Mobile app security testing in Singapore has become a compliance requirement for fintech and financial services firms, not just a security best practice. With Singapore's mobile banking penetration exceeding 90% and MAS expecting penetration testing to cover all customer-facing systems, a mobile app VAPT is no longer optional for regulated entities.
Firms commissioning mobile app security testing in Singapore must engage a provider licensed by the Cyber Security Agency of Singapore (CSA) through its Cybersecurity Services Regulation Office (CSRO). Under the Cybersecurity Act 2018, penetration testing is a licensable cybersecurity service, so the licence requirement sits on the provider of any penetration test, mobile app tests included.
The Mobile Threat Landscape in Singapore
Singapore's CSA Cybersecurity Health Report identifies mobile malware, phishing via mobile channels, and insecure mobile banking apps as persistent threats to Singapore consumers and businesses. For fintechs, the risks concentrate around:
- Insecure local data storage — sensitive data written to device storage in plaintext
- Weak cryptography — hardcoded keys, weak algorithms, or improper certificate validation
- Broken authentication — session tokens not invalidated on logout, biometric prompts that can be bypassed, or no re-authentication before sensitive operations
- Insecure API communication — certificate validation disabled or incomplete, cleartext endpoints, or missing certificate pinning, so traffic can be intercepted by an attacker-controlled or user-installed CA
- Client-side injection — malicious input reaching the app through deep links, intents or other inter-app communication without validation
- Reverse engineering and tampering exposure — insufficient code obfuscation, no root/jailbreak detection and no runtime integrity checks, allowing attackers to extract secrets or hook the app's logic
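As an added example (not code from the original article), the following Python check reads an Android network_security_config.xml and flags the weak settings behind the insecure API communication item above: cleartext traffic permitted, user-installed CAs trusted (so a proxy CA added in Settings is accepted), and no pin-set, or an expired pin-set, for the API host. The two configs, the hostname and the pin digests are constructed placeholders.

```python
"""Static pre-check of an Android network_security_config.xml for settings
that weaken TLS. Added example, not code from the original article; the two
configs, the hostname and the pin digests are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed weak config: HTTP allowed, user-installed CAs trusted (so a
# proxy CA added via Settings is accepted), and no pins for the API host.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed hardened config: system CAs only, cleartext off, and a pin-set
# for the API host with a backup pin and an expiry date (digests are dummies).
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example-bank.sg</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def _is_true(element, attr, default="false"):
    return element.get(attr, default).lower() == "true"


def check_network_config(xml_text, api_host, today="2026-01-01"):
    """Return a list of finding strings for the config as it applies to api_host.
    today is an ISO date used to evaluate pin-set expiry."""
    root = ET.fromstring(xml_text)
    findings = []

    # For apps targeting API 28+ cleartextTrafficPermitted defaults to false,
    # so only an explicit true is flagged here.
    base = root.find("base-config")
    base_cleartext = base is not None and _is_true(base, "cleartextTrafficPermitted")
    if base_cleartext:
        findings.append("base-config permits cleartext (HTTP) traffic")
    if base is not None:
        for cert in base.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append("base-config trusts user-installed CAs (a proxy CA would be accepted)")

    # Locate the domain-config covering the API host, honouring includeSubdomains.
    covering = None
    for dc in root.findall("domain-config"):
        for dom in dc.findall("domain"):
            name = (dom.text or "").strip()
            subdomains = _is_true(dom, "includeSubdomains")
            if api_host == name or (subdomains and api_host.endswith("." + name)):
                covering = dc
    if covering is None:
        findings.append(f"no domain-config for {api_host}: no certificate pinning")
        return findings

    # A domain-config inherits cleartextTrafficPermitted from base-config when unset.
    if covering.get("cleartextTrafficPermitted") is None:
        domain_cleartext = base_cleartext
    else:
        domain_cleartext = _is_true(covering, "cleartextTrafficPermitted")
    if domain_cleartext and not base_cleartext:
        findings.append(f"domain-config for {api_host} permits cleartext traffic")

    pin_set = covering.find("pin-set")
    if pin_set is None:
        findings.append(f"domain-config for {api_host} has no pin-set")
        return findings
    if len(pin_set.findall("pin")) < 2:
        findings.append("pin-set has no backup pin: certificate rotation will break the app")
    expiration = pin_set.get("expiration")
    if expiration and date.fromisoformat(expiration) <= date.fromisoformat(today):
        findings.append(f"pin-set expired on {expiration}: Android stops enforcing the pins after this date")
    return findings
```

The hardened config is the shape to look for in a decoded APK (res/xml/network_security_config.xml): system CAs only, cleartext disabled, and a pin-set with at least one backup pin. A clean static result does not prove pinning is enforced at runtime (the app may use its own TLS stack or a third-party pinning library), which is why the tester still proxies the traffic with a user-installed CA and with Frida hooks in place.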
OWASP MASVS: The Standard for Mobile Security Testing
The OWASP Mobile Application Security Verification Standard (MASVS), with its companion Mobile Application Security Testing Guide (MASTG), is the reference against which mobile tests are scoped. Testing is specified by verification level, with the R profile added as an overlay:
MASVS-L1: Standard Security
The baseline for all mobile apps. Covers fundamental controls: secure data storage, network communication security, authentication, cryptography, platform interaction security, and code quality. Every consumer-facing mobile app in Singapore should meet MASVS-L1 as a minimum.
MASVS-L2: Defence in Depth
Adds defence-in-depth controls for apps that handle sensitive data: certificate pinning, stricter handling of sensitive data at rest and in memory, and stronger authentication such as re-authentication before sensitive transactions. Expected for high-value apps: mobile banking, payment wallets, and any app handling financial transactions. The mobile application controls in MAS TRM correspond to MASVS-L2 combined with the R profile, since the anti-tampering and rooted-device controls it describes sit in R rather than in L2.
MASVS-R: Resilience
An overlay applied on top of L1 or L2 rather than a third level: anti-tampering, root/jailbreak detection, anti-debugging, obfuscation and runtime integrity checks. Relevant where the business model or the security of the system depends on making the client binary hard to decompile or hook. These controls raise the cost of attacking the app on the device but do not replace server-side enforcement, because the attacker controls the device the app runs on.
MAS Expectation
Mobile Apps Are In-Scope for Annual VAPT
The MAS TRM Guidelines require penetration testing of internet-facing systems and customer-facing applications. If your Singapore fintech offers a mobile app, the app and the backend APIs it calls fall within your annual penetration testing scope. Engage a CREST-accredited, CSRO-licensed firm for testing that will stand up to MAS examination.
iOS Security Testing: What CREST Testers Cover
iOS security testing is carried out on a jailbroken physical device; the iOS Simulator runs a separate build of the app and does not reproduce the Keychain, Secure Enclave or jailbreak-detection behaviour of a real device. Coverage includes:
- Data storage analysis — NSUserDefaults, Keychain, Core Data, SQLite databases, log files, clipboard data and the app sandbox directories for sensitive information exposure, including whether files are protected by Data Protection classes and excluded from backups
- Network traffic analysis — using an intercepting proxy to capture HTTPS traffic, confirming that certificate validation cannot be weakened and that pinning holds when a user-installed proxy CA is present
- Authentication testing — session management, biometric authentication bypass (for example a LocalAuthentication check that only gates the UI rather than unlocking a Keychain item), and token handling
- Binary analysis — static analysis of the decrypted binary for hardcoded credentials, weak cryptographic implementations, and debugging artefacts
- Dynamic analysis — runtime manipulation with Frida to hook jailbreak detection and anti-tampering controls and confirm they cannot be trivially bypassed
- IPC and URL scheme testing — custom URL schemes and Universal Links, checking that deep-link parameters are validated and that sensitive actions cannot be triggered without re-authentication
Android Security Testing: Key Differences
Android's open architecture presents a distinct set of vulnerabilities:
- Manifest analysis — exported activities, services, content providers and broadcast receivers reachable by other apps; from Android 12 (API 31) android:exported must be declared explicitly for any component with an intent filter, but apps targeting older API levels still export such components by default
- Intent injection — testing whether implicit intents can be hijacked and whether components trust data in incoming intents without validation
- Root detection bypass — verifying that root detection cannot be trivially bypassed using Magisk or similar tools
- Broadcast receiver security — testing for exported receivers without a permission that expose sensitive functionality or accept spoofed broadcasts
- WebView security — testing for JavaScript injection, addJavascriptInterface bridges exposed to untrusted content, file access settings and cross-origin resource access in embedded WebViews
- Backup security — verifying android:allowBackup and the backup rules so that sensitive app data is not captured by adb backup or cloud backup
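As an added example (not code from the original article), the following Python analyser performs the manifest, broadcast receiver and backup checks above on a decoded AndroidManifest.xml, such as the one apktool writes. It computes each component's effective exported state, including the pre-API-31 implicit export, and reports exported components with no permission guard alongside allowBackup, debuggable and usesCleartextTraffic. The manifest, package name and component names are constructed placeholders.

```python
"""Flag the AndroidManifest.xml settings a manifest review looks for: exported
components with no permission guard, allowBackup, debuggable and cleartext
traffic. Added example, not code from the original article; run it on the
decoded manifest that apktool writes. The manifest below is constructed and
the package and component names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def a(attr):
    """Qualified name for an android: attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed manifest with one instance of each issue the analyser reports.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="sg.example.bank">
  <uses-sdk android:targetSdkVersion="30" />
  <application android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="examplebank" android:host="transfer" />
      </intent-filter>
    </activity>
    <receiver android:name=".OtpReceiver" android:exported="true">
      <intent-filter>
        <action android:name="sg.example.bank.OTP_RECEIVED" />
      </intent-filter>
    </receiver>
    <provider android:name=".AccountProvider"
              android:authorities="sg.example.bank.accounts"
              android:exported="true"
              android:permission="sg.example.bank.READ_ACCOUNTS" />
    <service android:name=".SyncService" android:exported="false" />
  </application>
</manifest>"""


def is_exported(component, target_sdk):
    """Effective exported state. Before API 31 a component with an intent-filter
    and no android:exported attribute is exported by default; from API 31 the
    attribute must be declared for such components (install fails otherwise)."""
    explicit = component.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None and target_sdk < 31


def is_launcher(component):
    """Launcher activities are exported by design; skip them."""
    return any(
        cat.get(a("name")) == "android.intent.category.LAUNCHER"
        for cat in component.iter("category")
    )


def analyse_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(a("targetSdkVersion"), "0")) if sdk is not None else 0
    app = root.find("application")
    if app is None:
        return findings
    # allowBackup defaults to true, so an absent attribute is also reported.
    if app.get(a("allowBackup"), "true").lower() == "true":
        findings.append("allowBackup is true (the default): app data is included in backups unless backup rules exclude it")
    if app.get(a("debuggable"), "false").lower() == "true":
        findings.append("debuggable is true: a debugger can attach to the release build")
    if app.get(a("usesCleartextTraffic"), "false").lower() == "true":
        findings.append("usesCleartextTraffic is true: HTTP connections are allowed")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        if comp.get(a("permission")):
            continue  # guarded by a permission; still review its protectionLevel
        if comp.tag == "activity" and is_launcher(comp):
            continue
        findings.append(f"{comp.tag} {comp.get(a('name'))} is exported without a permission")
    return findings
```

The two component findings on the sample are the ones that matter in a banking app: the deep-link activity is exported implicitly because the build targets API 30, so any installed app can open it with crafted parameters, and the exported OTP receiver with no permission will accept a spoofed broadcast from any app. A permission-guarded component such as the provider here is not reported, but the tester still checks that the permission's protectionLevel is signature, since a normal-level permission can be requested by any app.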
Defining Your Mobile VAPT Scope
A mobile app security test should always include both the mobile client and its backend APIs. Testing the app in isolation misses the server-side vulnerabilities that the app communicates with — broken object-level authorisation, improper input validation, and authentication weaknesses at the API layer.
Your mobile VAPT scope should specify:
- Target platforms — iOS, Android, or both
- App version and build type — production equivalent build preferred
- Test environment — dedicated test environment with test accounts
- MASVS level targeted — L1 or L2, and whether the R profile is included
- Whether backend API testing is included
- Whether source code review (white-box) is in scope
Selecting a Mobile App Security Testing Provider
Mobile security testing requires specialist skills distinct from web application testing. When evaluating Singapore providers:
- Confirm CSRO licensing — penetration testing is a licensable cybersecurity service under the Cybersecurity Act; check the provider against the licensee list published by CSRO rather than taking the claim at face value
- Verify CREST accreditation and individual tester certifications (CCT APP or equivalent)
- Confirm experience with both iOS and Android platforms, not just one
- Ask for MASVS coverage mapping in the sample report — findings should map to specific MASVS controls
- Ensure backend API testing is offered as part of the engagement
Infinite Cybersecurity conducts mobile VAPT as part of comprehensive application security testing for Singapore's financial services sector. Our CREST-certified, CSRO-licensed team covers iOS and Android against OWASP MASVS L1 and L2, producing MAS TRM-aligned documentation. See our VAPT services or contact us to discuss your mobile security requirements.
Ready to Secure Your Mobile App?
Our CREST-accredited, CSRO-licensed team tests iOS and Android apps against OWASP MASVS and MAS TRM requirements.