Skip to main content

SEBI CSCRF Guidelines

SEBI CSCRF Guidelines: Mobile Application Security (Page- 102)

The SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) places strong emphasis on Mobile Application Security due to the increasing reliance of SEBI-registered entities (REs) on mobile platforms for customer onboarding, transactions, and service delivery. Mobile applications have become a primary attack surface for cyber threats such as malware, reverse engineering, credential theft, fraud, and unauthorized access. Any compromise at the mobile layer can directly impact customer trust, financial integrity, and market stability.

SEBI-registered REs are required to follow these guidelines to ensure confidentiality, integrity, and availability of sensitive financial and personal data handled through mobile applications. The CSCRF mandates the implementation of preventive, detective, and corrective security controls to reduce cyber risk, prevent fraud, and strengthen overall resilience against evolving threats. Compliance is not optional; it is a regulatory requirement aimed at standardizing security posture across the ecosystem, minimizing systemic risk, and ensuring preparedness against cyber incidents. Failure to adhere to these guidelines may result in regulatory observations, audit findings, and potential enforcement actions by SEBI.

S. No.CSCRF GuidelinesChecks present with Bugsmirror MASST
a.The mobile application shall perform root detection and root cloaking detection. The application shall not work on emulators or virtual devices.1. Root detection
2. Root cloaking
3. Emulators
4. Virtual devices
b.Device Policy enforcement such as detection of developer option, USB debugging, Mock Location, time settings manipulation, etc. shall be configured.1. Developer option,
2. USB debugging,
3. Mock Location,
4. Time settings manipulation,
c.Mobile application   shall check new   network   connections   or   connections   for unsecured networks like VPN connection, proxy and unsecured Wi-Fi connections.1. VPN connection,
2. Proxy
3. Unsecured Wi-Fi connections
d.Mobile applications shall have anti-malware capabilities covering application spoofing, RAT, screen mirroring, overlay malwares, key loggers, tap jacking, etc.1. Application spoofing
2. Screen mirroring
3. Overlay malware
4. Key loggers
5. Tap jacking
e.Controls   to   prevent   reverse   engineering   and application tampering   shall   be implemented   in   the mobile applications. These   controls shall   also   validate   the signature during runtime for authenticity of the application.1. Reverse   engineering prevention
2. Application tampering prevention
3. Validate   the signature during runtime for authenticity of the application
f.Mobile application   shall   perform   checksum   validation   and   the   checksum   of applications shall be published in public domain.Checksum validation (Will be done through Bugsmirror Shield)
g.Mobile application   shall   identify the presence   of   active   remote   access,   screen mirroring,active voice call,alert users, etc.to prevent online frauds.1. Screen mirroring,
2. Active voice call
h.OWASP –MASVS shall be referred for implementing mobile application security and other protection measures.Bugsmirror Solutions are built for fulfilling OWASP -MASVS guidelines.