Tech industry asked for feedback on measures to make the app market safer and more secure

DCMS Call for Views on plans to improve the security and privacy of apps and app stores.

Although millions of people use apps every day to shop, bank and make video calls, and the UK app market is worth £18.6 billion, there are few rules governing the security of the technology itself, or the online stores where the apps are sold.

The National Cyber Security Centre’s new report on the threats in application stores highlights that people’s data and money are at risk because of fraudulent apps with malicious malware created by cyber criminals or badly developed apps with software vulnerabilities that can be easily exploited by hackers. Therefore, to provide better protection for consumers, the government is calling for views from the tech industry on enhanced security and privacy requirements for both firms running app stores and developers making apps.

Under the new proposals, developers and app stores (for smartphones, game consoles, TVs and other smart devices) could be asked to commit to a new Code of Practice which will set out the baseline requirements for security and privacy.  To help ensure that app flaws can be found and fixed faster, the Code of Practice would require stores to have a vulnerability process for each app. They would also need to share security and privacy information in an accessibly way (including why an app needs access to users’ contacts and location).

This Call for Views – which runs until Wednesday 29 June 2022 – is part of the UK Government’s National Cyber Strategy and sits alongside other tough safeguards for the use of internet-connected devices. The intent is for the consultation document to be the beginning of a much more extensive dialogue between government, industry and international partners to ensure users can securely benefit from apps and make informed decisions on the permissions that they grant to apps.

The document sets out the relevant wider government activities that the proposals made feed into and align with, such as the Product Security and Telecommunications Infrastructure Bill, the National Data Strategy, GDPR, the Online Safety Bill and work to address potential imbalances in digital markets; the benefits and risks associated with the app ecosystem; the regulatory landscape and relevant antitrust cases; and the findings of DCMS’s review into app security and privacy.  

More on the proposed interventions

Although potential changes in the regulatory landscape (outlined in the document) are expected or indeed changes to the app ecosystem could happen, there are four key objectives that government wants to achieve for apps:

  1. Security (and privacy) is prioritised, thereby reducing the threat from malicious apps.
  2. Security and privacy information is clearly communicated and accessible to app users.
  3. Any future regulation that changes the app ecosystem should understand the impact of cyber security.
  4. Vulnerabilities, when detected in apps, are easily reported and quickly resolved to minimise the risk to users.

Government considered the above objectives alongside the following areas when developing the proposed interventions to determine if they would address the issues: effectiveness and measurability; burden on affected stakeholders; barriers to implementation; consistency with international approaches; and equity and impact (on consumers/competition impact on the market.

The Code of Practice

The main intervention that government is initially proposing is a voluntary Code of Practice which sets out practical steps for all app store operators and developers to protect users. This Code would then provide government with an opportunity to mandate the requirements at some point in the future if the risks from malicious/vulnerable apps can’t be mitigated through stakeholder action, of if the risk and threat landscape evolves such that this is necessary.

Although voluntary, the government would seek to put incentives in place to encourage adherence to the seven principles set out in the Code. Those principles are:

  1. Ensure only legitimate apps that meet security and privacy best practice are allowed on the app store.
  2. Implement vulnerability disclosure processes.
  3. Keep apps update to protect users.
  4. Provide important security and privacy information to users in an accessible way.
  5. Enterprise app stores shall be secured where provided.
  6. Promote security and privacy best practice to developers.
  7. Provide upfront and clear feedback to developers by app stores.  

The document also sets out accompanying interventions associated with the Code and the importance of international cooperation in app security so that app store operators are not burdened with having to tail their platforms and practices for many different countries.

You can access the full consultation document here.

techUK will be submitting a response to this Call for Views on behalf of members, so if you would like to provide input to this, please get in touch with Jill Broom via [email protected]

We are hosting a roundtable for members with DCMS on this Call for Views on Thursday 9 June - sign up to attend here!

Jill Broom

Jill Broom

Head of Cyber Resilience, techUK

Raya Tsolova

Senior Programme Manager, techUK