IT Security Guidelines for Mobile Apps

The IT Security Guidelines for Mobile Apps of the National Cyber Security Centre of the Netherlands (NCSC-NL) help develop, maintain and publish apps for mobile devices more securely.

These guidelines are developed based on the SSD Standards for Mobile Apps by the Centre for Information Security and Privacy Protection (CIP). In this co-operation, the NCSC guidelines and CIP standards have been harmonised, making both publications identical to each other. The IT Security Guidelines for Mobile Apps are structured using the SIVA framework, similar to the IT Security Guidelines for Web Applications. The SIVA framework comprises three Domains for which guidelines are prescribed:

  • Policy Domain
  • Implementation Domain
  • Control Domain

For the guidelines for mobile apps, only the Implementation Domain is provided. The Policy and Control Domains from the IT Security Guidelines for Web Applications are also applicable to mobile apps. The NCSC will publish the Policy and Control Domains for Secure Software Development as a separate, application-independent product.

When the application on the server side of the app is a web application, these guidelines for mobile apps can be incorporated seamlessly into the guidelines for web applications, as the fifth Implementation Domain. The Policy and Control Domains are applicable to the full application landscape.