The government is today setting out plans for a voluntary code of practice governing operators of app stores, and the developers of the applications they make available, that will strengthen consumer protections against malicious software.
In what Westminster claims is a world first, the measures will include better reporting standards for software vulnerabilities, and more transparency for users on the privacy and security of the apps they download.
The UK app market is worth billions of pounds, and millions of people across the country use apps daily on smartphones, gaming consoles and smart TVs for a wide range of activities, such as work, communication, entertainment and banking.
However, as things stand, a lack of rules governing the security of apps and the app stores where they are accessed is putting privacy and security at risk by enabling cyber criminals to use malware to steal data and money, and mislead users. The government has been trying to get the industry to act on this for some time.
It said that too often, consumers were unable to make informed choices when downloading an app because important information, such as who would have access to their data, or where said data might end up being stored or processed, was not easily and clearly available to them.
“More people are using apps to pay bills, play games and stay in touch with loved ones, with so much of our day-to-day activities now online,” said cyber minister Julia Lopez.
“Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy, but also protect people from fraud.
“We have already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.”
Having made a call for views on the issue earlier this year, Westminster is now asking the app industry to sign up to the code, which contains three core commitments:
- To have a clear vulnerability disclosure reporting process for researchers and ethical hackers to report vulnerabilities to their developers.
- To ensure security updates and patches are properly and quickly highlighted to consumers.
- To provide security and privacy information to users in a way that is clear and easy to understand.
Developers will also have to undertake to ensure their apps continue to work even if consumers disable optional functionality or permissions, such as access to the device camera or microphone, or geolocation data; and to keep their apps up to date to minimise the possibility of compromise.
Meanwhile, app store operators will have to put in place a “robust and transparent” vetting process to ensure only apps that meet the code’s minimum level of compliance are made available in the UK; and to provide clear feedback to developers if their apps are not published for privacy or security reasons.
The government acknowledged that many developers and app store operators already follow some of these requirements. Those that sign up will further be able to demonstrate their compliance by declaring this on their websites or app stores.
It will now begin work with developers and operators – in scope are companies including Amazon, Apple, Google, Epic Games, Huawei, LG, Microsoft, Nintendo, Samsung, Sony and Valve – to implement the code, which could take up to nine months. At the same time, the Department for Digital, Culture, Media and Sport (DCMS) will be working on the question of what current laws might be extended in future to cover apps and app stores, and whether it may be necessary to make the code legally binding.
Paul Maddinson, National Cyber Security Centre (NCSC) director of national resilience and strategy, commented: “Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and store operators take steps to protect users.
“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.”
Rocio Concha, Which? director of policy and advocacy, added: “Apps bring a lot of convenience to our everyday lives, but rogue apps making their way onto the biggest app stores are a security and privacy minefield – putting consumers at huge risk from data theft and scams.
“The government’s announcement of a new voluntary code is a positive step towards making apps more secure. The app market must now be monitored closely for improvements and to check whether tech firms are falling short in protecting consumers.”