On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.
Driving force behind the consultation
The proliferation of apps (both in terms of variety of devices utilising them, as well as the various methods of downloading them) and the associated security risks were the driving force behind the call for views.
A review conducted by the government between December 2020 to March 2022 reveals that the key risks lie in the threat of malicious and insecure apps and the failures in meeting security and privacy best practices by some developers.
This review found that there are still a significant number of apps available to everyday users that are either insecurely developed or purposely malicious. The conclusions drawn from the review were that:
- developers are likely to not be following best practices when developing apps.
- all app stores share a common threat profile (with malware inside apps being the most prevalent risk).
- finally, that app store operators are not working with developers to signpost requirements or provide feedback when they reject apps.
Potential interventions
To tackle the above risks, the government is therefore consulting on a set of proposed measures which are: “proportionate, pro-innovation and future-facing”. The consultation forms part of the government’s National Cyber Strategy (here), aiming to protect and promote the UK online, and ensure citizens are secure and confident their data is protected.
The government noted that the more effective way of protecting users at scale would be by targeting the app stores and therefore, the main measure proposed by the government is a voluntary code of practice for app store operators and developers. Examples of requirements forming part of the proposed code of practice include:
- Apps store operators to have robust vetting processes in place for approving app submissions and remove apps that are identified as malicious.
- Every app to have a vulnerability disclosure process.
- Developers to keep apps updated to patch security vulnerabilities.
- Important security and privacy information to be presented in an accessible way.
- App stores to promote security and privacy best practices to developers.
Other supplementary measures include further tools and guidance from the UK Information Commissioner’s Office and building international consensus.
The government is particularly keen to gather views from developers on the reviews/feedback received when submitting or updating applications on different app stores.
Next Steps
The consultation runs until 29 June 2022 and depending on feedback, the code of practice could be issued later in 2022.