Scheme: A scheme is a formal system with strict rules, processes, and certification to ensure compliance. For MAC, it defines the official standards for mobile app security.
Guideline: A guideline is advisory. It gives examples, tips, and best practices to help developers follow the scheme more effectively.
Analogy: Think of a scheme as the driving licence system (rules, tests, certification). A guideline is the driving handbook that helps you understand how to drive safely.
App stores (Google Play & Apple) mainly check for policy compliance and scan for obvious threats. These checks do not guarantee your app meets national security standards.
MAC Certification goes deeper:
Analogy: App store checks are like immigration control at the airport (basic ID verification). MAC is like customs inspection (thorough security audit).
Both improve app security, but they serve different purposes:
| Category | Mobile Penetration Testing (MPT) | MAC Certification |
|---|---|---|
| Objective | Find vulnerabilities through simulated attacks. | Prove compliance with certified security standards. |
| Approach | Red Team testing and runtime analysis. | Formal structured assessment by a certified lab. |
| Deliverable | Developer vulnerability report. | Official ISCB Certification Letter & audit checklist. |
| Recognition | Internal or organizational level. | National-level recognition (by CSM). |
| Use Case | Improves internal DevSecOps & reduces risk. | Enables compliance, public trust & eligibility for tenders. |
No. The MAC Scheme is not a full penetration test.
It includes penetration-like elements (e.g., code analysis, vulnerability checks), but the process is:
A full penetration test is open-ended and adversarial, while MAC is compliance-driven.
App updates are reviewed to ensure security compliance is maintained. A yearly re-test is mandatory.
Update Process: