CYBERJAYA: CyberSecurity Malaysia (CSM) has introduced the Mobile Application Certification (MAC) scheme, which aims to validate and certify the security of apps in the country.
This covers apps across sectors, including both the government and private sectors, and even critical infrastructure, says CSM chief executive officer Datuk Dr Amirudin Abdul Wahab in an interview with LifestyleTech.
“Basically, it gives formal assurance that an app has gone through a proper security assessment – checking it against defined requirements to help reduce risks like data leaks, unauthorised access, or exploitation,” he says.
The MAC scheme is the result of a partnership between CSM and Total SE Solutions Sdn Bhd (TSE), which is a subsidiary of Zchwantech Cybersecurity Sdn Bhd. TSE is also a licensed cybersecurity service provider under CSM.
Amirudin adds that CSM would be positioned as an independent third party that gives assurance for such claims, requiring developers to address vulnerabilities, gaps and security oversights before their apps can be certified.
In the long run, he hopes that such certification will function as an indicator that an app is trusted and secure for the public, rather than having to rely on security claims from app-makers.
Apps validated under the scheme will be provided an official certificate, along with a logo that developers are encouraged to display within their apps or other promotional materials for better visibility to users.
Each update released after certification will also need to be submitted for re-assessment in a process called “Maintenance”, to ensure that the required security standards are still met.
In simple terms, Amirudin says that the scheme would be similar to halal certification. While a restaurant may be halal, having the certification and logo from the Department of Islamic Development Malaysia (Jakim) gives consumers confidence that it is officially recognised as such.
While the app certification process is currently not mandatory, Amirudin believes that it would help give Malaysians peace of mind that an app is certified as safe and secure for their use.
“Similarly, regardless of whether you are from the government, critical sectors, industry, private companies, et cetera, when there is an app being developed, it should go through this MAC scheme.
“This is so that there is formal assurance that it has gone through regular evaluation to ensure and give the level of confidence that it is trusted and secure,” he says.
As of publication, 10 mobile apps are undergoing the certification process, which evaluates them against a structured list of security requirements covering data protection, authentication mechanisms and resistance to common attacks.
Should the app meet the requirements, it will then be approved and certification will be issued. This process typically takes up to 60 days to complete.
“Similar initiatives have already been implemented overseas, including in Taiwan, where a similar approach has been used to enhance trust and security in mobile applications.
“The MAC scheme builds upon these international practices but is tailored to suit Malaysia’s local context and cybersecurity needs,” Amirudin says.
An official list of certified apps will be available on CSM’s Information Security Certification Body (ISCB) website.
He adds that the scheme’s assessment criteria are based on globally recognised standards set by bodies such as the Open Worldwide Application Security Project (OWASP) and the US National Institute of Standards and Technology (NIST).
Under the scheme, there are three different levels of certification, with the categorisation and security requirements depending on the app’s intended use.
“The first level, Level 1, focuses on the basic security features of mobile applications – things like general data handling and simple protections against common vulnerabilities.
“Then we have Level 2, which includes everything from Level 1, but adds stronger checks, especially around authentication and authorisation processes to make sure only legitimate users can access sensitive parts of the app.
“And finally, Level 3 covers all the previous requirements and includes more advanced features such as secure handling of financial transactions, or other high-risk operations,” Amirudin says.
He stresses that developers have a tendency to overlook the security aspect when creating apps. This could be due to being focused on adding functionality, or to a lack of expertise or knowledge.
This is where the presence of CSM and the MAC scheme can help cover those potential gaps in cybersecurity, Amirudin says, adding that he expects more critical and high-impact apps to go through the certification process over time.
“We want to help developers to understand the value of embedding this security into their mobile app in the early stage of the development process.
“It’s very important because sometimes people tend to forget security, and leave it as just an afterthought, which is wrong. It should be by design,” he says.
Currently, companies and app developers can apply for certification under the MAC scheme via email, with fees varying depending on the required certification level for a specific app.
