Ensuring Mobile Security Compliance for Devices & Applications
As the use of mobile devices and applications becomes more widespread and integral, the need to secure these apps and devices against evolving threats has become vital. As a result, compliance regulations and standards have been developed to create security, consistency, and governance.
For business and government agencies around the world, complying with evolving, often overlapping regulatory mobile security standards and policies has never been more critical—or more difficult. Zimperium enables organizations to meet the leading industry and compliance standards.
Find out how Zimperium solutions help teams address these requirements.
PSD2 | Regulations for Payment Service Providers
The EU’s Payment Service Directive 2 (PSD2) was established to address several objectives, including standardizing rules around payment services, opening up payment markets to competition, and increasing the protection of consumers and their data.
The directive applies to payment service providers (PSPs) such as banks, processors, and FinTechs, and to merchants, and it covers electronic and other non-cash payments, including mobile and online payments. It also applies to payment services provided within the EU regardless of where the provider is based, so organizations outside the EU that serve EU customers fall within its scope.
The rules include strict security requirements for data protection, secure communication, and device and software integrity, and require that PSPs have mitigation mechanisms in place if the required security measures should fail. To comply with PSD2, PSPs and merchants need to establish stringent mobile app security standards.
Zimperium helps organizations meet PSD2's requirements for device and software integrity, secure communication, and data protection. It also supports PSD2's strong customer authentication (SCA) requirements, which limit the damage when a security measure elsewhere in the payment chain fails.
PCI | Security Standards for the Payment Card Industry
The Payment Card Industry Security Standards Council (PCI SSC) defines the security standards for payment account data worldwide. These standards cover cardholder data environments through the PCI Data Security Standard (PCI DSS), and software-based point-of-sale (SoftPOS) acceptance on consumer devices through three further standards:
- PCI Software-Based PIN entry on COTS (PCI SPoC), introduced in 2018
- PCI Contactless Payments on COTS (PCI CPoC), introduced in 2019
- PCI Mobile Payment on COTS (PCI MPoC), introduced in 2022
PCI DSS applies to any organization that accepts, processes, stores, or transmits payment card data. Mobile phones and tablets are now commonly used for contactless payments, authentication, and point-of-sale transactions, and PCI DSS applies to those uses as well.
The newest standard, MPoC, published by PCI SSC in November 2022, is designed to support the continued evolution of mobile payments and SoftPOS. MPoC is a modular, objective-based security standard intended to cover a range of payment acceptance solutions and consumer verification methods on commercial off-the-shelf (COTS) devices, allowing both PIN entry and contactless acceptance through the device's native interfaces. Because MPoC sets an attack-resistance threshold that a SoftPOS solution must meet under evaluation, solution developers need to choose their application-protection partner carefully.
Zimperium helps organizations secure mobile apps and devices so they can safeguard payment data and comply with the various PCI standards. Zimperium Mobile Threat Defense (MTD), formerly known as zIPS, protects mobile devices used for transactions against device-level intrusion, network-based (man-in-the-middle) attacks, unwanted application installs, and malware, helping you meet the mobile mandates of PCI DSS. Zimperium's Mobile Application Protection Suite (MAPS) enables developers to build mobile apps that are resistant to expert attacks. MAPS provides state-of-the-art code obfuscation, runtime application protection, white-box cryptographic key protection, app scanning, and device attestation capabilities, and is positioned to help SoftPOS application developers meet the mobile mandates of PCI SPoC, CPoC, and MPoC.
NERC | Critical Infrastructure Security Standard
North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards were established to regulate, monitor, and manage the security of the electric system in North America. It has grown increasingly commonplace for technicians to use mobile devices to service critical infrastructure. For NERC CIP compliance, these mobile devices should be considered endpoints, which means they need to be secured against a range of cyberattacks, including at the device, network, and application level.
With Zimperium solutions, utilities can effectively secure mobile apps and devices that are used to manage critical infrastructure. With Zimperium MTD teams can establish effective defenses against device, network, phishing, and malicious application threats. Just as next-generation antivirus solutions are employed to safeguard traditional endpoints, Zimperium MTD provides persistent, on-device protection for mobile devices and data. In addition, with Zimperium MAPS, teams can secure the mobile apps that are used to manage critical infrastructure.
ISO/SAE 21434 | Automotive Cybersecurity Standard
SAE International, in collaboration with the International Organization for Standardization (ISO), produced the ISO/SAE 21434 standard. Published in 2021, it is the first international standard dedicated to automotive cybersecurity. ISO/SAE 21434 sets out the engineering requirements for establishing cybersecurity in road vehicles: it defines requirements for cybersecurity processes and a common language for communicating about and managing cybersecurity risk. The standard applies to automotive components and interfaces and covers the design, manufacturing, maintenance, and end-of-life phases of a vehicle.
As the use of mobile devices and apps to control automobiles grows increasingly ubiquitous, the need to secure these devices is essential. Quite simply, if threat actors can attack a mobile device or app connected to a car, they can potentially gain access to the car.
Zimperium brings advanced security protections to the mobile devices and mobile apps used by drivers. The company’s solutions provide real-time, on-device, machine-learning-based protection on Android, iOS, and Chromebook platforms. These solutions are powered by z9, a mobile threat defense engine that uses machine learning to deliver protection against device, network, phishing, and malicious app attacks.
HIPAA | Requirement to Secure Private Health Information & Communications
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established in the U.S. to provide standards for safeguarding medical information. Healthcare organizations increasingly use mobile devices and applications to share and process medical data, and those devices and apps are exposed to a range of risks and threats. HIPAA's Security Rule is technology-neutral, but its administrative, physical, and technical safeguards apply fully to mobile devices and apps that create, receive, store, or transmit electronic protected health information (ePHI). To comply with HIPAA, organizations handling PHI must safeguard their mobile apps and ensure that end-user devices do not leave sensitive data exposed.
With Zimperium solutions, healthcare providers can effectively secure mobile apps and devices that manage PHI. With Zimperium MTD, teams can establish effective defenses against device, network, phishing, and malicious application threats. Just as next-generation antivirus solutions are employed to safeguard traditional endpoints, Zimperium MTD provides persistent, on-device protection for mobile devices and data. In addition, Zimperium’s Mobile Application Protection Suite (MAPS) helps organizations secure mobile apps throughout the application lifecycle, from app development through running on end user mobile devices.
EMVCo | Security for Software-Based Mobile Payments
EMVCo is responsible for managing specifications and testing programs that ensure card-based payment products work together seamlessly and securely. Today this includes chip specifications and the technologies that support contactless payments, QR codes, and more.
In 2018, EMVCo introduced the Software-Based Mobile Payment program, which tests mobile payment SDKs and wallets to ensure they meet security requirements covering the protection of code, payment assets, and cryptographic keys. The program requires a range of mechanisms, including advanced obfuscation, anti-tampering, runtime protection, and white-box cryptography. Only solutions that have been evaluated by an accredited security laboratory and validated by EMVCo are listed on the EMVCo website. By employing validated solutions, organizations gain assurance that the integrity and confidentiality of mobile payment applications and data will be protected.
Zimperium offers advanced, comprehensive solutions that enable vendors to address a wide range of EMVCo requirements for mobile payment solutions. For example, Zimperium zShield hardens and protects mobile apps against attackers trying to inspect code and find exploitable vulnerabilities. Zimperium zKeyBox uses white-box cryptography to protect keys and secrets within mobile applications. Finally, Zimperium zDefend enables teams to safeguard mobile apps against evolving attacks and keep them compliant with EMVCo requirements. zDefend is delivered as a highly configurable software development kit (SDK), so teams can embed Zimperium's machine-learning-based detection engine, z9, directly into their mobile apps.
NIST SP 800-124 | Government Guidelines for Managing the Security of Mobile Devices
Issued by the National Institute of Standards and Technology (NIST), Special Publication 800-124 offers guidelines for managing the security of mobile devices in the enterprise. Revision 1 appeared in 2013, and the final Revision 2 was released in 2023. The publication details the technologies and strategies that teams can use to safeguard against evolving threats, offering guidance on mobile devices, centralized device management, mobile threat defense, and endpoint protection technologies, and it addresses both organization-provided and bring-your-own-device (BYOD) scenarios.
SP 800-124 specifically recommends mobile threat defense solutions and application vetting to identify vulnerable and risky apps before they are deployed. With Zimperium's solutions, teams can establish strong defenses around mobile devices and mobile apps so they adhere to guidance such as SP 800-124. Zimperium zShield hardens and protects mobile apps against attackers trying to inspect code and find exploitable vulnerabilities; Zimperium zKeyBox uses white-box cryptography to protect keys and secrets within mobile applications; and Zimperium zDefend enables apps to protect themselves against evolving attacks.
For securing corporate- and employee-owned devices, Zimperium Mobile Threat Defense (MTD) offers dynamic on-device detection across all four mobile attack vectors: device compromise, network attacks (including man-in-the-middle and eavesdropping), malicious apps and malware, and phishing, in line with NIST guidance. Zimperium's Advanced App Analysis (z3A) increases visibility into mobile app vulnerabilities by vetting apps for the security and privacy risks they pose to an organization.
NDB | Australia’s Regulation for Protecting Personal Data
Since the introduction of Australia’s Privacy Act 1988, organizations that manage personal information must take all reasonable steps to prevent the unauthorized access or disclosure of that data. The Notifiable Data Breaches (NDB) requirement was introduced as an amendment to this rule, and provides detailed rules around the notification of affected individuals and the Office of the Australian Information Commissioner (OAIC) should any breach of personal data occur.
This kind of privacy regulation raises the stakes for organizations managing the personal information of Australians. In the event of a breach they face the negative publicity of forced disclosure, and an organization that fails to comply may face civil penalties, historically up to AU$2.1 million and raised substantially by amendments in late 2022. Mobile devices and applications increasingly handle sensitive personal information and are proving vulnerable to breaches, so establishing strong safeguards around mobile devices and apps is critical.
With Zimperium, organizations can establish robust security around their mobile apps and mobile devices that store or manage personal information. Zimperium’s Mobile Application Protection Suite (MAPS) enables teams to build secure and compliant mobile applications, combining comprehensive in-app protection with centralized threat visibility. With Zimperium MTD, security teams can leverage an advanced mobile threat defense solution that enables persistent, on-device protection on both corporate-owned and BYOD devices.
IRAP | Australian Program for Certifying Cybersecurity Assessors
The Information Security Registered Assessor Program (IRAP) provides a foundation for independently assessing a system's security against Australian government policies and guidelines. The assessment provides assurance over data security controls and procedures for federal, state, and local government entities, as well as critical infrastructure organizations. IRAP operates under the governance and administration of the Australian Cyber Security Centre (ACSC) and uses the Information Security Manual (ISM) as its source of specific guidance.
Zimperium initiated an IRAP assessment of its Mobile Threat Defense (MTD) solution hosted in a sovereign Australian data centre, enabling agencies and critical infrastructure organizations to adopt mobile threat defense capabilities that detect mobile compromises and protect data. Zimperium's investment in IRAP assessment underlines its commitment to supporting the Australian government's mobile cybersecurity capabilities. This is paired with Zimperium's investment in AGSVA-cleared specialists, a platform that aligns to the PROTECTED security classification, and a strong Australian partner ecosystem for delivering complex, integrated solutions to government agencies. Zimperium is reshaping mobile security for government, helping protect Australia's most sensitive data assets.
ISM | Cybersecurity Framework from Australia’s Government
The Information Security Manual (ISM) represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). The ISM's objective is to outline the cybersecurity mitigation strategies and controls that organizations can implement, in conjunction with their risk management framework, to protect their systems and data from cyber threats. Just as the Essential Eight (E8) mitigation strategies address Windows-based environments, the ISM's Guidelines for Enterprise Mobility acknowledge mobile device threats and recommend security controls for them.
Zimperium MTD closes the visibility gap on mobile, providing advanced detection capabilities beyond mobile device management (MDM) to identify and prevent mobile cyberattacks. Zimperium MTD enables organisations to better understand risk exposure and detect advanced exploits and attacks in a mobile-centric world. Powered by Zimperium’s On-Device Dynamic Engine, Zimperium MTD proactively:
- Analyses an organisation’s fleet of devices for misconfigurations (risk) and compromises
- Assesses all networks that personnel are connecting to
- Filters out unwanted or unapproved content categories and blocks phishing attacks from any vector (e.g., SMS, WhatsApp, Messenger) – not just email
- Vets iOS and Android mobile apps for security, privacy, and malware
These capabilities allow for alignment to the ISM’s 40+ mobility security controls and for a structured risk-based approach to ACSC mobile compliance.
GDPR | EU’s Regulation for Protecting Personally Identifiable Information
The EU's General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection and processing of personal data (the EU term for what is often called personally identifiable information, or PII, elsewhere). The GDPR sets out principles for data management and the rights of the individual, and it holds organizations accountable by imposing fines for non-compliance. To ensure compliance, any mobile devices and applications that store or process personal data must be secured against exposure and theft.
Zimperium MTD is an advanced mobile security solution that provides persistent, on-device protection on both corporate-owned and BYOD devices. The Mobile Application Protection Suite (MAPS) from Zimperium helps organizations build secure and compliant mobile applications and protect those apps while they run on end users' mobile devices.
FedRAMP | Federal Government Certifications for Cybersecurity Vendors
Established in 2011, the Federal Risk and Authorization Management Program (FedRAMP) is focused on empowering federal government agencies to take a risk-based, cost-effective approach to adopting and using cloud services. FedRAMP offers a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
As federal agency employees continue to grow increasingly reliant upon their mobile devices to perform their daily responsibilities, the need to establish strong mobile threat defenses is paramount. To address this demand while maximizing efficiency and agility, it is more critical than ever to employ cloud-based mobile threat defense solutions that are FedRAMP approved.
Zimperium was the first mobile threat defense provider to be granted a FedRAMP Authority to Operate (ATO). Zimperium's mobile endpoint security solutions for federal agencies are deployed on AWS GovCloud infrastructure. With Zimperium solutions, federal agencies can establish effective defenses against device, network, phishing, and malicious application threats. Because detection runs on the device itself, these solutions can identify threats even when the device has no connection to a trusted network, for example while it is subject to a man-in-the-middle attack or joined to a rogue access point.