The voluntary code of practice for app developers and operators will protect the UK’s app market, with the mobile app market alone generating more than £74 billion in revenue last year.
The new measures include requiring apps to have a process so that security experts can report software vulnerabilities to developers, making sure security updates are highlighted properly to users and that security and privacy information is provided to users in a clear and easy-to-understand way.
“Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy but also protect people from fraud,” says cyber minister Julia Lopez. “We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.”
The government will work with operators and developers to support them with implementing the voluntary code over a nine-month period. This includes companies such as Apple, Google, Amazon, Huawei, Microsoft, LG, Epic Games, Nintendo, Valve, Sony and Samsung.
Alongside this, DCMS will work to explore what current laws could be extended to cover apps and app stores and whether regulation is needed to mandate the code in the future.
Under the code, app store operators and developers will need to:
- Share security and privacy information in a user-friendly way with consumers. Examples include when an app is made unavailable on an app store, when an app was last updated and the locations where users’ data are stored and processed for each app.
- Allow their apps to work even if a user chooses to disable optional functionality and permissions, such as preventing the app accessing a microphone or knowing a user’s location.
- Have a robust and transparent app vetting process in place which ensures only apps which meet the code’s minimum security and privacy rules are published on their stores.
- Provide clear feedback to developers when an app is not published on their store for security or privacy reasons.
- Have a vulnerability disclosure process in place, such as a contact form, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit.
- Ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.
Many developers and operators already follow some of these requirements and those which adopt the code will be able to demonstrate they’re following its principles by declaring this on their company website, app website or app store.
The government is collaborating with international partners to develop international support for the code and will explore the possibility of creating an international standard for apps and app stores.
The new voluntary rules are part of the government’s £2.6 billion National Cyber Strategy which aims to protect and promote the digital economy, strengthen the UK’s cyber resilience and ensure businesses have the best security standards in place to protect their users.