side, while it is not being actively used or transmitted. They cover the best practices, protection measures and encryption techniques used to secure data held in databases, files, caches, memory and the Trusted Execution Environment (TEE) on mobile devices, and in the equivalent components of the app's back end.
By implementing robust controls for storing data at rest, developers can ensure that user data is preserved and protected. Good data-at-rest controls also let the app reduce the risk of unauthorised access, device compromise, inadvertent data leakage and data breaches, strengthening the security of the app.
These controls ensure that any sensitive data the app stores intentionally is protected properly, regardless of where it resides. They also cover unintentional leaks caused by API misuse or by the behaviour of the platform.
Security controls
ID               Control
STORAGE-BP01     Store sensitive data only as required for transactions.
STORAGE-BP02     Implement secure storage of sensitive data.
STORAGE-BP02a    Store sensitive data securely on the server side.
STORAGE-BP02b    Store sensitive data securely on the client side in the Trusted Execution Environment (TEE).
STORAGE-BP03     Remove sensitive data when it is no longer required.
STORAGE-BP01
Control
The app stores sensitive data only as required for transactions.
Description
Sensitive data is defined as personally identifiable information (PII) and authentication data (for example tokens, cryptographic keys, etc.). Developers should store only the sensitive data necessary for the app's business functions. Accumulating unnecessary data increases the impact of a security breach and makes the app a more attractive target for malicious actors. By implementing this security control, developers ensure that exposure is limited to the data required for specific business functions, reducing the impact of unauthorised access or a data breach.
Implementation guidelines
Developers should classify the data used by the app according to the organisation's sensitivity levels and applicable regulatory requirements. Developers should then apply the following guidelines to secure data classified as sensitive:
1. Implement a storage solution, on the client side or the server side, whose security matches the data's sensitivity.
2. Apply data protection techniques (for example encryption, salted hashing, tokenisation).
3. Remove sensitive data when it is no longer required.
Things to note
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190, 398.
· MAS Technology Risk Management Guidelines (2021), pg. 9-10, 36, 38.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 6.
STORAGE-BP02
Control
The app implements secure storage of sensitive data.
Description
Secure storage for mobile apps refers to the techniques and practices that protect sensitive data held on mobile devices and app back ends from unauthorised access, theft or tampering. It covers best practices such as encryption, hashing, tokenisation and appropriate access controls. By implementing secure storage, developers reduce the likelihood of unauthorised access, device compromise, data breaches and data leakage.
Implementation guidelines
Developers should implement a secure storage solution that matches the sensitivity of the data. Developers should also apply the following order of preference for secure storage solutions (from the most sensitive data to the least sensitive):
1. Server side (all sensitive data should be stored on the server side).
2. Client side within the Trusted Execution Environment (where server-side storage is not possible, store all sensitive data in the client-side TEE).
Things to note
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 17-18.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 190-203, 398-406.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 06-07.
STORAGE-BP02a
Control
The app stores sensitive data securely on the server side.
Description
Storing sensitive data on the server side means holding the data on remote app servers or databases. This approach offers a more secure environment for protecting data from unauthorised access or breach, stronger enforcement of access controls, and the option of applying more robust protection measures such as more complex encryption and prompt security updates.
By storing sensitive data on the server side, developers reduce the risks of client-side storage, since data held on the client is far more exposed to the data extraction techniques commonly used by malicious actors against mobile apps.
Implementation guidelines
Developers should use at least one of the following data protection methods:
1. For passwords only, developers may use hashing with salt [6]. Instead of storing the actual password, a unique salt is generated and combined with the password, and the salted value is hashed.
2. Developers may encrypt sensitive data [7] with standard algorithms such as AES-128, in an authenticated mode such as GCM so that tampering with the ciphertext is detected.
3. Developers may implement tokenisation [8] using a self-managed tokenisation system or a tokenisation service, replacing sensitive data with tokens wherever possible. In addition, developers should ensure that tokens have sufficient length and complexity (depending on the authentication data involved), based on a risk assessment and business requirements.
The above are some examples of best practices used in the industry. As the mobile device landscape evolves, these practices may become outdated. Developers should therefore follow industry best practices for storing sensitive data securely on the server side.
Things to note
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 71-77, 219-227, 416-421.
· MAS Technology Risk Management Guidelines (2021), pg. 30, 36-37, 39.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 9.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 6-9.
[6] Hashing with salt adds a layer of protection by making it computationally harder for attackers to recover the original sensitive data. For storing passwords or deriving keys, developers should use dedicated key derivation functions or slow hash algorithms such as PBKDF2, bcrypt or scrypt.
[7] Encryption transforms data into an unreadable form, ensuring that even if the data is obtained without authorisation, the sensitive information remains confidential.
[8] Tokenisation replaces sensitive data with tokens, reducing the exposure of the sensitive data itself.
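The following is an added example, not code from the CSA standard or the referenced guides. It implements two of the three server-side protection methods above: salted slow hashing of passwords with scrypt (footnote 6), storing the parameters and salt alongside the digest and comparing in constant time, and a tokenisation vault (footnote 8) that hands out random tokens unrelated to the value and keeps the only mapping back. The scrypt cost parameters, the token length and the keyed index are assumptions; the card number in the test is the standard test PAN. Encryption at rest (footnote 7) is not shown because the Python standard library has no AES; use a maintained library with AES-GCM for it.

```python
"""Server-side protection of stored sensitive data (STORAGE-BP02a): salted slow
hashing for passwords (footnote 6) and a tokenisation vault (footnote 8).

Added example for this page, not code from the CSA standard. scrypt parameters and
token lengths are assumptions. Encryption at rest (footnote 7) is not shown because
the Python standard library has no AES; use a maintained library with AES-GCM for it.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# scrypt cost parameters (assumption; tune so one hash costs tens of milliseconds)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Unique random salt per password; store 'scrypt$N$r$p$salt$digest', never the
    password itself, so two users with the same password get different records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class TokenVault:
    """Replaces a sensitive value (e.g. a card number) with a random token. Only the
    vault holds the mapping; every other table stores the token, so a leak of those
    tables exposes nothing reversible. In a real vault the stored values would
    themselves be encrypted (footnote 7) and the index key would come from a KMS."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._index_to_token: Dict[str, str] = {}
        # keyed index: repeat tokenisation of the same value returns the same token
        # without keeping the value in clear as a dictionary key
        self._index_key = secrets.token_bytes(32)   # assumption: from a KMS in practice

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        idx = self._index(value)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        token = secrets.token_urlsafe(24)   # 192 random bits, unrelated to the value
        self._index_to_token[idx] = token
        self._token_to_value[token] = value
        return token

    def detokenise(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)
```

Storing the parameters in the record is what lets the cost be raised later: new hashes use the new N while old records still verify, and can be re-hashed on the user's next successful login.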
STORAGE-BP02b
Control
The app stores sensitive data securely on the client side within the Trusted Execution Environment (TEE).
Description
The Trusted Execution Environment (TEE) is an isolated area within a mobile device's processor or platform that provides a more secure environment for storing sensitive data and executing sensitive or critical operations. It is designed to protect sensitive data, cryptographic keys and critical processes from unauthorised access or tampering. If an app's business functions require sensitive data to be stored on the client side, it is recommended that it be stored in the device's TEE.
By storing sensitive data in the TEE, developers reduce the threat from a compromised device as well as from external malicious actors. Such storage also reduces unauthorised access to the user's sensitive data within the app and prevents cryptographic keys from being stolen.
Implementation guidelines
Developers should store client-side sensitive data within a Trusted Execution Environment (TEE) such as ARM TrustZone on Android devices or Apple's Secure Enclave.
Developers should, at a minimum, store the following sensitive data in a TEE:
· Biometric data.
· Authentication credentials.
· Cryptographic keys, within a secure key management system such as the Android Keystore or the iOS Keychain.
The above are some examples of sensitive data that developers should store in the TEE. As the mobile device landscape evolves, developers should use their discretion to store any other data they consider should reside in the TEE.
Things to note
The Android Keystore and the iOS Keychain give TEE-backed protection only when the key is created with the hardware-backed options (for example StrongBox-backed keys on Android, Secure Enclave-bound keys on iOS) and the device supports them; developers should verify this rather than assume it.
For devices without a hardware TEE, developers may consider using a software-based TEE.
Alternatively, developers may consider disabling the app, or the app's high-risk business functions, since such a device is considered unsafe for high-risk transactions.
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pg. 19-20.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 75, 93, 194-200.
· MAS Technology Risk Management Guidelines (2021), pg. 51.
· PCI Mobile Payment Acceptance Security Guidelines v2.0.0 (2017), pg. 07-09, 14.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 10.
STORAGE-BP03
Control
The app removes sensitive data when it is no longer required.
Description
Removing sensitive data refers to permanently erasing or wiping confidential, private or sensitive information from storage devices, servers or databases. The process ensures that the sensitive data is unrecoverable and cannot be accessed, retrieved, accidentally disclosed or reconstructed by unauthorised persons or by data recovery techniques.
By implementing this process, developers shrink the window in which attackers can exploit vulnerabilities to steal sensitive data.
Implementation guidelines
Developers should apply the following secure deletion practices:
· Clear stored cookies on app termination, or keep cookies in in-memory storage only.
· Remove all sensitive data when the app is uninstalled.
· Explicitly remove all data files that contain sensitive data (for example iOS WebView caches) from the file system once they no longer serve a business purpose.
The above are some examples of best practices used in the industry. As the mobile device landscape evolves, these methods may become outdated. Developers should therefore follow industry best practices for removing sensitive data when it is no longer required.
Things to note
Developers should be mindful of compliance with applicable standards and regulations on data retention, including but not limited to:
· Personal Data Protection Act (PDPA)
· General Data Protection Regulation (GDPR)
· Payment Card Industry Data Security Standard (PCI DSS)
This security control is referenced in other standards. Please refer to the document(s) listed below:
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 199, 206-214, 403-414.
· MAS Technology Risk Management Guidelines (2021), pg. 39.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 07, 09-10.
4. Anti-Tampering & Anti-Reversing
Introduction
Anti-Tampering and Anti-Reversing security controls are additional measures developers can implement to counter attacks that attempt to tamper with or reverse engineer apps. By implementing both, developers add multiple layers of defence to the app, making it harder for malicious actors to tamper with or reverse engineer it, which could otherwise lead to:
· Theft or modification of business assets such as proprietary algorithms, transaction secrets or sensitive data;
· Financial loss to users who use the app for high-risk transactions;
· Financial loss to the organisation through lost revenue or legal action;
· Reputational damage through negative publicity or customer dissatisfaction.
The controls ensure that the app runs on a trusted platform, prevent tampering at runtime and protect the integrity of the app's functionality. In addition, the controls impede comprehension by making it harder for attackers to work out how the app operates.
Security controls
ID                 Control
RESILIENCE-BP01    Sign with certificates from official app stores.
RESILIENCE-BP02    Implement jailbreak/root detection.
RESILIENCE-BP03    Implement emulator detection.
RESILIENCE-BP04    Implement anti-malware detection.
RESILIENCE-BP05    Implement anti-hooking measures.
RESILIENCE-BP06    Implement overlay, remote viewing and screen mirroring protection.
RESILIENCE-BP07    Implement screen capture and keylogger protection against third-party virtual keyboards.
RESILIENCE-BP01
Control
The app is signed with certificates from official app stores.
Description
Apps are frequently counterfeited by malicious actors and distributed through illegitimate channels. Signing an app with certificates provided through official app stores assures the mobile OS and the mobile user that the app comes from a verified source.
Code signing helps operating systems decide whether an app may be installed or run, based on the signature or certificate used to sign the code. This helps prevent the installation and execution of compromised apps. Code signing also helps verify integrity, because the signature will no longer match if the app has been tampered with.
Implementation guidelines
Developers should code-sign their apps with certificates. This section gives examples of how to do so on the two most popular platforms, iOS and Android.
For Apple's App Store, this is done by enrolling in the Apple Developer Program and creating a code signing certificate request in the developer portal. Developers can register for the Apple Developer Program and refer to the developer guide on code signing listed below under Things to note.
For Android, there are multiple app stores. For Google's Play Store, this is done by setting up Play App Signing, which is required for distribution on Google's Play Store. For more information on how to do this, developers can refer to the Android developer guide listed under Things to note.
For other official stores, refer to their respective guidelines on code signing.
Things to note
This security control is also a requirement for publishing apps on official app stores; as such, the control is that your app be code-signed with certificates from official app stores.
This security control is referenced in other standards. Please refer to the document(s) listed below:
· Apple Developer Program Guide for Code Signing, https://developer.apple.com/support/code-signing (Jan 2024).
· Android Developer Guide on Privacy, https://developer.android.com/quality/privacy-and-security (Jan 2024).
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pg. 325-326, 522-523.
· ENISA Smartphone Secure Development Guidelines (2016), pg. 21.
RESILI-BP02
Control
The app performs jailbreak or root detection.
Description
Rooted and jailbroken devices are generally considered insecure. Rooting or jailbreaking a device gives users elevated privileges, which circumvent security measures and OS restrictions. Such elevated privileges can be unsafe for applications, because they allow malicious actors to exploit vulnerabilities, steal credentials, take over the device and perform fraudulent transactions.
By implementing jailbreak or root detection, developers can prevent the exploits mentioned above from occurring, protect the application's intellectual property, maintain application stability and protect in-app functionality.
Implementation guidelines
Developers should implement jailbreak or root detection by performing the following checks in their app for Android devices:
1. Check for a superuser or SU binary.
2. Examine the root file system for modifications.
3. Look for rooting applications.
4. Check for a custom recovery.
5. Check for unsafe API usage.
Developers should implement jailbreak or root detection by performing the following checks in their app for iOS devices:
1. Examine the use of restricted APIs.
2. Look for jailbreak tweaks such as mods.
3. Look for unofficial app stores; for example, check for the Cydia App Store signature.
4. Look for kernel modifications.
5. Check the integrity of the file system.
6. Use third-party libraries designed to detect tampered devices.
The above are a few examples of the best-practice checks used in the industry. As the mobile device landscape evolves, these checks may become outdated. Developers should therefore keep up with industry best practices for performing jailbreak or root detection.
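The Android checks above (SU binary, root file system modifications, rooting applications) written out as an added illustration; this is not code from the CSA standard. It assumes the Android SDK (android.os.Build, PackageManager) and that the app keeps its own up-to-date list of root-manager package names.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

/** Root-detection checks for Android, one method per item of the list above. */
public final class RootDetector {
    // Check 1: locations where the su binary is commonly placed on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sbin/su", "/vendor/bin/su", "/su/bin/su"
    };
    // Check 3: two well-known root managers; maintain your own list (assumed current).
    private static final String[] ROOT_APP_PACKAGES = {
        "eu.chainfire.supersu", "com.topjohnwu.magisk"
    };

    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    public static boolean hasRootApp(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : ROOT_APP_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true;          // package is installed
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, try the next one
            }
        }
        return false;
    }

    // Check 2 (and a hint for check 4): a modified or custom system image is
    // normally signed with test keys rather than the vendor's release keys.
    public static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Check 2: on an unmodified device the system partition is never writable.
    public static boolean isSystemWritable() {
        return new File("/system").canWrite();
    }

    /** Any single positive result is enough to treat the device as rooted. */
    public static boolean isRooted(Context ctx) {
        return hasSuBinary() || hasRootApp(ctx) || hasTestKeys() || isSystemWritable();
    }
}
```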
Things to note
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 319-320, 5069, 518-519.
· MAS Technology Risk Management Guidelines (2021), p. 50.
· ENISA Smartphone Secure Development Guidelines (2016), pp. 11, 23.
9 https://github.com/crazykid95/Backup-Mobile-Security-Report/blob/master/Jailbreak-Root-DetectionEvasion-Study-on-iOS-and-Android.pdf
RESILI-BP03
Control
The app performs emulator detection.
Description
Emulators are software used to test mobile applications by allowing a user to simulate a mobile phone across different types of mobile devices. While useful for testing, apps should not be allowed to be installed on emulators outside the development environment.
By implementing emulator detection, developers can prevent malicious actors from performing dynamic analysis, rooting, debugging, instrumentation, hooking, and fuzz testing on an emulated device under their control. In doing so, developers prevent malicious actors from finding vulnerabilities within the app to exploit.
Implementation guidelines
Developers should implement the detection guidelines below to identify components of commonly used emulation solutions. Some suggested things to check:
· Check battery usage.
· Check timestamps and clocks.
· Check multi-touch capabilities.
· Check memory and performance characteristics.
· Perform network checks.
· Check whether the device is hardware-based.
· Check what the OS is based on.
· Check for device fingerprints.
· Check build configurations.
· Check for emulator services and applications.
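An added example (not CSA code) of the build-configuration, device-fingerprint and emulator-service checks from the list above. It assumes the Android SDK; the property strings and device nodes are those used by the Android SDK emulator and Genymotion, and the threshold of two matches is an assumption to tune against your own device population.

```java
import android.os.Build;
import java.io.File;
import java.util.Locale;

/** Build-property and emulator-service heuristics for common emulators. */
public final class EmulatorDetector {
    // Emulator services: the SDK emulator exposes these qemu device nodes to the guest.
    private static final String[] EMULATOR_FILES = {"/dev/socket/qemud", "/dev/qemu_pipe"};

    /** Scores the supplied build properties; each matching property adds one point. */
    public static int emulatorScore(String fingerprint, String model, String manufacturer,
                                    String hardware, String product, String brand, String device) {
        int score = 0;
        // Device fingerprint: emulator images report a "generic" fingerprint.
        if (lower(fingerprint).startsWith("generic") || lower(fingerprint).contains("emulator")) score++;
        // Build configuration: model names of the SDK system images.
        if (lower(model).contains("google_sdk") || lower(model).contains("emulator")
                || lower(model).contains("android sdk built for")) score++;
        if (lower(manufacturer).contains("genymotion")) score++;
        // Hardware-based check: goldfish and ranchu are the virtual boards of the SDK emulator.
        if (lower(hardware).contains("goldfish") || lower(hardware).contains("ranchu")) score++;
        if (lower(product).contains("sdk") || lower(product).contains("emulator")) score++;
        if (lower(brand).startsWith("generic") && lower(device).startsWith("generic")) score++;
        return score;
    }

    public static boolean hasEmulatorFiles() {
        for (String path : EMULATOR_FILES) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Reads the live build properties; two or more matches, or a qemu node, flags an emulator. */
    public static boolean isEmulator() {
        int score = emulatorScore(Build.FINGERPRINT, Build.MODEL, Build.MANUFACTURER,
                Build.HARDWARE, Build.PRODUCT, Build.BRAND, Build.DEVICE);
        return score >= 2 || hasEmulatorFiles();
    }

    private static String lower(String s) {
        return s == null ? "" : s.toLowerCase(Locale.ROOT);
    }
}
```

Keeping the scoring function separate from the Build lookup lets you unit-test it with recorded property sets from real and emulated devices.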
The above are a few examples of the best-practice checks used in the industry. As the mobile device landscape evolves, these checks may become outdated. Developers should therefore keep up with industry best practices for performing emulator detection.
Things to note
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), pp. 31-32.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 325, 521.
RESILI-BP04
Control
The app performs anti-malware detection.
Description
Malware apps are increasingly used by malicious actors as a vector to compromise users' mobile devices, because these devices give users the convenience they need to perform day-to-day transactions. Malware apps exploit popular use cases as a lure for people to install malicious software on their devices.
By implementing anti-malware detection capability in an app at runtime, developers can protect users from exploitation through malware that abuses application vulnerabilities and OS weaknesses, steals credentials, takes over the device, and performs fraudulent transactions.
Implementation guidelines
Developers should use malware detection capability within their applications. This can be done in several ways, including but not limited to:
· Incorporating a Runtime Application Self-Protection (RASP) Software Development Kit (SDK) into their applications.
· Using RASP SDKs to check and scan for malicious applications at runtime.
· Checking for and protecting against overlays.
· Preventing clickjacking.
· Preventing memory exploitation.
The above are a few examples of the best-practice checks used in the industry. As the mobile device landscape evolves, these checks may become outdated. Developers should therefore keep up with industry best practices for performing malware detection.
Things to note
If any form of compromise is detected, developers should disable the app and give the user relevant information on why the app has been disabled, urging the user to remove the malicious app(s) from their device.
Alternatively, developers should warn the user and disable high-risk functions in the app until the user has remediated the malware.
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 31.
· MAS Technology Risk Management Guidelines (2021), pp. 40, 49.
· ENISA Smartphone Secure Development Guidelines (2016), p. 23.
RESILI-BP05
Control
The app implements anti-hooking mechanisms.
Description
Hooking refers to a technique used by attackers to intercept or modify the behaviour of a mobile app at runtime. It involves injecting into or attaching to the execution flow of an app to monitor its actions, alter its behaviour, inject malicious code or replace existing functions in order to exploit vulnerabilities.
By implementing anti-hooking mechanisms in applications, developers can prevent the attacks described above and protect against unauthorised access, secure high-value transaction processes, detect and block tampering and modification attempts, preserve intellectual property and maintain the app's trustworthiness.
Implementation guidelines
Developers should implement the following example methods to mitigate hooking attacks:
· Implement protections to block code injection.
· Implement protections against method hooking by protecting against changes to the app source code (on both the client and the server).
· Implement protections to prevent debugging of your app.
· Implement protections to prevent memory exploitation and memory dumps of your app.
· Implement tamper-resistant algorithms or anti-tamper SDKs (commonly referred to as Runtime Application Self-Protection SDKs).
· Check for insecure configurations such as deprecated APIs and settings.
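An added example (not CSA code) for the first and third bullets above: a debugger check and a heuristic scan of /proc/self/maps for native libraries loaded from outside the system partitions and the app's own library directory, which is where injected agents usually come from. It assumes the Android SDK; the set of trusted partition prefixes is an assumption to adjust per OS version.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Debug;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Debugger and injected-library checks supporting the anti-hooking list above. */
public final class HookingGuard {

    /** A release build must not be debuggable, and no debugger may be attached at runtime. */
    public static boolean isDebugged(Context ctx) {
        boolean debuggable =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        return debuggable || Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /**
     * Returns the .so files mapped into this process that do not live in a system
     * partition or in nativeLibDir (normally ctx.getApplicationInfo().nativeLibraryDir).
     * A non-empty result is a signal for closer inspection, not proof of hooking.
     */
    public static List<String> unexpectedLibraries(String nativeLibDir) throws IOException {
        List<String> suspicious = new ArrayList<>();
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                // maps line: "start-end perms offset dev inode path"; the path is the first '/'
                int idx = line.indexOf('/');
                if (idx < 0 || !line.endsWith(".so")) continue;
                String path = line.substring(idx);
                if (isTrustedLocation(path, nativeLibDir) || suspicious.contains(path)) continue;
                suspicious.add(path);
            }
        }
        return suspicious;
    }

    static boolean isTrustedLocation(String path, String nativeLibDir) {
        return path.startsWith("/system/") || path.startsWith("/vendor/")
                || path.startsWith("/apex/") || path.startsWith("/product/")
                || path.startsWith("/system_ext/") || path.startsWith("/odm/")
                || path.startsWith(nativeLibDir + "/");
    }
}
```

Run both checks early (before sensitive screens are shown) and again periodically, since a debugger or agent may attach after start-up.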
The above are a few examples of the best-practice checks used in the industry. As the mobile device landscape evolves, these checks may become outdated. Developers should therefore keep up with industry best practices for implementing anti-hooking mechanisms.
Things to note
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 135-140, 189, 318-319, 339-340, 390, 520.
· MAS Technology Risk Management Guidelines (2021), p. 56.
· ENISA Smartphone Secure Development Guidelines (2016), pp. 23, 26.
RESILI-BP06
Control
The app implements overlay, remote viewing, and screenshot prevention.
Description
Sensitive information can be captured or recorded without the user's explicit consent when an app is exposed to screen capture, overlay or remote viewing activity. For example:
· Overlay attacks deceive users by drawing a fake interface that mimics trusted apps, with the aim of stealing sensitive information.
· Remote viewing attacks involve unauthorised access to a device's screen, allowing attackers to harvest sensitive information remotely.
· Screenshot attacks occur when malicious actors capture a device's screen without the user's consent, exposing sensitive information.
Implementing overlay, remote viewing and screenshot protections for sensitive information secures sensitive data, protects the user and safeguards sensitive information from loss or misuse.
Implementation guidelines
Developers should implement anti-tamper checks and anti-malware detection via RASP SDKs to protect against malicious apps that use overlays and remote viewing.
For screenshots, developers can use the FLAG_SECURE flag for Android applications and equivalent mechanisms for iOS to block screenshots while the app is in use. However, business functions may require screenshots (for example, capturing a screenshot of a completed PayNow transaction). In that case, the recommendation is to disable screenshot capability only for screens or pages containing sensitive information (PII and Authentication Data).
Developers can also consider masking sensitive information and characters while the app is running.
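An added example (not CSA code) of a sensitive Android screen that sets FLAG_SECURE only on itself, drops touches delivered while another window is drawn over it (the overlay and clickjacking bullets of RESILI-BP04 as well), and masks PII when the screen leaves the foreground. It assumes the Android SDK and a layout with a text view for an account number; R.layout.activity_sensitive and R.id.account_number are placeholder resource names.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.widget.TextView;

/** A screen holding PII: no screenshots, no obscured touches, masked while paused. */
public class SensitiveActivity extends Activity {
    private TextView accountNumber;      // view showing PII (placeholder id below)
    private CharSequence unmaskedValue;  // kept in memory only while paused

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Block screenshots, screen recording and the task-switcher preview for this
        // screen only; screens such as a completed-transaction receipt stay capturable.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_sensitive);      // placeholder layout
        accountNumber = findViewById(R.id.account_number); // placeholder id
        // Discard touches that arrive while another window covers this view
        // (overlay / tapjacking): the system sets FLAG_WINDOW_IS_OBSCURED on them.
        View root = findViewById(android.R.id.content);
        root.setFilterTouchesWhenObscured(true);
        accountNumber.setFilterTouchesWhenObscured(true);
    }

    @Override
    protected void onPause() {
        // Mask the sensitive characters before the screen is no longer in front.
        unmaskedValue = accountNumber.getText();
        accountNumber.setText(mask(unmaskedValue));
        super.onPause();
    }

    @Override
    protected void onResume() {
        super.onResume();
        if (unmaskedValue != null) accountNumber.setText(unmaskedValue);
    }

    /** Keeps the last four characters visible and replaces the rest with bullets. */
    static String mask(CharSequence value) {
        if (value == null) return "";
        String s = value.toString();
        int keep = Math.min(4, s.length());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length() - keep; i++) sb.append('\u2022');
        return sb.append(s.substring(s.length() - keep)).toString();
    }
}
```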
Things to note
Some examples of screens that should carry these screenshot restrictions include but are not limited to login pages, Multi-Factor Authentication pages, Security Tokens, and PII change pages.
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 166-168, 257, 259, 265-267, 366, 480-481.
· MAS Technology Risk Management Guidelines (2021), p. 56.
· ENISA Smartphone Secure Development Guidelines (2016), p. 8.
RESILI-BP07
Control
The app implements keystroke capture or keylogger protection against third-party keyboards.
Description
Keystroke capture and keylogging are techniques used by malicious actors to monitor, record, and log keystrokes on a keyboard without the user's knowledge and consent. This enables the logging and capture of potentially sensitive data (i.e. PII and Authentication Data).
By implementing keystroke capture and keylogging countermeasures, developers can prevent the unwanted loss of sensitive information. This control particularly targets Android devices, because the default keyboard on Android devices can be replaced. Such replacements can expose applications to vulnerabilities, because the trusted path between the keyboard application and the app may then contain untrusted components.
Implementation guidelines
Developers should not allow third-party soft keyboards to be used for functions that may contain sensitive information. Secure in-app custom keyboards are preferred for such functions.
By implementing an in-app keyboard, developers control where keystroke data goes and reduce the risk of an insecure third-party keyboard acting as a keylogger that captures keystrokes.
Along with using in-app keyboards, developers should implement the following recommendations for functions that require sensitive information (i.e. PII and Authentication Data): disable autocorrect, autofill, autosuggestion, cut, copy, and paste for functions and/or applications containing sensitive information.
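An added example (not CSA code) that applies the recommendations above to one Android input field: it suppresses the system IME so an in-app keyboard can be shown instead, and disables autocorrect, autosuggestion, autofill, cut, copy and paste. It assumes the Android SDK (API 26 or later) and that the app's own keyboard view writes characters into the field; that view is passed in as inAppKeys.

```java
import android.text.InputType;
import android.view.ActionMode;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.widget.EditText;

/** Hardening for an EditText that collects PII or authentication data. */
public final class SensitiveInput {

    /** Returning false from onCreateActionMode suppresses the cut/copy/paste toolbar. */
    private static final ActionMode.Callback NO_ACTIONS = new ActionMode.Callback() {
        @Override public boolean onCreateActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onPrepareActionMode(ActionMode mode, Menu menu) { return false; }
        @Override public boolean onActionItemClicked(ActionMode mode, MenuItem item) { return false; }
        @Override public void onDestroyActionMode(ActionMode mode) { }
    };

    /**
     * @param field     the input collecting sensitive data
     * @param inAppKeys the app's own keyboard view (assumed to exist); it is shown
     *                  while the field has focus, in place of the system keyboard
     */
    public static void harden(EditText field, final View inAppKeys) {
        // Autocorrect / autosuggestion: NO_SUGGESTIONS asks the IME not to predict;
        // many IMEs only honour it together with a password variation, hence both.
        field.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS
                | InputType.TYPE_TEXT_VARIATION_VISIBLE_PASSWORD);
        // Autofill: keep autofill services from reading or proposing the value.
        field.setImportantForAutofill(View.IMPORTANT_FOR_AUTOFILL_NO);
        // Cut / copy / paste: no long-press selection and no selection or insertion toolbar.
        field.setLongClickable(false);
        field.setCustomSelectionActionModeCallback(NO_ACTIONS);
        field.setCustomInsertionActionModeCallback(NO_ACTIONS);
        // Third-party keyboards: never raise the system IME for this field;
        // show the in-app keyboard while it has focus instead.
        field.setShowSoftInputOnFocus(false);
        field.setOnFocusChangeListener((v, hasFocus) ->
                inAppKeys.setVisibility(hasFocus ? View.VISIBLE : View.GONE));
    }
}
```

For a password field use TYPE_TEXT_VARIATION_PASSWORD instead of the visible variation so the characters are also hidden on screen.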
Things to note
Some examples of functions that should use in-app keyboards include but are not limited to signing in, entering an OTP or other authentication credentials, etc.
This security control and best practice focus primarily on Android devices. The main goal is to ensure the security of the trusted path. Since Android does not provide a way to enforce the use of trusted keyboards, developers should use an in-app keyboard to ensure that keystroke data is not captured.
Implementing a secure in-app keyboard does not mitigate the risks associated with a compromised device.
This security control is referenced in other standards. Please refer to the document(s) provided:
· OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 (2023), p. 31.
· OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 (2023), pp. 203, 214-215, 257, 259, 400, 414-415.
· MAS Technology Risk Management Guidelines (2021), p. 56.
· ENISA Smartphone Secure Development Guidelines (2016), pp. 8, 23.
References

| S/N | Document | Source | Date |
| --- | --- | --- | --- |
| 1 | OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0 | OWASP | 2023 |
| 2 | OWASP Mobile Application Security Testing Guide (MASTG) v1.7.0 | OWASP | 2023 |
| 3 | MAS Technology Risk Management Guidelines | MAS | 2021 |
| 4 | PCI Mobile Payment Acceptance Security Guidelines v2.0.0 | PCI-DSS | 2017 |
| 5 | ENISA Smartphone Secure Development Guidelines | ENISA | 2016 |
| 6 | Android Developers | Android | 2024 |
| 7 | Apple Developer Documentation | Apple | 2024 |