The UK government is asking the app industry to sign up to a new voluntary code of practice which is supposed to bolster security and privacy requirements on all apps and app stores available in the UK.
It claims that there is a ‘lack of rules governing the security of apps’, which means apps riddled with filthy malware can be installed on people’s phones and leave them open to subsequent data and money theft. That prompted it to launch a ‘call for views’ earlier in the year on potential new rules to try and put a stop to all that.
As well as malware, the government also claims many people often do not know what data they are handing over and what is being done with it when they install some apps, which is no doubt true.
The government has apparently been reviewing app stores since December 2020, and has concluded that some developers are not following ‘best practice in developing apps’ while app stores ‘do not share clear security requirements with developers.’
The culmination of its pontificating and a period of listening to the views of anyone that offered them is a more fleshed-out set of guidance for anyone involved in selling apps. They are published in full here, but a summarised version of what firms will be asked to do is below:
- Share security and privacy information in a user-friendly way with consumers
- Allow their apps to work even if a user chooses to disable optional functionality and permissions
- Have a robust and transparent app vetting process in place which ensures only apps which meet the code’s minimum security and privacy rules are published on their stores
- Provide clear feedback to developers when an app is not published on their store for security or privacy reasons
- Have a vulnerability disclosure process in place, such as a contact form
- Ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps
“More people are using apps to pay bills, play games and stay in touch with loved ones, with so much of our day-to-day activities now online,” said Cyber minister Julia Lopez. “Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy but also protect people from fraud. We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.”
Paul Maddinson, NCSC Director of National Resilience and Strategy added: “Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and store operators take steps to protect users. By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.”
This is all voluntary at the moment, and presumably app platforms and developers would say they are doing a lot of what is described already – it’s not as if the sector is a total wild west after all.
The government says it will work with operators and developers to support them with implementing the voluntary measures over a nine-month period, and says that includes companies such as Apple, Google, Amazon, Huawei, Microsoft, LG, Epic Games, Nintendo, Valve, Sony and Samsung.
So presumably it has already had some sort of conversation with those firms, unless it is just namechecking some big platforms in the space. Those that do step forward and adhere to the new rules will be allowed to declare they are doing so on their website or app – which might provide some form of minor motivation we suppose. The government is apparently talking to other countries about creating an international standard, proof of adherence to which would of course be a more significant thing to brag about. How easy it would be to set up is something else, though.
Of course, while this is all voluntary it can’t really be said to be anything more than encouraged guidance. However, the DCMS is also exploring which current laws could be extended to cover apps and app stores, and whether regulation is needed to mandate the code in the future. In other words, does all this need to be enforced for it to be effective? If the conclusion comes back as yes, that’s where this will all get a bit more real.
Taking measures to stop malware sneaking onto people’s phones is a goal that’s easy to get behind. However, there is an underlying worry whenever the government piles into things which it seems ill-equipped to understand on a very deep level, and if the debacle around the Covid Track and Trace app is anything to go by, that includes the dynamics of the app sector.