
The Mobile Application Certification (MAC) Scheme is developed to strengthen the security posture of mobile applications across government, critical infrastructure, and commercial sectors in Malaysia. It provides formal assurance that an application has been assessed against defined security requirements, helping organisations reduce risks associated with data leakage, unauthorised access, and exploitation. This scheme ensures that mobile apps align with globally recognised standards, such as OWASP MASVS and NIST. Certification outcomes are based on structured evaluation levels, allowing app developers and owners to demonstrate their security readiness based on risk profile and intended use. By achieving MAC certification, organizations demonstrate their commitment to delivering trusted, resilient, and secure digital services — helping to build user confidence and support national cybersecurity goals.
Objective
The MAC Scheme aims to:
- Provide a trusted certification scheme that improves mobile app security, protects user data, and builds digital trust by applying internationally recognized mobile security standards.
- Mitigate security risks and vulnerabilities by enforcing rigorous testing and evaluation processes to identify and address potential threats before mobile applications are deployed in both public and private sectors.
- Encourage app developers to support regulatory compliance and industry best practices by adhering to clear guidelines for mobile application security, ensuring alignment with Malaysia’s cybersecurity policies (Cyber Security Act 2024) and international security standards.
- Enhance consumer trust and confidence in mobile applications by providing a standardized certification framework that validates security measures and safeguards user data.
- Set a national benchmark for app security and help consumers identify trusted applications, building a safer digital ecosystem for the future.
Certification Levels



The MAC Scheme offers three progressive levels of security assurance, tailored to the sensitivity of mobile app functions and data handling. Each level increases in depth, especially in categories such as authentication and financial transactions.
| Level | Description | Target Apps |
|---|---|---|
| Level 1 (L1) | Basic assurance — verifies minimal security requirements. No user login, authentication, or transaction handling involved. | Informational apps, low-risk apps |
| Level 2 (L2) | Intermediate assurance – includes L1 tests + additional focus on authentication and session management. | Apps requiring login, personal data handling |
| Level 3 (L3) | High assurance – includes L1 and L2 + comprehensive security tests, including full Transaction Security validation. | Financial, government, or high-risk/critical apps |
Note: Government apps may fall under different certification levels depending on their purpose and the type of data they handle. An app may qualify for Level 1 if it only provides public information, doesn’t require user login, and poses little risk if compromised. On the other hand, an app may qualify for Level 3 if it handles sensitive data such as IC numbers or health records, involves financial transactions or digital identity, or supports critical national services where a security breach could cause serious consequences.
Summary of Certification Levels
| | Level 1 | Level 2 | Level 3 |
|---|---|---|---|
| Security Depth | Basic | Intermediate | Advanced |
| Who Should Apply | Public service info apps, promotional apps | Apps handling personal info (e.g., health, education) | Apps with financial, governmental, or critical operations |
How to Get Certified
To begin your MAC evaluation, please contact us at
In no event will CyberSecurity Malaysia be liable for any loss or damage, including without limitation indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits, resulting from the use of or in any way connected with the provision of the Services by CyberSecurity Malaysia.


