Government Sets Out New Rules to Enhance App Security
The UK government has thrown down the gauntlet to app store operators and developers, requesting they sign up to a voluntary code of conduct designed to enhance user security and privacy.
In what it described as a “world-first” today, the Department for Digital, Culture, Media and Sport (DCMS) said the rules would help to reduce consumers’ exposure to malicious and bug-ridden apps.
The code will stipulate that app store operators and/or developers:
- Share security and privacy information in a user-friendly way with consumers, such as where user data is stored and when the app was last updated
- Allow their apps to work even if a user chooses to disable optional functionality and permissions, such as location tracking
- Have a “robust and transparent” vetting process to ensure only apps that meet a minimum security and privacy baseline are published
- Provide clear feedback to developers when an app is not published on their store for security or privacy reasons
- Have a vulnerability disclosure process, such as a contact form
- Ensure developers keep their apps up to date to reduce the number of vulnerabilities
The government acknowledged that many app store operators and developers already adhere to many of these rules. However, it will also look at where current laws may need to be tweaked and/or where regulation is needed to improve security in the industry.
Over the coming nine months, the DCMS will work with companies such as Apple, Google, Amazon, Huawei, Microsoft, LG, Epic Games, Nintendo, Valve, Sony and Samsung to help them implement the code.
“Apps bring a lot of convenience to our everyday lives, but rogue apps making their way onto the biggest app stores are a security and privacy minefield – putting consumers at huge risk from data theft and scams,” argued Which? director of policy and advocacy, Rocio Concha.
“The government’s announcement of a new voluntary code is a positive step towards making apps more secure. The app market must now be monitored closely for improvements and to check whether tech firms are falling short in protecting consumers.”
Although designed for consumers, the new rules could also enhance corporate security by ensuring BYOD devices are better insulated from app-based risks. However, threats may persist from some third-party app stores hosted outside the UK.