RBI Guidelines
The RBI Master Directions and Guidelines on Information Security and Cyber Resilience underscore the critical importance of mobile application security, given the rapid growth of digital banking, UPI, and mobile-based financial services. Mobile applications serve as a primary channel for customer interactions, transactions, and access to sensitive financial data, making them a high-value target for cyber threats such as malware, data leakage, account takeover, and transaction manipulation.
All RBI-regulated entities are required to adhere to these guidelines to ensure robust protection of customer data, secure transaction processing, and resilience against cyber incidents. The guidelines mandate the implementation of strong security controls across the application lifecycle, including secure development practices, runtime protection, continuous monitoring, and incident response. Compliance is mandatory and aimed at maintaining trust in the financial system, reducing fraud risk, and ensuring operational continuity. Non-adherence may lead to supervisory observations, regulatory action, and reputational impact for the regulated entity.
| # | Serial No. | RBI Guidelines | Checks present with Bugsmirror MASST |
|---|---|---|---|
| MOBILE PAYMENTS APPLICATION SECURITY CONTROLS ( CHAPTER - 4 ) | |||
| 1 | 55 | On detection of any anomalies or exceptions for which the mobile application was not programmed, the customer shall be directed to remove the current copy/ instance of the application and proceed with installation of a new copy/ instance of the application. | Bugsmirror Defender Detects Hooking and code injects attacks to anomalies or exceptions for which the mobile application was not programmed, and the customer gets warning to correct their device state. |
| 2 | 56.a | Device policy enforcement (allowing app installation/ execution after baseline requirements are met) | Bugsmirror Defender helps in Root detection, emulator detection etc., such that if the device state is incorrect and malicious |
| 3 | 56.b | Application secure download/ install; | Bugsmirror Defender doesn't allow APK sharing and only allows installation from trusted marketplaces. |
| 4 | 56.c | Deactivating older application versions in a phased but time bound manner (not exceeding six months from the date of release of newer version) i.e., maintaining only one version (excluding the overlap period while phasing out older version) of the mobile application on a platform/ operating system | |
| 5 | 56.e | Device or application encryption | Bugsmirror Guard for local data storage encryption and Bugsmirror Shield for source code encryption. |
| 6 | 56.d.f | Storage of customer data, Ensuring minimal data collection/ app permissions | (Client side solution hence stores no data) |
| 7 | 56.g | Application sandbox/ containerisation. | |
| 8 | 56.h | Ability to identify remote access applications (to the extent possible) and prohibit login access to the mobile application, as a matter of precaution; and | Bugsmirror Defender detects remote access in Android; additionally, it can detect remote access apps, it also detects accessibility permission. |
| 9 | 56.i | Code obfuscation. | Bugsmirror Shield encrypts code, protecting it from decompilation and reverse engineering by going beyond mere obfuscation. |
| 10 | 57 | REs may consider to perform validation on the security and compatibility condition of the device/ operating system and the mobile application to ensure that activities relating to the account are put through the mobile application in a safe and secure manner. | Bugsmirror provides static, runtime security assessment, api security reports on a quarterly basis and red teaming assessment on a half yearly basis. Bugsmirror Defender also helps in verifying device integrity helping in verifying device/ OS compatibility. |
| 11 | 58 | REs may explore the feasibility of implementing a code that checks if the device is rooted/ jailbroken prior to the installation of the mobile application and disallow the mobile application to install/ function if the phone is rooted/ jailbroken. | Bugsmirror Defender SDK detects rooted and jail broken devices after installation. |
| 12 | 59 | Checksum of the current active version of the application shall be hosted on a public platform so that users can verify the same. | In Android Bugsmirror Defender, we internally verifies the checksum at runtime, so that users don’t have to verify the same. |
| 13 | 62 | Applications must be able to identify connections from unsecured networks like unsecured Wi-Fi connections and must implement appropriate authentication/ checks/ measures to perform transactions under those circumstances. | (Bugsmirror Defender offers secure communication) Defender detects Unsecured Wifi, SSL stripping, Protects from MitM etc. |
| 14 | 64 | REs shall ensure that their mobile application limits the writing of sensitive information into ‘temp’ files. The sensitive information written in such files must be suitably encrypted/ masked/ hashed and stored securely. | Locally stored data through Bugsmirror Guard is encrypted |
| 15 | 65 | REs may consider designing anti-malware capabilities into their mobile applications. | Defender is a RASP solution for App Shielding. |
| 16 | 66 | REs shall ensure that the usage of raw (visible) SQL queries in mobile applications to fetch or update data from databases is avoided. Mobile applications should be secured from SQL injection type of vulnerabilities. Sensitive information should be written to the database in an encrypted form. | Locally stored data through Bugsmirror Guard is protected from SQL Injection |
| General Controls CHAPTER - 2 | |||
| Governance and Management of Security Risks | |||
| 17 | 5 | The Board/ Senior Management of REs shall have appropriate performance monitoring systems/ key performance indicators for assessing whether the product or service offered through digital payment channels meet operational and security norms. | ThreatLens Dashboard can act as a security performance indicator |
| 18 | 6 | As part of this process, the REs shall define product-level limits on the level of acceptable security risk, document specific security objectives and performance criteria including quantitative benchmarks for evaluating the success of the security built into the digital payment product or service, periodically compare actual results with projections and qualitative benchmarks to detect and address adverse trends or concerns in a timely manner and modify the business plan/ strategy involving the product, when appropriate, based on the security performance of the product or service. | ThreatLens Dashboard can act as a security performance indicator |
| Other Generic Security Controls | |||
| 19 | 13 | The communication protocol in the digital payment channels (especially over Internet) shall adhere to a secure standard. An appropriate level of encryption and security shall be implemented in the digital payment ecosystem. | Secure communication by BD |
| 20 | 18 | The mobile application and internet banking application should have effective logging and monitoring capabilities to track user activity, security changes and identify anomalous behaviour and transactions. | Bugsmirror Defender helps in identifying anomalous behaviour |
| Application Security Life Cycle (ASLC) | |||
| 21 | 20 | REs shall follow a ‘secure by design’ approach in the development of digital payment products and services. REs shall ensure that digital payment applications are inherently more secure by embedding security within their development lifecycle. | Bugsmirror Defender's and Bugsmirror Guard's compile time integration helps with implementing RASP and security at development level |
| 22 | 24 | REs shall conduct security testing including review of source code, Vulnerability Assessment (VA) and Penetration Testing (PT) of their digital payment applications to assure that the application is secure for putting through transactions while preserving confidentiality and integrity of the data that is stored and transmitted. | Bugsmirror provide Red teaming assessment and static and runtime security analysis, API Testing |
| 23 | 25 | REs may also run automated VA scanning tools to automatically scan all systems on the network that are critical, public facing or store customer sensitive data on a continuous/ more frequent basis. | Bugsmirror provide RunLock, code lock and APILock for automated static and dynamic mobile app scanning |
| 24 | 26 | REs shall compare the results from earlier vulnerability scans to verify/ ascertain that vulnerabilities are addressed either by patching, implementing a compensating control, or documenting and accepting the residual risk with necessary approval and that there is no recurrence of the known vulnerabilities. The identified vulnerabilities should be fixed in a time-bound manner. | We offer it by Bugsmirror Defender as a threat mitigation solution after VAPT testing. |
| 25 | 29 | REs shall institute a mechanism to actively monitor for the non-genuine/ unauthorised/ malicious applications (with similar name/ features) on popular app-stores and the Web and respond accordingly to bring them down. | Bugsmirror Defender offers its by App cloning feature |
| 26 | 30 | The server at the RE’s end should have adequate checks and balances to ensure that no transaction is carried out through non-genuine/ unauthorised digital payment products/ applications and the authentication process is robust, secure and centralised. | |
| 27 | 31 | REs shall refer to standards such as OWASP-MASVS, OWASP-ASVS and other relevant OWASP standards, security and data protection guidelines in ISO 12812, threat catalogues and guides developed by NIST (including for Bluetooth and LTE security), for application security and other protection measures. Such testing has to necessarily verify vulnerabilities including, but not limited to OWASP/ OWASP Mobile Top 10, application security guidelines/ requirements developed/ shared by operating system providers/ OEMs. | Bugsmirror Defender helps with MASVS regulation |