UAE Mobile Banking Security Mandates & CBUAE Controls
Regulator: UAE Central Bank (CBUAE)
Overview
The UAE Central Bank has established stringent mobile banking security requirements for licensed financial institutions. Banks and fintechs operating in the UAE must implement robust runtime protection, device binding, secure communications, and fraud detection capabilities across their mobile banking applications. MobAIsec maps APK assessments directly against CBUAE mobile security controls and MASVS categories to provide audit-ready governance evidence.
Mobile App Security Requirements
- Multi-factor authentication with step-up for high-risk transactions
- Certificate pinning and TLS 1.2+ for all API communications
- Root/jailbreak detection with graduated response policies
- Secure local storage with hardware-backed key protection
- Anti-tampering and integrity verification at runtime
- Screen capture and overlay attack prevention for sensitive flows
- Device binding and session management controls
- Comprehensive audit logging without PII exposure
Fraud Control Requirements
- Real-time behavioral analytics for transaction anomalies
- Device fingerprinting and trusted device enrollment
- Geolocation and velocity checks for authentication events
- SIM swap and call forwarding detection
- Biometric liveness detection for high-value transfers
MASVS Governance Mapping
| MASVS Control | Regulatory Requirement |
|---|---|
| MASVS-STORAGE-1 | Sensitive data encrypted at rest using platform keystore |
| MASVS-NETWORK-1 | All network traffic encrypted; no cleartext endpoints |
| MASVS-PLATFORM-2 | Root detection with appropriate risk-based responses |
| MASVS-CODE-3 | Anti-tampering and integrity checks implemented |
| MASVS-RESILIENCE-1 | Overlay attack detection for payment screens |
Common Violations
- Cleartext HTTP endpoints in production builds
- Missing or bypassable root detection
- Hardcoded API keys or secrets in APK
- Insufficient SSL pinning coverage
- Debuggable or backup-enabled release builds
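A manifest-level check for the cleartext, debuggable/backup and pinning-coverage items in the list above, as an added example that is not MobAIsec's own code: it assumes the APK's AndroidManifest.xml has already been decoded to text (for instance with apktool) and runs against two constructed sample manifests.

```python
from typing import List, Optional
import xml.etree.ElementTree as ET
# Android attributes live in this namespace; element names (application, uses-sdk) do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def manifest_findings(manifest_xml: str, target_sdk: Optional[int] = None) -> List[str]:
    """Manifest-level findings from the Common Violations list above. manifest_xml is a
    decoded AndroidManifest.xml (e.g. apktool output); target_sdk overrides <uses-sdk>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return ["no <application> element in manifest"]
    uses_sdk = root.find("uses-sdk")
    if target_sdk is None and uses_sdk is not None and uses_sdk.get(ANDROID_NS + "targetSdkVersion"):
        target_sdk = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion"))

    def attr(name, default=None):
        return app.get(ANDROID_NS + name, default)
    findings = []
    # Platform default is false; an explicit true ships a debuggable release.
    if attr("debuggable", "false") == "true":
        findings.append("android:debuggable=true (debuggable release build)")
    # Platform default is true, so a hardened build must set it to false explicitly.
    if attr("allowBackup", "true") == "true":
        findings.append("android:allowBackup not false (backup-enabled build)")
    # Cleartext is permitted by default below targetSdk 28 and blocked from 28 on.
    cleartext = attr("usesCleartextTraffic")
    if cleartext == "true" or (cleartext is None and target_sdk is not None and target_sdk < 28):
        findings.append("cleartext HTTP traffic permitted")
    # Without a network security config there is no declarative pin set at all.
    if attr("networkSecurityConfig") is None:
        findings.append("no android:networkSecurityConfig (no declarative certificate pins)")
    return findings


# Constructed sample manifests (not from any real app): a weak build and a hardened one.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:targetSdkVersion="27"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".TransferActivity"/>
  </application>
</manifest>"""
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:targetSdkVersion="34"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false"
      android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".TransferActivity"/>
  </application>
</manifest>"""
```

Hardcoded secrets and pinning completeness still need code and resource analysis; this check only covers what the manifest itself declares.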
Recommended Protections
- Deploy RASP with runtime integrity monitoring
- Implement certificate pinning with backup pin rotation
- Enable FLAG_SECURE on all sensitive activities
- Use hardware security module integration for key storage
- Establish continuous governance scanning in CI/CD pipeline
Frequently Asked Questions
What are the UAE Central Bank mobile banking security requirements?
CBUAE requires licensed institutions to implement strong authentication, encryption, fraud detection, and runtime protection in mobile banking apps. Requirements span network security, data protection, device trust, and incident response readiness.
How does MobAIsec assess UAE compliance?
MobAIsec analyzes APK artifacts against CBUAE control mappings, MASVS categories, and banking fraud control frameworks, producing governance scores and remediation evidence suitable for audit review.