SEBI CSCRF Guidelines
SEBI CSCRF Guidelines: Mobile Application Security (Page- 102)
The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) places strong emphasis on Mobile Application Security due to the increasing reliance of SEBI-registered entities (REs) on mobile platforms for customer onboarding, transactions, and service delivery. Mobile applications have become a primary attack surface for cyber threats such as malware, reverse engineering, credential theft, fraud, and unauthorized access. Any compromise at the mobile layer can directly impact customer trust, financial integrity, and market stability.
SEBI-registered REs are required to follow these guidelines to ensure confidentiality, integrity, and availability of sensitive financial and personal data handled through mobile applications. The CSCRF mandates the implementation of preventive, detective, and corrective security controls to reduce cyber risk, prevent fraud, and strengthen overall resilience against evolving threats. Compliance is not optional; it is a regulatory requirement aimed at standardizing security posture across the ecosystem, minimizing systemic risk, and ensuring preparedness against cyber incidents. Failure to adhere to these guidelines may result in regulatory observations, audit findings, and potential enforcement actions by SEBI.
| S. No. | CSCRF Guidelines | Checks present with Bugsmirror MASST |
|---|---|---|
| a. | The mobile application shall perform root detection and root cloaking detection. The application shall not work on emulators or virtual devices. | 1. Root detection 2. Root cloaking 3. Emulators 4. Virtual devices |
| b. | Device Policy enforcement such as detection of developer option, USB debugging, Mock Location, time settings manipulation, etc. shall be configured. | 1. Developer option, 2. USB debugging, 3. Mock Location, 4. Time settings manipulation, |
| c. | Mobile application shall check new network connections or connections for unsecured networks like VPN connection, proxy and unsecured Wi-Fi connections. | 1. VPN connection, 2. Proxy 3. Unsecured Wi-Fi connections |
| d. | Mobile applications shall have anti-malware capabilities covering application spoofing, RAT, screen mirroring, overlay malwares, key loggers, tap jacking, etc. | 1. Application spoofing 2. Screen mirroring 3. Overlay malware 4. Key loggers 5. Tap jacking |
| e. | Controls to prevent reverse engineering and application tampering shall be implemented in the mobile applications. These controls shall also validate the signature during runtime for authenticity of the application. | 1. Reverse engineering prevention 2. Application tampering prevention 3. Validate the signature during runtime for authenticity of the application |
| f. | Mobile application shall perform checksum validation and the checksum of applications shall be published in public domain. | Checksum validation (Will be done through Bugsmirror Shield) |
| g. | Mobile application shall identify the presence of active remote access, screen mirroring,active voice call,alert users, etc.to prevent online frauds. | 1. Screen mirroring, 2. Active voice call |
| h. | OWASP –MASVS shall be referred for implementing mobile application security and other protection measures. | Bugsmirror Solutions are built for fulfilling OWASP -MASVS guidelines. |