UK to Place Security Requirements on App Developers and Store Operators

New proposals to establish security and privacy requirements for app store operators and developers have been published today by the UK government.

The code, which would be the first such measure enacted globally, would require app stores to have a vulnerability reporting process for each of their apps to ensure flaws can be found and fixed more quickly. In addition, app developers and store operators would be obliged to share more security and privacy information in an accessible way, such as explaining why an app requires access to users' contacts and location.

All app stores for smartphones, game consoles, TVs and other smart devices making apps available to UK users would be asked to commit to the new code of practice. This includes tech giants like Apple, Google, Amazon, Huawei, Microsoft and Samsung.

The Department for Digital, Culture, Media and Sport (DCMS) is now inviting the tech industry to consult on the new security and privacy requirements. This call for views will run for eight weeks until June 29 2022, after which the government will review the feedback and publish its response later this year.

The plans are designed to provide better protections for app users, whose numbers have grown significantly since the start of the COVID-19 pandemic. A report published today by the National Cyber Security Centre (NCSC) found that people's data and finances are at growing risk from apps: both fraudulent apps containing malware created by cyber-criminals and poorly developed apps with vulnerabilities that hackers are exploiting.

Additionally, a government review of app stores launched in December 2020 found that some developers fail to follow best security practices when creating apps, while well-known app stores do not share clear security requirements with developers.

UK Cyber Security Minister Julia Lopez commented: "Apps on our smartphones and tablets have improved our lives immensely – making it easier to bank and shop online and stay connected with friends.

"But no app should put our money and data at risk. That's why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age."

NCSC technical director Ian Levy said: "Our devices and the apps that make them useful are increasingly essential to people and businesses and app stores have a responsibility to protect users and maintain their trust. Our threat report shows there is more for app stores to do, with cyber-criminals currently using weaknesses in app stores on all types of connected devices to cause harm.

"I support the proposed Code of Practice, which demonstrates the UK's continued intent to fix systemic cybersecurity issues."

The proposals represent a component of the UK government's national cyber strategy, which aims to ensure digital products follow secure by design principles. This can be seen in the UK's Product Security and Telecommunications Infrastructure (PSTI) Bill, which is currently making its way through Parliament. This legislation will place new cybersecurity standards on manufacturers, importers and distributors of internet-connectable devices.
