The UK government is requesting that the app industry sign up to a new code of practice to boost security and privacy requirements on all apps and app stores available in the UK. The voluntary code of practice follows a public call for views from earlier this year and includes requiring app companies to implement effective software vulnerability reporting processes.
The UK government’s Department for Digital, Culture, Media, and Sport (DCMS) said it will work with leading operators and developers including Apple, Google, and Amazon to support them with implementing the voluntary code over a nine-month period. It will also explore what current laws could be extended to cover apps and app stores and whether regulation is needed to mandate the code both in the UK and overseas.
App store operators, developers must have clear vulnerability disclosure processes
According to a DCMS press release, under the code, app store operators and developers will be required to:
- Share security and privacy information in a user-friendly way with consumers. Examples include when an app is made unavailable on an app store, when an app was last updated, and the locations where users’ data are stored and processed for each app.
- Allow their apps to work even if a user chooses to disable optional functionality and permissions, such as preventing the app accessing a microphone or knowing a user’s location.
- Have a robust and transparent app vetting process in place which ensures only apps which meet the code’s minimum security and privacy rules are published on their stores.
- Provide clear feedback to developers when an app is not published on their store for security or privacy reasons.
- Have a vulnerability disclosure process in place, such as a contact form, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit.
- Ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.
Whilst many developers and operators already follow some of these requirements, those which adopt the code will be able to demonstrate they’re following its principles by declaring this on their company website, app website or app store, DCMS added.
App developers, operators must take steps to protect users
Commenting on the new code of practice, cyber minister Julia Lopez said, “More people are using apps to pay bills, play games, and stay in touch with loved ones, with so much of our day-to-day activities now online. Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy but also protect people from fraud. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.”
Paul Maddinson, director of national resilience and strategy at the UK’s National Cyber Security Centre (NCSC), added that as devices and apps become increasingly essential to everyday life, it’s important that developers and store operators take steps to protect users. “By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.”