Consultation outcome

App security and privacy interventions

Updated 9 December 2022

Foreword

Julia Lopez MP, Minister of State for Media, Data and Digital Infrastructure

Apps play an increasingly important role in everyday life, from managing your finances to catching up with friends and family. Thanks to apps, a world of functionality can be accessed from a single device, anywhere and at any time: whether from a mobile phone out in public or on a smart TV in the comfort of your home. Apps have helped us stay connected with our loved ones and continue working during the COVID-19 pandemic. In a time of great uncertainty, apps have allowed businesses to continue functioning as well as opening the virtual doors for new enterprises. This has increased our reliance on apps, as well as the app stores where we access them.

Given this reliance, it’s vital that apps are secure, to protect the data and privacy of individuals and organisations. Developers therefore have a responsibility to ensure that they are creating apps with appropriate security and privacy. App stores can also serve as trusted digital marketplaces, as long as they have the right processes to check that apps are not a risk to users’ security and privacy. While many app stores have vetting and review processes, malicious and insecure apps continue to make it onto some stores. Given our growing reliance on apps, we need to ensure that we are managing the risks if we are to securely reap the many benefits of apps and app stores.

A key ambition of our new National Cyber Strategy, published in December 2021, is to ensure citizens are more secure online and confident their data is protected. This work will help deliver this through improving the practices of major providers of digital services, specifically app store operators (as well as developers). Additionally, as set out in the Plan for Digital Regulation, we will ensure our overall approach to governing digital technologies is proportionate and supports growth and innovation within the sector. The Government will also ensure that developments in this area coordinate and mutually reinforce other work associated with app security and privacy.

The interventions suggested in this document include a voluntary Code of Practice for App Store Operators and Developers that is intended as a first step. Other options we could take forward if needed in the future, include certification for app store operators and regulating aspects of the Code to help protect users. These proposals link into the National Cyber Strategy through requiring providers of digital services to meet appropriate standards of cyber security and developing frameworks to secure future technologies.

Guided by the Plan for Digital Regulation’s focus on coherence, these proposals complement work that is already happening across Government to help protect users that rely on various digital services and technology. This includes the Online Safety Bill which will ensure that the UK is the safest place in the world to be online while defending free expression and the Product Security and Telecommunications Infrastructure Bill, which will protect the security of consumer connectable products, and their users.

The Government is also creating the pro-competition regime for digital markets, which will introduce new rules to ensure digital consumers and businesses are treated fairly and level the playing field so that new and innovative tech firms can flourish. The Competition & Markets Authority’s market study into Apple and Google’s mobile ecosystems and their interim report published on 14 December 2021 will inform the design of the new pro-competition regime for digital markets.

I welcome your views on the proposed interventions set out in this document. Your views will help shape UK Government policy over the coming years and allow both consumers and businesses to reap the many benefits from apps. This will help make the UK a stronger and more secure place for people and businesses.

Julia Lopez MP

Minister of State for Media, Data and Digital Infrastructure

Department for Digital, Culture, Media and Sport

Executive summary

Apps are increasingly essential to everyday life as they provide users with the ability to access important services using various devices, such as smartphones, game consoles, fitness devices and smart TVs. They can be downloaded through various methods, including from app stores operated by either the official software supplier or manufacturer of a device and those operated by third parties. It’s vital that apps are built to security and privacy best practice to protect the data and privacy of individuals and organisations.

Developers therefore have a clear responsibility to ensure that the apps they create are built with appropriate security and privacy. App stores can play an important role through the checks they put in place to help protect users from malicious and poorly developed apps. They can also act as a trusted digital marketplace, where steps are taken to ensure that users can benefit from the extensive variety of apps, which range from banking to games to health-related apps. Their role is equally important because the vast majority of users, particularly on mobile platforms, download apps via these app stores.

Across the globe, there are a growing number of regulatory initiatives focusing on mobile app stores which could result in third party app stores being obtainable on iOS devices and more accessible on Android devices. The above activities may increase the risk to app users if third party app stores do not have robust processes, such as on vetting or transparency around permission requests. There have also been significant instances where malicious apps have been available to download on app stores thereby putting users’ security and privacy at risk.

The UK government therefore conducted a review from December 2020 to March 2022 into the app store ecosystem, with the aim of reducing the threat of malicious and insecure apps to protect users whilst helping developers meet security and privacy best practice. This review sits alongside broader efforts across government focused around creating an innovative and thriving digital economy in the UK while ensuring that users are able to securely benefit from any potential changes to the app store ecosystem.

Our recent consultation on the pro-competition regime for digital markets proposed new rules for the most powerful firms to ensure consumers and businesses are treated fairly, and a level playing field where innovative tech firms can flourish. The design of this regime will also be informed by the Competition & Markets Authority’s market study into Apple and Google’s mobile ecosystems and their recent interim report published on 14 December 2021.

The review found that malicious and poorly developed apps continue to be accessible to users; it is therefore evident that some developers are not following best practice when creating apps. All app stores share a common threat profile, with malware contained within apps being the most prevalent risk. Additionally, prominent app store operators are not adequately signposting app requirements to developers or providing detailed feedback if an app or update is rejected.

This government’s intention is to take forward a robust set of interventions to ensure consumers are protected from online threats. These interventions are proportionate, pro-innovation and future-facing, in alignment with the principles set out in the Plan for Digital Regulation. The review therefore explored various options to address the above challenges. The main intervention we are proposing at this initial stage is a voluntary Code of Practice for all app store operators and developers. This is because we recognise that currently the most effective way of protecting users at scale from malicious and insecure apps, and of ensuring that developers improve their practices, is through app stores.

A Code would provide the government with an opportunity to mandate the requirements in the future should the risks arising from malicious and insecure apps not be mitigated through stakeholder action, or should the risk and threat landscape evolve such that this is necessary. A full draft of the proposed Code is provided in Chapter 6. This section also outlines other interventions we have identified that may help drive adoption among operators and developers. We will continue to keep these under review.

This publication is intended as the starting point of a much more extensive dialogue with our stakeholders, including industry and international partners. We are now holding a Call for Views for eight weeks until Wednesday 29 June 2022 to help gather feedback on the proposed interventions, including the draft Code of Practice. The feedback will be used to help inform UK government policy and our next steps. Depending on the feedback received, we may look to publish the Code later in the year, alongside exploring and taking further other interventions outlined in this report.

Protecting users from malicious and insecure apps is a global concern. We have engaged with our international partners as part of this review to share evidence, and we will continue to do so as part of efforts to create international alignment in this area.

1. DCMS review into app security and privacy

Background and scope of the review

1.1 Applications, or apps, provide users with a way of enhancing the functionality of a range of devices, including mobile devices, voice assistants, gaming consoles, smart TVs and smart wearables.[footnote 1] Some apps can be downloaded for free while others are purchased for a fee. Where apps are freely available, they may be monetised in other ways, such as through in-app purchases (including subscriptions) or revenue from in-app advertisements. Apps are typically downloaded via app stores.[footnote 2] Consumers can use both official app stores, which are provided by either the software supplier or manufacturer, and stores provided by third parties.[footnote 3]

1.2 Apps benefit consumers by providing additional functionality to their devices. This includes services that are increasingly important for everyday life, such as accessing NHS data and banking. The benefits of apps are enhanced through app stores, which can serve as centralised and trusted locations where consumers are able to download a vast variety of apps that may have been subjected to vetting before being made available. The app store ecosystem also benefits enterprises and the UK economy through allowing companies to diversify their services through apps and by supporting an app development industry. These benefits are laid out in full in Chapter 3.

1.3 However, there can be risks from downloading apps. Malicious apps continue to make it onto stores, thereby highlighting that many app stores’ review processes are not sufficient.[footnote 4] Meanwhile, app developers with no malicious intentions are likely developing apps that don’t adhere to security and privacy best practice because many app stores currently place the onus on developers to find this information for themselves. As for third party app stores, some are failing to impose robust vetting procedures or to provide security or privacy requirements altogether.

1.4 The risks, outlined in greater detail in Chapter 3, include risks to users’ security and privacy, such as the exposure of sensitive personal data. In turn, these risks can translate into financial harms. The government has therefore undertaken a review into app security, app privacy and the app store ecosystem, which ran from December 2020 to March 2022, with the aim of reducing the threat of malicious and insecure apps to protect users, as well as helping developers meet security and privacy best practices.[footnote 5]

1.5 The review examined security and privacy together for two reasons. Firstly, app store operators’ documentation for developers on each specific app feature (such as encryption, obfuscation etc.) does not separate out the security and privacy requirements. Secondly, the issues in one area can impact the other. For example, a vulnerability in an app is both a security and a privacy risk if it can enable malware to infect a user’s device and steal the victim’s personal data.[footnote 6]

1.6 DCMS has looked at a range of app stores in order to understand if specific government intervention is needed for different categories of app stores.[footnote 7] To that end, we have considered the responsibility currently placed on stakeholders in the ecosystem, namely app store operators, developers and users. Our evidence gathering has particularly focused on the mobile ecosystem due to the current threats facing it and the potential for future regulation which could dramatically change the landscape (see Chapter 4 for more information).

Rationale for the review

1.7 There are various drivers and barriers faced by operators and developers to ensure that apps have appropriate security and privacy features. App store operators have many different responsibilities when it comes to apps, including creating requirements for reviewing apps and checking if an app conforms to country regulations and is not a risk to users. These actions must be considered within the context of the financial incentives that come from being an app store operator. This includes the commissions received when customers use the app store’s in-app payment system and/or advertising on app stores.[footnote 8] Therefore, there is a significant benefit to an operator approving apps that don’t meet best practice because there is a likelihood of receiving more commissions and advertising requests. This needs to be considered alongside the potential reputational damage that could stem from allowing apps with malware on app stores which result in cyber attacks on customers or the exposure of users’ private data.

1.8 Developers typically seek to create and get their apps onto the app stores as quickly as possible due to the desire to be the first to market and because many companies rely on the revenue from in-app purchases. Yet it is important that developers still meet security and privacy best practices during the development process, and that app stores facilitate this through providing clear and upfront information on their security and privacy requirements.

1.9 In terms of app users, app store operators have significant freedom in deciding what information about an app is provided to users. Some only disclose ratings or reviews, which cannot always be verified, whereas others provide significant information, including the privacy permissions requested by an app. As a result, an information asymmetry has arisen in which some parties have significantly more information than others. Specifically, those creating or distributing apps possess more information about the level of cyber security associated with the app and the permissions it uses than the customers of the app store. Yet many users place trust in app stores (as well as the devices they buy) with the expectation that security and privacy are built into apps and devices before they come to market.

1.10 As set out above, although apps bring significant benefits to app stores and users, the ecosystem has reached a point where malicious and insecure apps are frequently identified. These pose security and privacy risks, such as the loss of personal data, which are described in more detail in Chapter 3. Moreover, the issues around information asymmetry, and ensuring that relevant stakeholders have more access to information, are areas that require government intervention to set out what best practice is. The government has therefore conducted a review to determine how we and industry can better reduce the threat of malicious and insecure apps and help developers meet security and privacy best practices.

Process for conducting the review

1.11 Over the course of the review, the government has taken an evidence-based approach supported by engagements with stakeholders. The stakeholders included consumer groups, academics, tech experts, industry organisations, app store operators, mobile security companies and developers. We also conducted engagements with experts in the area to test the definitions and scope of the review as well as the proposed interventions outlined in this document to further inform the government’s policy development.

1.12 The focus of the review, including the compilation of evidence, has consisted of three parts. Firstly, we have evaluated what security and privacy risks are currently faced by users of app stores. Secondly, we have assessed whether the responsibilities for the security and privacy of apps are distributed appropriately across the relevant stakeholders, such as app store operators, developers and users to ascertain if there is any bad practice. Lastly, the government gathered information on the full lifecycle of an app’s creation (from development to availability on app stores) to assess any issues within the process. This approach has ensured that all the proposed interventions outlined in this document are grounded in evidence.

1.13 One of the challenges when carrying out this review was being able to monitor constant changes to the ecosystem, predominantly by app store operators. Various evidence was compiled based on information available in the public domain. To ensure that the most recent information was gathered, the requests for information from app store operators regarding their vetting processes were carried out in the latter part of the review, so that outcomes reflect the present environment as far as possible. The review also identified that there was a lack of data examining app store operators’ practices. Based on discussions with leading academics in this field, the main reason for this has been a lack of access to relevant data. This review has sought to address this lack of data and, to that end, has published various accompanying evidence papers that informed this review.[footnote 9]

1.14 This document is intended as the start of a much more extensive dialogue with industry and international partners to ensure that users can securely benefit from apps and make informed decisions on what permissions they grant to apps. The evidence (set out in Chapter 5) has clearly shown that government, industry, operators and developers have an important role to play in protecting users from malicious and insecure apps. Details of our proposed interventions, including a voluntary Code of Practice for App Store Operators and Developers, are set out in Chapter 6.

1.15 We are now conducting a Call for Views for eight weeks which provides an opportunity for stakeholders to submit feedback on the document’s proposals. Various mechanisms have been set out to ensure that a wide variety of organisations and interested parties are able to provide comments on the review’s findings and proposed interventions (further details are outlined in Chapter 7).

1.16 This work should be considered within the wider context of the government’s efforts on cyber security, as well as the current threat landscape and the potential of future regulation. The next chapter provides an overview of other government activity linked to apps and app stores, with sections on security, privacy, safety and digital markets.

2. Relevant wider government activities

The cyber security context

2.1 This review sought to deliver an objective in the new National Cyber Strategy in which providers of digital services, including app stores, meet appropriate standards of cyber security, helping to protect organisations and consumers from cyber threats.[footnote 10]

2.2 The government is also committed to encouraging digital innovation, while ensuring that citizens and organisations can continue to safely use technology. It is therefore important that this review is not looked at in isolation, but rather as part of a much more comprehensive set of activities across the government. The following sections outline the main supporting activities across the government, specifically in the areas of security, privacy, safety and digital markets.

Supporting government activity

2.3 This review into app security is part of a wider set of government activity addressing security, including in relation to apps and app stores. For example, the government has published the Product Security and Telecommunications Infrastructure Bill for consumer connectable products that will mandate baseline security requirements for these products.[footnote 11] These requirements must relate to connectable products, and be for the purpose of protecting or enhancing the security of these products or their users. These security requirements may relate to software downloadable from an app store and installable on the connectable product, or a product other than the connectable product in question, such as a companion mobile application for a smart speaker. Security requirements may relate to (among other things):

  • any software used for the purposes of, or in connection with, the operation of a connectable product;
  • any software used by a person in the course of, or in connection with, using a connectable product; and
  • any software used for the purposes of providing a service to a person by means of a connectable product.

2.4 In addition to security, the review has also incorporated privacy within its scope. Where app store operators process personal data, the requirements set out in the Data Protection Act 2018 and UK General Data Protection Regulation apply to them. For example, where an app store operator decides what data is processed and why in connection with its service, it will be a controller for that processing.

2.5 As set out in the National Data Strategy, the government is also undertaking work to ensure that data and its supporting infrastructure is secure and resilient in the face of established, new and emerging risks, protecting the economy as it grows.[footnote 13]

2.6 The government is also working to improve user safety on online services and better protect users from online harms. The government has now introduced the Online Safety Bill to Parliament. This legislation will introduce new laws for platforms to keep their users safe online.[footnote 14] The regulatory framework will be overseen by Ofcom as an independent regulator.

2.7 Under the Online Safety Bill, services which enable users to share content and interact with one another will need to put in place systems and processes that improve user safety on their services. This includes removing and limiting the spread of illegal content and protecting children from harmful and age-inappropriate content. The largest, highest-risk platforms will have to consider named categories of legal but harmful material accessed by adults, likely to include issues such as abuse, harassment, or exposure to content encouraging self-harm or eating disorders. They will need to make clear in their terms and conditions whether this material is or is not acceptable on their site, and enforce this. In cases of non-compliance, Ofcom will have robust enforcement powers, including the power to apply to the Courts for business disruption measures in the most serious cases. This could involve the Courts requiring app stores to remove access to non-compliant services where certain conditions are met.[footnote 15]

2.8 The Information Commissioner’s Age Appropriate Design Code or “Children’s Code” came into force in September 2020 and provides important protections for children online. Organisations were required to be compliant with the Code by September 2021. The Code, which is required under the Data Protection Act 2018, sets out 15 standards for protecting children’s privacy, and provides guidance to companies on how these can be met when offering online services to children. This includes apps which process personal data and are likely to be accessed by children in the UK. The Information Commissioner’s Office (ICO) is working closely with Ofcom to ensure regulatory coherence via the Digital Regulation Cooperation Forum (DRCF).

2.9 The government is developing various policy options to reduce at scale the offences and harms that are facilitated by unauthorised access to UK citizens’ online accounts and personal data. This work supports the National Cyber Strategy’s ambition to make the internet automatically safer, preventing attacks and building in basic protections to benefit all UK businesses, organisations and citizens. As part of this effort we will help reduce the burden of cyber security on citizens as much as possible and help organisations better understand and mitigate the cyber risks to their customers, including in relation to how the data they hold could be used to facilitate crimes like fraud, identity theft or extortion.

2.10 The review into the app ecosystem also links to work by the government to address potential imbalances in digital markets. The government published a consultation on the pro-competition regime for digital markets. This regime would include new rules to ensure consumers and businesses are treated fairly, and level the playing field so that new and innovative tech firms can flourish. The new rules will apply only to a small number of the most powerful tech firms to shape their behaviour and protect those who rely on them.[footnote 16]

2.11 The regime will be overseen by a Digital Markets Unit inside the Competition & Markets Authority (CMA). It will be empowered to tackle both the consequences and the underlying sources of market power. The Digital Markets Unit will be given robust powers, including tough new fines, to enforce the regime, protect consumers and reduce barriers to entry for entrepreneurs.[footnote 17]

2.12 The consultation sought views on the regime to ensure it drives dynamism and innovation in digital markets and gives consumers the best possible experience online. It ran from 20 July 2021 to 1 October 2021. The government will publish a consultation response in due course, and legislate for reforms when parliamentary time allows.

2.13 The government has taken efforts to ensure that the proposed interventions set out in this document feed into and align with the various activities noted above. This will be particularly important in light of future work on digital markets because we are mindful of not placing unnecessary burden on big tech companies, especially when the current app store ecosystem brings many benefits to users, businesses and the wider UK economy.

3. Benefits and risks associated with the app ecosystem

The benefits of app stores

3.1 Apps benefit users in many ways, depending on the context they are used in. For example, apps can be used in a work context, such as for sharing files with colleagues or organising calendars. Business apps are the second largest segment of the app development industry, accounting for an estimated 10.1% of revenue in 2021.[footnote 18] Apps can also be used for leisure activities, including gaming, streaming, fitness and browsing social media. By downloading apps, users have the convenience of engaging in a broad range of activities from a single device, as opposed to having to switch between multiple appliances. These activities increasingly include activities that play an important role in everyday life, such as managing finances via banking apps or communicating with people around the world via messaging apps.[footnote 19] In the UK, members of the public will be able to access a wide range of vital government services from a single app in the near future.[footnote 20]

3.2 Apps benefit users by providing them with a faster way to access the services that are needed on a daily basis. Furthermore, by allowing the apps to collect their personal data, users can benefit from more tailored services, such as apps which use location data to recommend local businesses. Apps also enable the use of services in different environments, depending on the device.

3.3 Apps are typically downloaded via app stores.[footnote 21] App stores are beneficial to consumers as they can serve as centralised and trusted locations where users can download apps that have typically been subjected to a prior vetting process by the app store before they are made available to users. Consumers can benefit from a huge amount of choice, with each specific function, such as scanning documents, having multiple dedicated apps. There are many different types of app stores, such as smart TV, smart wearable, voice assistant, gaming console and mobile stores. Although there is no definitive data on how many apps exist on all of these different stores, research indicates that there were approximately 11.9 million mobile apps globally in 2020.[footnote 22] While many of these apps are hosted on official app stores, such as Apple’s App Store and the Google Play Store, research by RiskIQ suggests that the three stores that saw the biggest influx of apps in 2020 are all Chinese-based third party app stores.[footnote 23]

3.4 While most devices that run apps are supported by official app stores, depending on the type of device, app users may be able to alternatively use third party stores that they can download separately.[footnote 24] For example, in the mobile ecosystem, research indicates that there are currently over 300 third party app stores worldwide.[footnote 25]

3.5 Apps and app stores can also benefit companies. Businesses can use apps to engage with their customers more effectively and provide avenues to promote their services, for example, by using social media apps to promote their business to existing and prospective customers. Additionally, both Apple and Google allow companies to curate their own storefronts to distribute iOS and Android apps to employees, via the Apple Developer Enterprise Program and Managed Google Play, respectively. This benefits the companies by allowing for more efficient workflows, for example by boosting collaboration via in-house messaging apps.

3.6 Companies that publish apps also benefit from the app store ecosystem, as it provides extra means of delivering their services. Large companies can benefit from the extra revenue that apps bring, but also from the customer data they collect, allowing them to deliver more tailored services. Meanwhile, small and emerging companies can use apps to reach customers and help grow their businesses. Moreover, for some companies and developers, an app can essentially be their business, such as a gaming app.

3.7 App creation, in turn, supports its own industry, with the UK now acting as a prominent base for development companies. The app development industry in the UK, measured by revenue, is estimated to be worth £18.6 billion in 2021.[footnote 26] App development also supports various partner industries, such as companies who offer software for app stores to use in the vetting and review process. Alongside the stakeholders noted above, there are also developers who develop apps primarily as a hobby. They too benefit from the app store ecosystem, as app stores provide a space to test their creations with the public and receive useful feedback.

3.8 Apps support a wide range of sectors in the UK economy. The economy also benefits from the jobs created. There are over 12,000 businesses in this industry, employing more than 62,000 people.[footnote 27] Apple’s App Store supports over 330,000 jobs in the UK as of March 2021,[footnote 28] while there are over 10,000 publishers of apps in the UK who have published on the Google Play Store as of 2021.[footnote 29] The ecosystem also supports digital innovation. Established companies can use apps to diversify their services and apps have allowed new types of enterprises, which could not function without apps, to emerge. Furthermore, app stores provide a space for apps to compete with one another, in turn encouraging further innovation. The UK government therefore wants to ensure that the app store ecosystem continues to flourish for the benefit of consumer choice and digital innovation.

3.9 In the first quarter of 2021, UK users were spending an average of over 3 hours a day using apps.[footnote 30] This reliance on apps is likely a major reason why revenue from the UK app industry is expected to grow at a compound annual rate of 14.9% over the five years through 2022 to 2027, reaching a total of £37.2 billion.[footnote 31] In 2020-21, despite the COVID-19 pandemic, the app development industry grew by a rate of 16.1%.[footnote 32] This may be partly because the pandemic has increased the usage of and reliance on apps, with remote working and socialising becoming the new norm for many consumers, causing the global number of app installations across all devices to reach an all-time high of 37.8 billion in the second quarter of 2020.[footnote 33] This increased reliance shows the importance of UK consumers being able to trust the app stores they download their apps from, with an increasing dependency on particular app stores, namely Apple’s App Store and the Google Play Store. An Ipsos MORI survey commissioned in late 2020 (as part of the review) found that 96% of UK users download apps from these two sources.[footnote 34] It is therefore crucial that UK consumers can download apps from these stores, and other sources, without any risks to their security or privacy.

Cyber security and privacy risks to users

3.10 Apps that access an app store, and control the installation and updates of apps downloaded, come installed on many devices, and are presented to users as a safe and secure way to obtain apps. These stores can host millions of apps from a wide range of developers. As users cannot be expected to possess knowledge of app developers and security, they are dependent on app stores to provide only legitimate and non-harmful apps. If malware is accessible via an app store, then most users will have no way of telling it apart from the legitimate apps that are also present.[footnote 35] Users will also have no way of determining if the permissions an app requests are justified unless the rationale is provided upfront, so may accept permissions without considering the risks to their privacy. As some app stores have very large numbers of users, if an attacker can get their malicious app into a store, it represents an effective way to reach a large number of potential victims.

3.11 Cyber actors who seek to distribute through an app store do so to increase the number of users who download their malicious app, or to make the app appear legitimate and non-harmful. Most such campaigns will be untargeted and financially motivated, with attackers seeking to extract money directly from the user or through their access to the user’s device.[footnote 36] Data theft is another likely goal, with cyber criminals interested in stealing data that can lead to later financial gain, or further attacks, and government actors interested in spying on dissidents and other persons of interest.[footnote 37] Another motivation may be to attack an enterprise network through the victim’s device, a vector that may be quite practical as more organisations move to a “Bring Your Own Device” (BYOD) model.

3.12 Depending on the attacker’s goal, a variety of types of malware might be used, which leverage the access to the victim’s device in different ways. These methods are not necessarily exclusive, and a piece of malware may use multiple methods to benefit from the access.

  • Spyware steals data from the victim, potentially including passwords and banking data (such as two-factor authentication tokens) which the attacker can use to access the victim’s accounts, or private SMS, email, and other messages that may be of intelligence interest.
  • Ransomware campaigns work by crippling the victim’s device or encrypting their data, and demanding payment for its return.[footnote 38] They may also steal sensitive personal data and threaten to publish it unless a ransom is paid.
  • SMS Trojans will send messages to premium numbers, directly benefiting at the user’s expense. The Joker malware (also known as “Bread”), which has been downloaded thousands of times (via apps) through the Google Play Store and third party app stores, operates in this way.[footnote 39]
  • Adware benefits by delivering adverts to the user, which is primarily a nuisance, but may also forcibly download more apps to the device, putting the user at greater risk. Miners use the device’s processing power to mine cryptocurrency, degrading the performance of the victim’s device.
  • Scam apps may not have any technical capability against a phone, but are used to facilitate scamming the user. The “New Century” scam app possesses no capability against the device, but has been published on both the Google Play Store and Apple App Store repeatedly with the intention of scamming jobseekers.[footnote 40]

3.13 Users of a compromised device can be impacted in many ways: they may have their private accounts (such as bank accounts) compromised and thus incur financial loss, receive bills for fraudulent phone services, and will likely see a degradation of their device’s performance. Meanwhile, the exposure of their personal data, such as their location, could compromise their physical safety by facilitating stalking and harassment. There are significant risks for companies too, as malware on employee devices may be used as an entry point to attack a corporate network, in turn potentially leading to data breaches or ransomware attacks that significantly impact the company’s ability to operate. This can also result in a significant economic risk to companies. Additionally, companies may suffer reputational damage, particularly if customer data is stolen or if malware is found in a compromised company app.

3.14 App stores may have some systemic vulnerabilities which have enabled attackers to upload malicious apps, bypass security controls, or gain the trust of users.

  • Application republishing: Occurs when an application is copied and redistributed through third party application stores with malicious code added. If an app is banned in a user’s country (or has been removed from the official app store), the user may try to download it via a third party store.
  • Application updating: Occurs when a legitimate application has already been reviewed and published, but the next update contains malware. This may be due to the developer choosing to include malicious code, or to an attacker compromising the developer’s systems and inserting malicious code into the release. With some app stores, this is less likely to be detected, as the process of checking a pre-existing app may not be as rigorous as when it is first published.
  • Malicious Software Development Kits (SDKs): Many developers use third party SDKs to include additional content within their own applications (such as displaying advertisements or additional functionality). Legitimate third party SDKs are often included within apps on the app store. However, these SDKs can be configured or compromised to be malicious and perform malicious actions within an otherwise benign application.
  • Application acquisition: This occurs when an app with a large user base is purchased by an attacker, who then publishes an update with malware. Consumers may have built a level of trust with the previous developer or app; the app may then be purchased by an attacker, possibly without the users’ knowledge, and updated with malicious content.
  • Infected development tools: This occurs when development tools (used for building and compiling the application) are infected, often when the tools are downloaded from an untrusted third party source. When a developer builds the app, they unknowingly insert malicious code.

XcodeGhost case study - 2015

XcodeGhost was a breach within Apple’s App Store due to a tainted Software Development Kit (SDK) in 2015. Many Chinese developers obtained a third party distributed version of Xcode, which is Apple’s development tool for iOS apps. When developers built their applications, they unknowingly inserted malicious code into their apps, which were then uploaded to the App Store. A wide range of applications were compromised including instant messaging apps, banking apps, mobile carriers’ apps, maps, stock trading apps, social networking service apps, and games.[footnote 41]

The malware was downloaded by 128 million users, a number which only became public due to evidence presented in the Epic Games vs Apple lawsuit, which was widely reported in the press. Apple addressed this by removing all applications that had been infected by XcodeGhost and asking all developers to recompile their apps with a clean version of Xcode before resubmitting their applications. Furthermore, Apple advised that all developers have Gatekeeper (technology designed to ensure that only trusted software can run) activated on their Mac when developing applications to ensure code signing and verifying downloaded applications were enabled.[footnote 42]

3.15 Major app stores, such as the Google Play Store and Apple’s App Store, have vetting processes to check that apps are legitimate before they are made available to users. The full details of these processes have not been made public, but both Google and Apple have published various policies.[footnote 43]

3.16 It is unclear how many third party app stores have a vetting process for reviewing apps. The top three mobile app stores in terms of apps published in 2020 were all third party, with 9Game, the store that saw the greatest influx of apps, identified as the app store hosting the most malicious apps in 2019.[footnote 44] Where vetting is performed, there is frequently little information available about what these processes entail (or if these processes even exist for some third party app stores).[footnote 45] There are numerous instances of malware being found on third party app stores, and major vendors claim that users who install apps outside of official app stores are more likely to install malicious apps.[footnote 46]

3.17 There are also apps made available outside the app store ecosystem altogether, typically downloaded directly from websites.[footnote 47] These apps are unlikely to have been subjected to any form of vetting and may not be accompanied by the security or privacy information an app store can provide, such as information on privacy permissions. As such, they pose a particularly high risk to users. Spyware that targets users of banking apps (technically known as ‘banking trojans’), such as FluBot, has been used as a mechanism to compromise users of Android devices. App stores can mitigate this threat by serving as trusted locations where users can download apps.[footnote 48] However, various developments in the regulatory landscape have the potential to change the app store ecosystem.

4. The regulatory landscape and relevant antitrust cases

4.1 There are various investigations and regulatory initiatives being progressed, across the globe, that have the potential to impact the regulatory system around mobile apps and app stores. Their focus includes issues that could potentially reshape the app ecosystem, such as the availability of third party app stores, as well as more focused issues, such as rulings related to specific types of app stores. There are also several antitrust cases that could contribute to causing regulatory changes to the mobile ecosystem. If third party app stores were made available on iOS devices and more accessible on Android devices, this could potentially have implications for the security and privacy of users. The UK government is therefore keen to ensure that changes to the app store ecosystem do not create significant new security risks to users. The government has engaged with international counterparts, to promote the app store review and to keep abreast of developments linked to the below investigations and initiatives (see 6.19 for more information).

4.2 A prominent regulatory effort that proposes making third party app stores more accessible on mobile devices originates in the United States (US). The Open App Markets Act is most significant among these, being a bipartisan bill that would require companies that control mobile ecosystems to make third party app stores available to users. This bill and others on antitrust areas are illustrative of a wider appetite in US lawmaking for regulating large technology firms. Alongside this, there has also been an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries on 9 June 2021 which places significant emphasis on software applications.[footnote 49]

4.3 Meanwhile in the UK, the CMA launched an investigation into Apple in March 2021 over suspected anti-competitive behaviour under UK competition law, specifically in relation to Apple’s App Store and the terms and conditions governing app developers’ access to the App Store. The CMA is also conducting a market study into both Apple and Google’s mobile ecosystems.[footnote 50] The interim report was published on 14 December 2021 and sought external feedback on various areas, including “in respect of overcoming existing demand-side and supply-side barriers faced by alternative app stores” and sideloading.[footnote 51] The final report is expected in Summer 2022. The report’s content will inform the design of the new pro-competition regime for digital markets.[footnote 52] The Digital Markets Unit (DMU), which will be based in the CMA, will oversee this regime, aiming to give consumers more choice and control over their data, promote online competition and crack down on unfair practices. The final mobile ecosystems market study report will set out evidence on whether there is a justification for allowing alternative methods of app distribution, including whether third party app stores should be allowed on iOS devices, and is likely to make recommendations on this for the pro-competition regime and the DMU’s next steps in this area.

4.4 The availability of third party app stores is also included in the provisions of the European Commission’s Digital Markets Act, which concerns companies designated “gatekeepers”; a definition which would include major app store operators.[footnote 53] The draft legislation would prevent gatekeepers from using their platform to favour their own products over those offered by competitors. This could potentially require companies such as Apple to allow third party app stores on their platforms.

4.5 There are various antitrust cases that could result in rulings that may require changes to the mobile app store ecosystem. Epic Games have filed lawsuits against Apple and Google in multiple jurisdictions, such as the US, Australia, UK and EU. The cases have focused on various aspects of the mobile app store ecosystem, with particular focus on the issue of third party payment systems and the way that Apple and Google run their app stores. In these cases, the UK government has been monitoring the evidence provided by all parties.

4.6 Several regulatory bodies have launched their own investigations or market studies into the major app store operators. The Australian Competition and Consumer Commission (ACCC) issued a report in March 2021 that found that Google and Apple had significant market power in the distribution of apps in Australia, declaring that measures were needed to address this. In terms of current activity, the Federal Cartel Office in Germany has separate ongoing investigations into Google and Apple. Most significant, though, are the European Commission’s current investigations into Apple. These seek to assess whether Apple’s rules for app developers on the distribution of apps via the App Store violate EU competition rules. They also address Apple’s in-app purchase system and the ability of developers to direct users to alternative purchasing systems outside their apps. As part of this investigation, the Commission sent Apple a statement of objections in April 2021 regarding its preliminary view on the App Store’s rules for music streaming services.

4.7 Other countries are examining app stores as part of a wider area, such as digital markets or in relation to competition law. For example, the South Korean parliament recently approved a bill banning major app store operators from requiring developers to only use their payment system for making in-app payments. Meanwhile in Japan, the Fair Trade Commission has ended an investigation into Apple after the company agreed that developers of certain types of digital content apps could link to their own websites, allowing users to manage their subscriptions and previously purchased content.[footnote 54] Although these developments may not directly relate to the issue of third party app stores and their availability, they nevertheless illustrate a wider international interest in investigating the current mobile app ecosystem and the potential for change.

4.8 There are multiple developments that could significantly change the app store ecosystem in such a way that third party app stores become normalised. This may increase the risk to app store users if third party app stores are made accessible to consumers without the necessary security and privacy controls in place, such as the presence of a robust vetting process or transparency around permission requests. In light of the potential regulatory developments set out in this Chapter, we have ensured that the review’s research has particularly focused on the mobile app store ecosystem. The next Chapter outlines the findings of this research.

5. Review findings

5.1 The evidence gathered during the course of the review was used to inform the development of possible interventions. The key themes from the review’s research are set out in this chapter.

5.2 We commissioned various studies to create a robust evidence base. These include:

  • A literature review completed in February 2021 that was conducted by Professor Steven Furnell of the University of Nottingham, using information published since 2016, to evaluate consumer research and map recommendations on improving the security and privacy of apps.
  • A threat report to assess the threat profile faced by different app stores and the customers of said app stores.
  • An Apadmi study examining what and how security and privacy requirements, feedback, guidance and training is signposted by operators.[footnote 55] This study was completed in August 2021, therefore some of the operators’ processes and the information they provide on their app stores may have changed since the research was completed.

5.3 In summary, the review has found that all app stores share a common threat profile, with many examples of malicious apps found on both official and third party mobile app stores. Compounding the threat is the fact that users are currently not prioritising security and privacy information when choosing whether to download an app. This highlights the need for baseline requirements across app stores to ensure that apps are built with appropriate levels of security and privacy before being made publicly available to download. The government’s evidence also found that many app stores are currently placing the onus on developers to find information on security and privacy requirements when building apps, either by failing to adequately signpost developers to all of their policies or by not providing any of this information at all. The provision of training material for developers is likewise inconsistent across app stores, reaffirming the need for baseline requirements to ensure best practice is clearly signposted.

Threats to app stores

5.4 NCSC compiled a threat report which examined the threat profile faced by all app stores. It also outlined the intent and techniques of malicious actors who target users in apps via app stores and the vulnerabilities they exploit, using case studies to illustrate the threat.[footnote 56]

5.5 The report illustrated how app stores across all devices share the same threat profile and notes that some third party mobile app stores lack robust vetting processes.[footnote 57] It also states that mobile app stores are the most commonly targeted; the difference between them and other types of stores is one of scale rather than type.[footnote 58] The report provides a variety of case studies as illustrative examples to highlight the impact of malware on official and third party app stores across different devices.[footnote 59]

5.6 A literature review accompanying this document notes that the problem of vulnerable apps is on the increase.[footnote 60] Additionally, the NCSC report highlighted that there are many examples of malicious apps being found on both official and third party mobile app stores. For example, the Joker malware, which conducts fraudulent transactions and charges them to the victim, has appeared repeatedly on the Google Play Store since 2017.[footnote 61] Meanwhile, the PhantomLance trojan malware, believed to have been present since around the end of 2015, was found within various Android app stores.[footnote 62] Furthermore, it is not only mobile app store users who are vulnerable. In 2020, for example, a security researcher showed how it was possible to upload spyware to the Fitbit Gallery, which is the official app store for Fitbit smart wearables.[footnote 63]

5.7 Users of apps and all types of app stores evidently face threats from malicious or vulnerable apps. Despite the risks, however, users are not currently prioritising security when using app stores and downloading apps. This is understandable when there is an expectation that developers should be creating apps that have appropriate security and privacy. Additionally, app store operators should have robust processes to help protect users from malicious apps created by hostile actors.

Contradictions in what information consumers prioritise

5.8 Professor Furnell’s literature review examined previous consumer surveys and user research and identified contradictions between what users claim they prioritise when downloading apps and what they actually prioritise.[footnote 64] A survey conducted for Thales in 2016 found that 80% of end users value reliability and security in their mobile apps over other attributes.[footnote 65] However, a National Cyber Security Alliance Survey of 1,000 users in 2020 found that 42% of participants do not check what information an app gathers before downloading it, with the same percentage also willing to download apps from untrusted sources.[footnote 66] These findings were further supported by a survey, undertaken by Ipsos MORI, which showed that users give more attention to reviews and ratings than privacy permissions when considering whether to download an app.[footnote 67] As noted in Chapter 1, it is therefore important that app store operators and developers ensure that apps are built with appropriate levels of security and privacy before they are made publicly available. Although the survey indicated that security and privacy information are not the top areas of focus for users, information on this area can provide users with a level of assurance that apps are being built according to good practice.

Research and publications point to the need for baseline requirements

5.9 The literature review recommended the need for “a more credible and consistent level of information” for app store users as well as developers.[footnote 68] For app store users, the provision of security and privacy information that can enable them to make informed decisions about their downloads is inconsistent across stores. The inconsistencies are evident not only in whether such information is present or not, but also in terms of how easy it is for a user to find and interpret this information. While some stores provide fairly extensive details on app permissions, for example, others provide “nothing that most users would find meaningful”.[footnote 69] For developers, meanwhile, the report noted a lack of consistency in the provision of developer guidance, recommending that app stores publish “clear and accessible guidance” around security and privacy expectations.[footnote 70]

5.10 Given the inconsistencies across the landscape, the literature review recommended a series of baseline requirements in relation to operating app stores, “guiding developers and supporting users”.[footnote 71] The review suggested that these could lead to “initiatives across the app store ecosystem more widely”, including a “Code of Practice in order to support responsible app development and resulting confidence among users.”[footnote 72]

Lack of information displayed to developers by app store operators

5.11 The government also sought to incorporate the experience of developers by commissioning Apadmi, a software development company, to build an app with the necessary features to capture the security and privacy requirements of both official and third party app stores.[footnote 73] This study was completed in August 2021; therefore, some of the operators’ processes and the information they provide on their app stores may have changed since the research was completed. An example of such a feature would be the requirement that apps make clear what permissions they request. In their report, Apadmi noted what feedback the app stores provide during the process of uploading an app and how well the stores signpost to any guidance for developers. The report also sought to capture what training materials relevant to security and privacy requirements app stores provide. Eleven app stores were tested: three of which are operated by Google, Apple and Microsoft, and three of which are managed by original equipment manufacturers, namely Samsung, Amazon and Huawei. The other five were third party stores.[footnote 74]

5.12 The report found that for the app stores run by Google, Apple and Microsoft, information provided for 67-75% of the twelve key features is deemed passive, meaning that while it is present, it requires the developer to actively seek it out.[footnote 75] Most feedback, meanwhile, is left until an app is ready for final submission. One exception to this is the requirement for an app to have a digital signature, which both Google and Apple actively flag during the app development process.[footnote 76] A digital signature is a way of signing code to ensure it behaves the way the developer intended and has not been tampered with since it was signed. While it is an important security mechanism for apps, it is only one of many necessary elements for safeguarding user security and privacy. For the majority of the other key features, an app developer is left to build an app in its entirety before receiving any feedback on whether or not it conforms to the standards set out by the app store operators.[footnote 77]
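The two integrity controls this document relies on, a published digest for a downloaded build tool (paragraph 3.14, “Infected development tools”, and the XcodeGhost case study) and a digital signature over a release so that later tampering is detected (paragraph 5.12), shown as an added Go example. This is not code from the document, from Apple, Google or any app store; it assumes the toolchain vendor publishes a SHA-256 digest out of band and that the developer holds an Ed25519 release key. The file contents, names and keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Sha256Hex returns the hex SHA-256 digest of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ToolchainDigestMatches is the check a developer runs on a downloaded
// build tool before installing it: the bytes must match the digest the
// vendor published through a trusted channel. A mismatch means the
// download (for example a redistributed copy of an IDE) must not be used.
func ToolchainDigestMatches(download []byte, publishedHex string) bool {
	return Sha256Hex(download) == publishedHex
}

// GenerateReleaseKey creates the developer's release signing key pair.
// Assumption: in real use the private key is kept in a signing service
// or hardware token, not on the build machine.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to sign with
	}
	return pub, priv
}

// BuildManifest lists every file in an app bundle with its digest, in a
// deterministic order, so one signature covers the whole bundle.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s %s\n", Sha256Hex(files[n]), n)
	}
	return buf.Bytes()
}

// SignRelease produces the developer's signature over the manifest.
func SignRelease(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyRelease is what a store or device runs before accepting an update:
// the manifest must verify under the publisher's already-known public key.
func VerifyRelease(pub ed25519.PublicKey, manifest, sig []byte) bool {
	return ed25519.Verify(pub, manifest, sig)
}

func main() {
	// Constructed toolchain download and the digest the vendor "published".
	clean := []byte("constructed: vendor build tool v1")
	published := Sha256Hex(clean)
	redistributed := append([]byte{}, clean...)
	redistributed = append(redistributed, []byte(" + constructed injected code")...)
	fmt.Println("vendor download matches digest:", ToolchainDigestMatches(clean, published))
	fmt.Println("redistributed copy matches digest:", ToolchainDigestMatches(redistributed, published))

	// Constructed app bundle, signed at release time.
	pub, priv := GenerateReleaseKey()
	files := map[string][]byte{
		"app.bin":   []byte("constructed app binary"),
		"meta.json": []byte(`{"name":"example"}`),
	}
	manifest := BuildManifest(files)
	sig := SignRelease(priv, manifest)
	fmt.Println("release verifies:", VerifyRelease(pub, manifest, sig))

	// The bundle is altered after signing (the 'application updating' case
	// where an attacker, not the developer, changes the release).
	files["app.bin"] = []byte("constructed app binary + constructed injected code")
	fmt.Println("tampered release verifies:", VerifyRelease(pub, BuildManifest(files), sig))
}
```

Run with `go run .`. Note the limit the document itself points to: a valid signature proves only that the holder of the release key signed those bytes. In the “application acquisition” case, and where a developer knowingly ships malicious code, the update is correctly signed, so stores still need to review updates on their content and behaviour rather than on the signature alone.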

5.13 App stores operated by original equipment manufacturers, meanwhile, were found to lack feedback for 83% of the individual features. While all three of the tested stores provided guidance on privacy policies and two provided feedback on digital signatures, none of them provided specific guidance on privacy-related features. Otherwise, all three stores, which run on Android, relied on the developer finding documentation already provided by Google, with none of them providing any contextual links to relevant material.

5.14 For the five tested third party app stores, feedback was lacking for 92% of features for two of the stores, and 100% of features for the other three. Again, the only area of feedback for any of the stores was around apps being digitally signed. As this was the only point of feedback, if any feedback at all was even provided, it highlights the wider issue of a lack of robust vetting that the NCSC threat report pointed to.

5.15 Overall, the Apadmi report found that app store operators are currently placing the onus on developers to find information on security and privacy requirements and also know the correct search terms to use. The Amazon Appstore, for example, does not signpost to its privacy policy section from its developer environment, and developers must search for it themselves.[footnote 78] Meanwhile, the Microsoft Store includes information about app permissions but this information is not linked to directly from the app upload process.[footnote 79] App stores more broadly are either failing to signpost developers to relevant documentation, or failing to provide this documentation in the first place, as characterises most third party stores.

Mixed picture on training material provided by mobile app store operators

5.16 As well as developer documentation, there is also a lack of consistency in the training material mobile app stores provide to developers.[footnote 80] Only Google, Apple and Microsoft are supplying developers with support around adhering to best practice. For example, Apple has a “learn to code” website offering ebooks and certification.[footnote 81] Google has announced a Google Career Certificates programme, although this does not include training related to security or privacy at the time of writing.[footnote 82] These stores also provide video tutorials, including videos taken from annual developer conferences in the case of Apple and Google.

5.17 In contrast, third party app stores are not providing any similar training to developers, with the expectation that developers are already sufficiently aware of best practice in terms of building features for apps. The only third party store in the study that provided any training material was the Huawei AppGallery, though none of it related to security or privacy issues.[footnote 83]

5.18 Having established the lacking or inconsistent information that app store operators are currently providing developers within the app development process, the government sought to gather information on the review process and the additional mechanisms used by app store operators.

Engagement with app store operators

5.19 The government contacted various app store operators to seek feedback on a number of specific areas, including their app vetting process, the steps they take to review apps once they receive updates and the scale of malicious apps found and rejected by app stores. A range of responses was received, with some operators also choosing to not disclose any information. The information provided was treated as confidential and helpfully informed the policy development of the proposed interventions. We will actively seek to engage with app store operators during the future Call for Views to seek their feedback on this document.

6. Proposed interventions

6.1 The evidence from the NCSC report indicates that there are examples of malicious and insecure apps available on a range of app stores, thereby posing a risk to the security and privacy of users. The review was based on information available in the public domain, and therefore it is difficult to ascertain the true scale of the risk to users. However, the research presented in Chapter 5 does highlight that, across the ecosystem, users continue to be at risk from malicious and insecure apps and that operators’ and developers’ practices can be improved. There is also an inconsistent approach in terms of the feedback offered during and after an app’s review. Meanwhile, there are clear indications that some third party app stores lack a robust vetting process and provide very little information to developers, which ultimately risks allowing apps with very limited security and privacy capabilities onto these app stores. While there are currently relatively few UK users of third party app stores, this could easily change as a result of developments in the regulatory landscape.

Objectives for the app ecosystem

6.2 Due to the potential changes in the regulatory landscape (outlined in Chapter 4), it is likely that the details of any intervention we propose in this document would need to change in the near future. There are four fundamental objectives that the government wants to achieve for apps, regardless of any potential changes to the ecosystem which may result in app stores not being the primary means of accessing apps. This is in order to future-proof any intervention.

  • Security (and privacy) is prioritised, thereby reducing the threat from malicious apps.
  • Security and privacy information is clearly communicated and accessible to users of apps.
  • Any future regulation that changes the app ecosystem should understand the impact on cyber security.
  • Vulnerabilities, when identified in apps, are easily reported and quickly resolved to minimise the risk to users.

Key themes that informed the development of policy interventions

6.3 The above objectives were considered alongside a set of categories when identifying and developing interventions. These categories have formed the basis of how we have tested each intervention to determine whether it will address the issues raised by this review (see Chapter 5) and the objectives we want all app stores to follow (see above). This section briefly outlines each theme.

Effectiveness and measurability

6.4 Effectiveness was viewed in terms of whether each intervention would ultimately reduce the threat to users from malicious and insecure apps. It also involved evaluating whether the impact of the proposal could be measured over a period of time. This was essential because the app store ecosystem could fundamentally change due to broader digital regulation and/or technological changes. Moreover, in the future the government may need to explore further mechanisms, such as deciding whether regulation is needed. We are mindful that any considerations around regulation would need to be tested with relevant stakeholders. It will also be important to consider existing regulatory remits, such as current data protection requirements and competition and consumer law, before preparing additional obligations.

Burden

6.5 This category focused on the extent of the burden that each intervention may place on the affected stakeholders, including government, app-related stakeholders and wider industry. This included, at a high level, broad considerations (informed by stakeholder engagement) around potential financial implications in light of the timelines for delivering each of the proposed interventions outlined in this chapter.

Barriers to Implementation

6.6 This category considered the timescale of implementation in terms of whether each intervention could address the current and future needs for the area in light of the government’s evidence findings. It also assessed the intervention in terms of its likelihood of adoption and support from key stakeholders and practicability, predominantly in terms of its ease of implementation.

Consistency with international approaches

6.7 The government is aware of the benefits of international cooperation in cyber security. This category has therefore sought to ensure that any interventions consider the benefits of international collaboration as well as how this might be achieved. Additionally, it considered whether any of the interventions would undermine or conflict with other approaches taken internationally (such as standards or actions by other governments).

Equity and Impact (on consumers / competition impact on the market)

6.8 This category evaluated the impact of each intervention in terms of whether it disproportionately affected specific user groups, such as consumers. Because this review ultimately sought to support users, this needed particular consideration. The category also examined each intervention in terms of whether it lessened competition, increased prices, or created or reinforced monopoly positions within the market. This second area should be viewed within the context of the government’s support for digital innovation.

Choosing policy interventions

6.9 We used these themes to test a number of potential policy interventions developed over the course of the review through engagement with various stakeholders. Annex B sets out the interventions that are not being taken forward, including the rationale for this. These proposals could be used in the future if the main intervention (the Code of Practice, see below) is progressed and efforts are needed to drive its adoption.

Rationale for a Code of Practice

6.10 As the literature review noted, a voluntary Code of Practice for App Store Operators and Developers represents a cross-cutting mechanism that would incorporate multiple stakeholders and provide clarity on their responsibilities.[footnote 84] While it is important to recognise the leadership of Apple and Google in defining current best practice, a Code would also provide an opportunity for these and other stores to improve their processes, particularly some third party app stores. Furthermore, we do not want to create a significant burden on operators, and a principles-based approach would allow a degree of flexibility for operators, in terms of the steps they take to ensure they adhere to each area.

6.11 A Code of Practice would also proactively prepare the UK market for potential changes to the mobile ecosystem, and would provide a route for mandating requirements should the ecosystem change.[footnote 85] Furthermore, a Code of Practice would align with the government’s support for digital innovation, as it would set baseline principles for any operator to ensure users can securely benefit from more choice on their devices without compromising their device’s security or their own privacy.

6.12 As the threat report showed, app stores, regardless of their type, fundamentally share a threat profile. A Code of Practice could therefore be applicable to all types of app stores which would help protect more users across different devices.

6.13 While the proposed Code of Practice would be voluntary, the UK government would seek to put incentives in place to encourage adherence to the principles in the Code. The Code also reminds operators and developers of their obligations under Article 25 of the UK GDPR. Under the UK GDPR, developers and operators as data controllers are required to put in place appropriate technical and organisational measures to implement the data protection principles effectively and integrate necessary safeguards into their processing activities. [This is known as data protection by design and by default.]

6.14 The proposed Code would be applicable to all types of app stores operating in the UK. The government is conscious that any potential future regulatory efforts surrounding the Code would need to consider the fact that many app stores are not based in the UK. Our intention is therefore to prioritise engagements with other international governments and institutions over the coming months to seek alignment on the need for interventions to protect users from malicious and insecure apps and help developers meet security and privacy best practices (see 6.19).

6.15 App store operators would need to consider the reputational damage they would face from not following the Code should it emerge, following a security incident, that they had not been adhering to its principles. The Code would allow an operator to safeguard its reputation in the long term, in turn allowing developers to be confident to distribute their apps via a store with a positive reputation. Adherence to the Code may result in an app being reviewed more extensively and this will likely increase the time it takes for an app to get to market (on an app store). However, the government believes these changes are necessary to help protect users of apps. The Code should be seen as a first step in the government’s efforts to help protect users. Other interventions, including those set out in Annex B, could be taken forward in the future if required.

Proposed Code of Practice for App Store Operators and App Developers

This voluntary Code of Practice sets out practical steps for app store operators and developers to protect users. The seven principles are not written in priority order because they are all important in helping to protect users’ security and privacy. Within the content of each principle, the government has, where relevant, referred to the privacy requirements that operators must comply with under data protection law.

The responsibility to implement the principles falls on both the developers and the app store operators. In light of the role that operators hold in setting policies and processes for their app stores, they should also take reasonable steps to check that developers are complying with the principles set out in this Code.

An indication is given for each principle as to which stakeholder is primarily responsible for implementation. Stakeholders are defined as:

Audiences

App Store Operators: The persons or organisations responsible for operating the app store. The App Store Operator will have capability to add and remove apps, and decides on the requirements that apps will need to meet to be included in the app store.

Developers: Persons or organisations which create or maintain apps on the app store. Developers are responsible for ensuring their app meets the requirements of the app store, as well as any legal requirements.

Platform Developers: Individual(s) responsible for producing the operating system, default functionality and the interface that enables third parties to implement additional functionality, such as through apps.

1. Ensure only legitimate apps that meet security and privacy best practice are allowed on the app store

  • App store operators shall have a vetting process for approving app submissions and a separate process for reviewing apps that are already available on a store, for example to help detect malicious code in apps when they receive updates.
  • App store operators shall remove an app that has been identified as being malicious as soon as possible.
  • App stores shall also have a mechanism to detect and report apps that are fraudulent, such as those spoofing known legitimate brands.
  • The app store vetting process shall adhere to the general security requirements set out in data protection law.[footnote 86]

Primarily applies to: App Store Operators

2. Implement vulnerability disclosure processes

  • Every app shall have a vulnerability disclosure process and policy (including contact details) which is created by the developer and checked by the operators to ensure that communication can easily happen if the app needs to be updated or is marked as malicious. This process shall also ensure that vulnerabilities can be reported without making them publicly known to malicious actors.[footnote 87] These contact details shall be clearly visible on the app store so that users and security researchers can directly contact them. The above actions align with requirements set out under data protection law (see article 13 of UK GDPR).
  • App stores shall provide guidance for developers on how to establish a robust vulnerability disclosure process.
  • App stores shall have an app reporting system (including visible contact details) so that users and security researchers can report malicious apps, and developers can report fraudulent copies of their own app to the app store.
  • The app stores shall have a vulnerability disclosure policy so that a user, security researcher or other stakeholder can report any vulnerabilities found in the app store platform to the operator.

Primarily applies to: App Store Operators and Developers

3. Keep apps updated to protect users

  • Developers shall provide updates to patch security vulnerabilities within their apps as soon as they are identified.
  • When a developer submits a security update for an app, the app store shall encourage users to update the app to the latest version.
  • The app store should not reject standalone security updates without providing strong justification to the developer as to why this has happened.

Primarily applies to: App Store Operators, Developers, Platform Developers

4. Provide important security and privacy information to users in an accessible way

  • When an app store operator removes an app, they shall notify users of its removal.
  • App stores shall also inform users about an app’s usage and storage of data, when the app was last updated, the regularity of updates and relevant security information.
  • App stores shall display the permissions required by the app, such as access to contacts, location and the device’s camera, along with justifications for why each of these permissions is needed.[footnote 88] Developers shall provide this information and ensure it is up to date whenever a new version is published.
  • App stores should display user reviews for apps, the total number of downloads, and the name and location of the app developer.
  • Developers shall ensure that an app still functions if users decide not to allow one or more of the requested permissions, except for functionality that explicitly requires those permissions.[footnote 89]

Primarily applies to: App Store Operators and Developers

5. Enterprise app stores shall be secured where provided

  • App stores can offer organisations mechanisms to set up private app stores, curated for their employees.
  • These app stores shall be protected against malicious actors using them as a backdoor into their organisation or as a mechanism to distribute malicious apps to consumers.
  • If the organisation intends to create an app store that involves processing employee data, it shall implement the security measures required under data protection law to ensure that employee data is protected.[footnote 90]

Primarily applies to: App Store Operators

6. Promote security and privacy best practice to developers

  • App store operators shall clearly set out security and privacy requirements for apps on the app store, published in a location that developers can access without having to pay.
  • App store operators shall also provide information on what is considered best security and privacy practice where that goes beyond the standard requirements.
  • App store operators should support app developers in implementing effective supply chain management, such as by monitoring common third party libraries and services, which may be used as a threat vector across multiple apps.

Primarily applies to: App Store Operators

7. Provide upfront and clear feedback to developers by app stores

  • App store operators should provide a mechanism for developers to receive feedback throughout the app development process, prior to the developer submitting the app for approval. The app store operator can decide how this feedback is provided but it should be detailed and transparent, for example, through a development environment made available by the app store operator.
  • When an app submission is rejected, the app store operator should provide detailed feedback, justifying the rejection of the app, and making clear what elements would need to change in order for the app to be acceptable.
  • When an app store operator removes an app for security or privacy reasons, they shall notify the developer of its removal, and provide feedback explaining the removal.

Primarily applies to: App Store Operators

Accompanying interventions associated with the Code

6.16 If a Code of Practice is taken forward, the government will work closely with app store operators and consumer groups to ensure that any additional information provided for users as a result of the principles is clear and accessible. We will also coordinate with wider government cyber security communication efforts, such as Cyber Aware, to ensure the content aligns with broader messages around cyber security behaviour.

6.17 The ICO will explore the development of further tools and guidance to explain the concepts of data protection by design and default. A recent example of such material is their guidance for designers explaining the practical implementation of the Children’s Code.[footnote 91]

6.18 If feedback suggests it is useful, we will begin to explore the challenges and opportunities of placing the principles of the Code on a regulatory footing. The intention would be to hold a public consultation with stakeholders to see how the Code principles could be mandated in light of the potential changes in the regulatory environment. While regulation would likely focus initially on mobile app stores due to the current developments in that space, the consultation would factor in each type of ecosystem.

6.19 We recognise that digital markets can change rapidly and that other mechanisms may need to be considered in the future to ensure that developers create and distribute apps with appropriate security and privacy features.

Building international consensus

6.20 The government recognises the importance of international cooperation in app security, so that app store operators are not burdened with having to tailor their platforms and practices for many different countries. The government has therefore engaged with international counterparts to promote the review and to keep abreast of developments linked to the above regulatory initiatives and investigations. Further engagement with international partners will occur in the coming months as part of efforts to create international alignment.

6.21 Very few standards have been created on app security and privacy or on app store controls. The OWASP Mobile App Security Requirements[footnote 92] and Verification Standard (MASVS)[footnote 93] defines security requirements for mobile applications, providing a baseline for standard app security and a higher level for apps which handle sensitive data. The ioXt Alliance[footnote 94] has produced a Mobile Application Profile[footnote 95] which is intended for cloud connected applications, but much of which may be broadly applicable to a wider set of apps. Unlike the above standards, the Code seeks to address the full lifecycle of app development; rather than specifying the detailed security and privacy requirements, the government wants to set out baseline principles that an app store should follow. As part of considering further interventions in this area, the government might also explore the option of developing technical standards to help provide clarity to app store operators and incentivise the adoption of the Code of Practice’s principles.

7. Next steps

7.1 DCMS will be holding an eight week Call for Views on the document until Wednesday 29 June. Stakeholders are encouraged to provide their views on the proposed interventions, including the content of the proposed Code and whether additional proposals should be taken forward. The government would also welcome views, particularly from developers, on the review and feedback processes they have encountered when creating apps for different app stores. Moreover, we would welcome any data that illustrates the financial and wider impact of implementing the Code of Practice. Participants will have the opportunity to identify themselves when they submit their responses or to remain anonymous.

7.2 If you are unable to fill out the online survey or you would like to share data then you are welcome to submit comments to cybersecurity@dcms.gov.uk (by Wednesday 29 June). You can also submit written comments to:

App Security & Privacy Call for Views
Cyber Security & Digital Identity Directorate (4/48)
Department for Digital, Culture, Media and Sport
100 Parliament Street
Westminster
London
SW1A 2BQ

7.3 Following the Call for Views, we will review the feedback provided. The intention will be to publish a response which provides an overview of the key themes from the Call for Views and the government’s future direction of travel. If the Code of Practice is taken forward then we will aim to publish it later this year.

Annex A: Glossary of terms

Adware: A type of malware that benefits from its access by displaying adverts, primarily inconveniencing the user but potentially placing them at greater risk if the ads lead to downloads of other malicious software.
App: An app, or an application, is a non-integral software package that can run on a user’s device to add custom functionality or obtain specific content.
App store: A digital marketplace that allows users to download apps created by developers, not just the store’s operator. App stores do not only host apps, as they also serve as storefronts that allow users to browse for apps, such as via search functionality.
Enterprise app stores: Stores that organisations can create for their employees to use, populated with apps that the enterprise has approved for corporate use.
Internet of things (IoT): The totality of devices, vehicles, buildings and other items embedded with electronics, software and sensors that communicate and exchange data over the Internet.
Miners: A category of malware that infects a device and hijacks its processing power to generate cryptocurrency for the perpetrator. Miners can degrade the performance of a device or even damage it through overheating components.
Official app store: An app store provided by either the official software supplier for a device (such as Apple for iOS and Google for Android) or the OEM, such as the Samsung Galaxy Store on Samsung Galaxy mobile devices. On mobile devices, official app stores typically come pre-installed.
Original equipment manufacturer (OEM): The manufacturer of a device, though not necessarily the provider of its operating system. While the operating system will likely come with an app store such as Google Play pre-installed, an OEM may also include their own app store for consumers to use.
Ransomware: A type of malware designed to encrypt data and deny access to it until the victim pays a ransom.
Software development kits (SDKs): Tools that assist in the creation of apps, often providing reusable functions that are built into apps.
Spyware: Malware that can infect a user’s device and steal data.
Third party app store: A type of app store that is not provided by the platform developer or OEM, often requiring the user to download it separately.
Third party library: Code written by other developers that a developer can use when building their own app to replicate common app functions.
Web apps: Apps that are run on a remote web server rather than being downloaded locally onto a user’s device, as most apps typically are.

Annex B: Options analysis summary

A number of options were considered in support of the review’s objectives. These proposals were wide-ranging and represented ideas from a range of stakeholders, comprising a mix of government officials, industry experts, consumer associations and academics. The options were considered against the key themes that informed the development of policy interventions (see Chapter 6). These were effectiveness, cost (to either government or industry), barriers to implementation, consistency with international approaches and equity and impact (both on consumers and the market).

Measure: Guidance for app store operators
Conclusions: One of the options considered as part of the review was guidance aimed at app store operators that would signpost various best practices on security and privacy controls for apps. Although guidance can always provide some level of support, it was not taken forward because industry has already had years to set requirements for the ecosystem, malicious apps continue to get onto app stores and we have no guarantee that many operators will follow the guidance. A further challenge associated with any guidance is that it would not be future-proofed. Various regulatory initiatives indicate that parts of the app store ecosystem could change in the next few years, so multiple versions of the guidance would likely need to be produced.

Measure: Guidance for developers
Conclusions: We also explored whether government guidance for developers to help them build apps with appropriate levels of security and privacy was required. Ultimately, the development process of an app is only part of the broader app ecosystem. Guidance would not prevent malicious actors from developing deliberately harmful apps. Moreover, app stores need to have robust security and privacy controls for apps to ensure that apps (and apps that are updated) are effectively reviewed so that users are protected. There is also a significant challenge in deciding where to set the parameters for the areas covered by the guidance. We do not want to stifle the market by making recommendations on what processes or software development tools developers should use. The ICO’s exploration of developing guidance in relation to specific aspects of data protection will be far more beneficial. We also did not take this forward because we felt that the guidance could be seen as representing a low bar when developers should actually aspire to best practice.

Measure: Consumer guidance
Conclusions: We also considered guidance targeted at users. This could enable users to know what to look out for when downloading apps and how to consider the credibility of an app store. However, a challenge associated with consumer guidance is that most users do not currently use the security and privacy information available to them, as the Ipsos MORI consumer survey (commissioned as part of this review) found. Additionally, many operators at present give a partial picture of the key information about an app, which restricts the ability of users to make informed decisions when choosing whether or not to download an app. Given the above, it should instead be the app store operator’s responsibility to ensure the necessary security and privacy controls are in place. Moreover, operators should request information from developers on the security and privacy of their apps and convey this information to users in an accessible way on the app stores so they can make clear decisions.

Measure: Immediate regulation to mandate security and privacy requirements on app store operators
Conclusions: This intervention was ultimately assessed to be a disproportionate and premature measure. As the results of the Ipsos MORI consumer survey showed, 96% of users currently download apps mostly through the Google Play Store and Apple’s App Store. While changes to the ecosystem could result in a growing number of users downloading apps via third party stores, it is still too early to see what the outcome of the various regulatory developments and antitrust cases will be. It would therefore be more prudent to wait for more clarity on the future app store ecosystem. Immediate regulation would likewise be premature while we are yet to know the positions that other governments are taking, and could be seen as the UK acting unilaterally when the government is aiming for international alignment. Additionally, the government feels it is essential that any security and privacy requirements are tested with stakeholders, particularly those that are part of the app store ecosystem, to ensure that a multi-stakeholder process is followed for this area prior to any regulation being considered.

Measure: Certification for operators via digital trustmark/rating label based on compliance with requirements
Conclusions: A certification scheme for app store operators could award a digital trustmark or label to stores based on their compliance with security and privacy requirements. This would be beneficial to users as they would be able to identify which app stores are following best practice. A challenge would be ensuring that users fully understood what the mark/label meant. Users may think that it implies that all apps available on the app store are secure when in fact they may contain vulnerabilities. It could also be argued that it would represent a significant burden on operators, particularly for smaller app stores, thereby stifling innovation. This option would also be limited if the UK was the only country to endorse app store certification. We will keep this option under consideration and would welcome feedback on this initiative.

Measure: Certification of requirements for each individual app to go through an assurance process
Conclusions: An alternative form of certification would be to set requirements for each individual app to go through an assurance process. While there would be some common ground across platforms, there would also need to be significant differences based on different types of device or operating system. Apps will also have different security requirements depending on their functionality. Attempting to define requirements for all apps over all platforms would not be practical under a single certification. An assurance scheme would necessitate long-term technical support, as the requirements would need to be updated frequently. Additionally, we would need to consider the international implications for this area. It could also be damaging to digital innovation. The government has also considered the benefits of independent self-certification for particular use-cases of apps. We advocate that this should be industry led. We recognise that there are some industry organisations that are currently offering this to companies and we acknowledge the positive efforts that are being taken to improve the security and privacy of apps to help protect users.

Measure: Provide guidance for third party services to help developers build apps
Conclusions: The government could encourage support for third party services that help developers build apps in accordance with security and privacy best practice. These third party services could also help facilitate effective supply chain management, for example by ensuring that developers are not using compromised third party libraries in their code. However, the government is cautious about proceeding with this option, as we do not want to stifle digital innovation. While app store operators can delegate efforts to third parties, the risk is ultimately theirs to own. It is unclear whether third party services would obtain a significantly greater level of expertise than app developers currently possess. It is also likely that larger app developers would prefer to develop this capability in-house, and smaller app developers are unlikely to want to take on extra cost if not mandated.

Annex C: Call for views survey questions

The survey includes an introduction page which provides an overview of the survey, instructions for completing it, a privacy notice and a question asking participants to state if they are willing to share data with DCMS in accordance with the privacy notice. The other survey questions are set out below.

Demographic questions

1. Are you responding as an individual or on behalf of an organisation?

  • Individual
  • Organisation

2. [if individual] Which of the following statements best describes you?

  • Cyber security professional
  • Developer working for an app development company
  • Independent app developer
  • Consumer expert/advocate
  • Academic
  • Interested member of the public
  • Government official
  • Other [if selected, then a please specify text box appears]

3. [if organisation] Which of the following statements best describes your organisation?

  • An app development company
    • That publishes apps on official app stores
    • That publishes apps on third-party app stores
    • That publishes apps on both official and third-party app stores
  • An app store operator
  • A mobile security provider
  • A cyber security provider
  • An educational institution
  • A consumer group/organisation
  • Government
  • Other [if selected, then a please specify text box appears]

4. [if organisation] What is the size of your organisation?

  • Micro (fewer than 10 employees)
  • Small (10-49 employees)
  • Medium (50-250 employees)
  • Large (more than 250 employees)

5. [if individual] Where are you based?

  • England
  • Scotland
  • Wales
  • Northern Ireland
  • Europe (excluding England, Scotland, Wales and Northern Ireland)
  • North America
  • South America
  • Africa
  • Asia
  • Oceania (Australia and surrounding countries)
  • Other [if selected, then a please specify text box appears]

6. [if organisation] Where is your organisation headquartered?

  • England
  • Scotland
  • Wales
  • Northern Ireland
  • Europe (excluding England, Scotland, Wales and Northern Ireland)
  • North America
  • South America
  • Africa
  • Asia
  • Oceania (Australia and surrounding countries)
  • Other [if selected, then a please specify text box appears]

7. Are you happy for DCMS to contact you to discuss your response to this Call for Views further?

  • Yes
  • No

[If yes], Please provide us with a contact name, organisation (if relevant) and email address.

Section 1: Review and Proposed Interventions

In this section, we would like your views on the review into app security and privacy, including its scope, and the proposed voluntary Code of Practice. This includes the rationale for the Code, its potential impact and whether any additional interventions should be considered.

8. Do you agree with the review including all types of app stores within its scope (e.g. stores for mobile devices, smart wearables, voice assistants, gaming stores, etc.) regardless of where their operators are based or what type of device they support?

  • Yes
  • No
  • Don’t know

[If you answered ‘no’], Please specify the types of app stores that should be excluded, and why. (300 words)

9. Are there any additional security and privacy issues or bad practice in the app ecosystem that you would like to raise separate from those in the publication document?

  • Yes
  • No
  • Don’t know

[If yes], Please provide evidence (if possible) and reasons for your answer. (400 words)

The government’s publication document noted that the rationale for a Code of Practice for App Store Operators and Developers that sets out baseline security and privacy requirements is that:

  • A Code of Practice represents a cross-cutting mechanism that would incorporate multiple stakeholders and provide clarity on their responsibilities.
  • A Code of Practice would also provide an opportunity for developers and app store operators to improve their practices.
  • A Code of Practice would also proactively prepare the UK market for potential changes to the mobile ecosystem. It could also provide a potential route for mandating requirements should the ecosystem change.
  • As the threat report showed, app stores, regardless of their type, fundamentally share a threat profile. A Code of Practice could therefore be applicable to all types of app stores which would help protect more users across different devices.

10. Do you support the need for a voluntary Code of Practice for App Store Operators and Developers that sets out baseline security and privacy requirements?

  • Yes
  • No
  • Don’t know

[If you answered no], Please provide reasons for your answer. (300 words)

[If answered yes], Beyond the points set out in the previous question, are there any other reasons why you support the need for a voluntary Code of Practice? Please leave blank if there are no additional points to raise. (300 words)

11. Would there be any challenges (costs, resources, etc.) from implementing the Code of Practice that have not been set out in the publication document?

  • Yes
  • No
  • Don’t know

[If answered yes], Please provide evidence and reasons for your answer. (500 word limit)

12. Are there other interventions that the government should consider to help protect users from malicious and insecure apps whilst ensuring that developers meet security best practice?

  • Yes
  • No
  • Don’t know

[If answered yes], Please provide evidence and reasons for your answer. (300 word limit)

Section 2: Code of Practice Principles

In this section, we would like to get your views on the seven principles laid out in the Code of Practice. We will ask you about each principle in turn, including whether the principle should be included in the Code of Practice and whether any other principles should be considered.

Principle 1: Ensure only legitimate apps that meet security and privacy best practice are allowed on the app store

  • App store operators shall have a vetting process for approving app submissions and a separate process for reviewing apps that are already available on a store, for example to help detect malicious code in apps when they receive updates.
  • App store operators shall remove an app that has been identified as being malicious as soon as possible.
  • App stores shall also have a mechanism to detect and report apps that are fraudulent, such as those spoofing known legitimate brands.
  • The app store vetting process shall adhere to the general security requirements set out in data protection law.

13. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

Principle 2: Implement vulnerability disclosure processes

  • Every app shall have a vulnerability disclosure process and policy (including contact details) which is created by the developer and checked by the app store operator, so that communication can happen easily if the app needs to be updated or is marked as malicious. This process shall also ensure that vulnerabilities can be reported without making them publicly known to malicious actors. These contact details shall be clearly visible on the app store so that users and security researchers can contact the developer directly. The above actions align with requirements set out under data protection law (see Article 13 of UK GDPR).
  • App stores shall provide guidance for developers on how to establish a robust vulnerability disclosure process.
  • App stores shall have an app reporting system (including visible contact details) so that users and security researchers can report malicious apps, and developers can report fraudulent copies of their own app to the app store.
  • The app stores shall have a vulnerability disclosure policy so that a user, security researcher or other stakeholder can report any vulnerabilities found in the app store platform to the operator.

14. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle in the box below alongside your reasons and any evidence. (300 words)

Principle 3: Keep apps updated to protect users

  • Developers shall provide updates to patch security vulnerabilities within their apps as soon as they are identified.
  • When a developer submits a security update for an app, the app store shall encourage users to update the app to the latest version.
  • The app store should not reject standalone security updates without providing strong justification to the developer as to why this has happened.

15. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

Principle 4: Provide important security and privacy information to users in an accessible way

  • When an app store operator removes an app, they shall notify users of its removal.
  • App stores shall also inform users about an app’s usage and storage of data, when the app was last updated, the average cadence of updates and relevant security information.
  • App stores shall display the permissions required by the app, such as access to contacts, location, and the device’s camera, along with justifications for why each of these permissions is needed. Developers shall provide this information, and ensure it is up to date whenever a new version is published.
  • App stores should display user reviews for apps, the total number of downloads, and the name and location of the app developer.
  • Developers shall ensure that an app continues to function if users decide not to allow one or more of the permissions requested, except for the functionality that explicitly requires those permissions.

16. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

Principle 5: Enterprise app stores shall be secured where provided

  • App stores can offer organisations mechanisms to set up private app stores, curated for their employees.
  • These app stores shall be protected against malicious actors using them as a backdoor into the organisation or as a mechanism to distribute malicious apps to consumers.
  • If the organisation intends to create an app store that involves processing employee data, it shall implement the security measures required under data protection law to ensure that employee data is protected.

17. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

Principle 6: Promote security and privacy best practice to developers

  • App store operators shall clearly set out security and privacy requirements for apps on the app store, published in a location that developers can access without having to pay for it.
  • App store operators shall also provide information on what is considered best security and privacy practice where that goes beyond the standard requirements.
  • App store operators should support app developers in implementing effective supply chain management, such as by monitoring common third party libraries and services, which may be used as a threat vector across multiple apps.
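The Principle 6 bullet above, and the earlier option on third party services, both point at the same supply chain problem: a third party library that was reviewed once can be silently replaced or altered before it reaches a build. The following is an added example in Python, not code from the DCMS document or from any app store operator. It shows one mechanical control behind that point: every third party artifact in a build must match the SHA-256 that was recorded when it was reviewed, and anything changed, missing or never pinned fails the build. The lockfile syntax is modelled on pip’s `--hash` requirements, and every library name and byte string below is constructed for the example.

```python
"""Pinned-dependency integrity check (added example; all data constructed)."""
import hashlib
import re
from dataclasses import dataclass, field

# One pin per line: name==version --hash=sha256:<64 lowercase hex chars>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)"
    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str


@dataclass
class Verdict:
    ok: list = field(default_factory=list)          # hash matches the pin
    mismatched: list = field(default_factory=list)  # present, but hash differs
    unpinned: list = field(default_factory=list)    # in the build, never reviewed
    missing: list = field(default_factory=list)     # pinned, but not in the build

    @property
    def passed(self) -> bool:
        # Only "everything pinned and everything matching" is acceptable.
        return not (self.mismatched or self.unpinned or self.missing)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> dict:
    """Parse pins; blank lines and '#' comments are skipped.

    Any other unparseable line raises, so a malformed lockfile can never be
    mistaken for "nothing is pinned" and quietly let everything through.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"lockfile line {lineno}: not a valid pin: {raw!r}")
        name = m["name"].lower()
        if name in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate pin for {name}")
        pins[name] = Pin(name, m["version"], m["digest"])
    return pins


def verify(pins: dict, artifacts: dict) -> Verdict:
    """Compare each built artifact (name -> bytes) against its recorded pin."""
    v = Verdict()
    for name in sorted(artifacts):
        pin = pins.get(name.lower())
        if pin is None:
            v.unpinned.append(name)
        elif sha256_hex(artifacts[name]) == pin.sha256:
            v.ok.append(name)
        else:
            v.mismatched.append(name)
    present = {a.lower() for a in artifacts}
    v.missing = sorted(n for n in pins if n not in present)
    return v


# Constructed library contents as they were when the developer reviewed them.
REVIEWED = {
    "netclient": b"netclient 2.4.1\ndef get(url): ...\n",
    "imagekit": b"imagekit 0.9.0\ndef resize(img, w, h): ...\n",
}
VERSIONS = {"netclient": "2.4.1", "imagekit": "0.9.0"}


def make_lockfile(artifacts: dict, versions: dict) -> str:
    """Record the reviewed hashes in lockfile form (done once, at review time)."""
    lines = ["# third party pins recorded at review time (constructed example)"]
    for name in sorted(artifacts):
        lines.append(f"{name}=={versions[name]} --hash=sha256:{sha256_hex(artifacts[name])}")
    return "\n".join(lines) + "\n"


LOCKFILE = make_lockfile(REVIEWED, VERSIONS)

# Constructed later build: imagekit was altered after review (the appended line
# stands in for injected code) and a library nobody reviewed has appeared.
CURRENT_BUILD = {
    "netclient": REVIEWED["netclient"],
    "imagekit": REVIEWED["imagekit"] + b"import os  # injected after review\n",
    "analytics-sdk": b"analytics-sdk 1.0.0\n",
}


def check_build(lockfile_text: str = LOCKFILE, artifacts: dict = CURRENT_BUILD) -> Verdict:
    return verify(parse_lockfile(lockfile_text), artifacts)


if __name__ == "__main__":
    result = check_build()
    for label in ("ok", "mismatched", "unpinned", "missing"):
        print(f"{label:>10}: {getattr(result, label)}")
    print("build passed" if result.passed else "build FAILED")
```

The check deliberately fails closed: an unparseable lockfile raises rather than yielding an empty pin set, a library that appears without a pin is treated as a failure rather than ignored, and a pinned library that has vanished is reported too, since a dropped dependency can be as telling as a changed one. The same verdict structure is what a store-side submission pipeline would need if it monitored widely shared libraries across many apps, as the Principle 6 bullet suggests.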

18. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

Principle 7: Provide upfront and clear feedback to developers by app stores

  • App store operators should provide a mechanism for developers to receive feedback throughout the app development process, prior to the developer submitting the app for approval. The app store operator can decide how this feedback is provided but it should be detailed and transparent, for example, through a development environment made available by the app store operator.
  • When an app submission is rejected, the app store operator should provide detailed feedback, justifying the rejection of the app, and making clear what elements would need to change in order for the app to be acceptable.
  • When an app store operator removes an app for security or privacy reasons, they shall notify the developer of its removal, and provide feedback explaining the removal.

19. Do you support the inclusion of this principle within the Code of Practice?

  • Yes
  • No
  • Don’t know

Please provide feedback on your answer, including on the wording of the principle, in the box below alongside your reasons and any evidence. (300 words)

20. Are there any principles missing from the current version of the Code of Practice?

  • Yes
  • No
  • Don’t know

[If answered yes] Please set out any new principles that you think should be included and explain why. (300 words)

Other feedback

21. Do you support the commencement of work to explore how the Code of Practice’s requirements could potentially be mandated in the future? (Noting that around the globe, there are various investigations and regulatory initiatives being progressed that have the potential to impact the regulatory system around mobile app stores).

  • Yes
  • No
  • Don’t know

Please provide reasons for your answer. (300 words)

22. Thank you for taking the time to complete the survey. We really appreciate your time. Is there any other feedback that you wish to share?

  • Yes
  • No
  • Don’t know

[If yes], Please set out your additional feedback in the box below. (500 words)

  1. Applications, or apps, are defined in this document as non-integral software packages that can run on a user’s device to add custom functionality or obtain specific content. 

  2. Apps are typically downloaded by consumers and managed via digital stores, known as app stores. App stores make apps created by multiple developers, not just the store’s operator, available to download, and allow the user to browse for specific apps, such as via search functionality. Web applications are an exception to this, as they rely purely on web technologies, and only run within the browser. 

  3. Websites which serve as portals that allow users to browse for apps but do not directly host the software, instead linking to other platforms where users can download apps, were not in scope for this review. An official app store is an app store provided by the platform developer, such as Apple for iOS and Google for Android, or by the original equipment manufacturer (OEM), such as the Samsung Galaxy Store on Samsung Galaxy mobile devices. While official app stores are typically pre-installed on a device in the case of mobile devices, third party app stores, which are provided by third parties, require users to install them separately. 

  4. Malicious apps are defined as apps which perform activity or acquire data beyond the stated purpose of the app and definitions in the privacy policy. 

  5. This review was carried out by the Department for Digital, Culture, Media & Sport (DCMS). DCMS worked closely with the National Cyber Security Centre (NCSC) to gather evidence and test proposals. 

  6. User safety is not in scope of this review, nor is the security of app store platforms or policy around competition linked to digital markets. However, these areas are addressed within wider Government activity and are described in greater detail in Chapter 2. 

  7. As outlined in the description of the NCSC threat report in Chapter 5, these are mobile app stores, IoT (internet of things) voice assistant app stores, IoT smart devices stores and gaming stores. 

  8. App store operators also receive subscription fees from developers who wish to publish on their stores. Apple, for example, charges developers $99 a year to be part of its Apple Developer Program. See: Apple Developer, “Enrollment”

  9. https://www.gov.uk/government/consultations/app-security-and-privacy-interventions 

  10. The proposals suggested in this document will also help to build the UK’s national resilience as set out in the Integrated Review of Security, Development, Defence and Foreign Policy (2021). Specifically, they will contribute to a “whole-of-society” approach to resilience so that individuals, businesses and organisations all play a part in building resilience across the UK 

  11. https://www.gov.uk/government/collections/the-product-security-and-telecommunications-infrastructure-psti-bill-factsheets 

  12. https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy 

  13. https://bills.parliament.uk/bills/3137 

  14. https://bills.parliament.uk/bills/3137 

  15. https://www.gov.uk/government/consultations/a-new-pro-competition-regime-for-digital-markets 

  16. https://www.gov.uk/government/collections/digital-markets-unit 

  17. IBISWorld, “App Development in the UK”, September 2021, p21 

  18. In the case of banking, apps also facilitate open banking, allowing users to easily switch between accounts. 

  19. https://www.gov.uk/government/news/new-one-stop-service-for-govuk-unveiled 

  20. Web applications are an exception to this, as they rely purely on web technologies, and only run within the browser. 

  21. RiskIQ, “2020 Mobile App Threat Landscape Report”, 2021, p4 

  22. RiskIQ, “2020 Mobile App Threat Landscape Report”, 2021, p4 

  23. Mobile devices running Android, for example, are primarily supported by Google’s Play Store, but can also download third party app stores via the web. 

  24. Business of Apps, “App Stores List (2020)”, 10 June, 2021; Wandera “An insight into third party app stores”, 18 February, 2018 

  25. IBISWorld, “App Development in the UK - Market Size 2010-2028”, 6 September, 2021 

  26. IBISWorld, “App Development in the UK” p.7 

  27. Apple - Official Site, “UK iOS app economy has a breakthrough year, grows to support 330,000 jobs”, 15 March, 2021 

  28. 42matters, “United Kingdom App Market Statistics in 2021 for Android”, 42matters, 27 August, 2021 

  29. App Annie, “Winning the Attention War: Consumers in Nine Major Markets Now Spend More than Four Hours a Day”, 8 April, 2021 

  30. IBISWorld, UK Industry Report, “App Development in the UK”, September 2021, p.9 

  31. IBISWorld, UK Industry Report, “App Development in the UK”, September 2021, p.13 

  32. Sensor Tower, “Sensor Tower’s Q2 2020 Data Digest: Global App Ecosystem Sets New Record With 37.8 Billion Downloads”, 16 July, 2020 

  33. GOV.UK, “Consumer Attitudes Towards IoT Security”, December 2020. The question about app store usage was a multi-choice option, so some of the participants may have been using two or more stores to download apps. 

  34. Malware is malicious software intentionally designed to cause harm to a device and its users, such as by stealing data, holding data to ransom or hijacking a device’s resources to mine cryptocurrency or attack other devices as part of a botnet. 

  35. NCSC Assessments Paper 

  36. BBC News, “Iran ‘hides spyware in wallpaper, restaurant and games apps”, 8 February, 2021 

  37. While many ransomware variants for mobile devices lock the victim’s screen rather than encrypting their data, there are examples of mobile ransomware that encrypts data: BleepingComputer, “Lucy malware for Android adds file-encryption for ransomware ops”, 28 April, 2020 

  38. Zscaler, “Joker Joking in Google Play”, 20 June 2021. Confirmation, as well as details of some of the actions that Google has been taking, can be found at Google Security Blog, “PHA Family Highlights: Bread (and Friends)”, 9 January 2020 

  39. Sky News, “East Asian organised crime group preying on British job seekers”, 7 September, 2021 

  40. Unit 42, “Malware XcodeGhost Infects 29 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users”, 18 September, 2015 

  41. Apple Developer, “Validating Your Version of Xcode”, 22 September 2015 

  42. Google Play, “Developer Policy Center”, and Apple Developer, “App Store Review Guidelines”, https://developer.apple.com/app-store/review/guidelines/ 

  43. “2020 Mobile App Threat Landscape Report” p.4 and p.7 

  44. RiskIQ, “2020 Mobile App Threat Landscape Report”, p.3 

  45. Google, “Android Security & Privacy 2018 Year In Review”, March 2019; Apple, “Building a Trusted Ecosystem for Millions of Apps”, June 2021 

  46. Google allows Android users, should they choose to do so, to temporarily turn off the limitation of only downloading apps through the Google Play Store via their standard settings. For iOS, this would require that the device was jailbroken. 

  47. National Cyber Security Centre, “Fake ‘missed parcel’ messages: advice on avoiding banking malware”, 23 April 2021 

  48. Specifically, connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary. 

  49. GOV.UK, “CMA to scrutinise Apple and Google mobile ecosystems”, 15 June, 2021 

  50. GOV.UK, “Mobile ecosystems: market study interim report”, 14 December, 2021, p.375 

  51. GOV.UK, “A new pro-competition regime for digital markets”, 20 July, 2021 

  52. The European Commission, “The Digital Markets Act: ensuring fair and open digital markets” 

  53. Japan Fair Trade Commission, “Closing the Investigation of the Suspected Violation of the Antimonopoly Act by Apple Inc.”, 2 September, 2021 

  54. The operators chosen for this study were selected based on the findings of an Ipsos MORI survey commissioned by DCMS, which indicated that UK consumers predominantly use six app stores: Google, Apple, Microsoft, Samsung, Huawei and Amazon. Five third party app stores (Aptoide, GetJar, UpToDown, APKPure and Cydia) were selected based on research indicating that they are used by many developers. The study involved creating an app with various features to identify what information is provided at the various stages of the app development process. In light of the publication date, there is a possibility that the findings do not reflect the latest position of all eleven app stores. A further limitation was that the app tested across the stores was not submitted for final review. Also, because there is no official record of the repositories Cydia uses for app submissions, not all of the information regarding app submission for Cydia could be gathered. 

  55. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/. The categories of app stores examined in the paper were mobile app stores, IoT (internet of things) voice assistant app stores, IoT smart devices stores and gaming stores, including both stores on gaming consoles and on PC. 

  56. https://www.ncsc.gov.uk/report/threat-report-on-application-stores 

  57. ibid 

  58. ibid 

  59. Ipsos literature review 

  60. https://www.ncsc.gov.uk/report/threat-report-on-application-stores 

  61. WIRED, “How Spies Snuck Malware Into the Google Play Store - Again and Again”, 28 April, 2020 

  62. A prompt response from Fitbit has seen the introduction of a ‘warning message for users within the UI when installing an app from a private link’ and ‘adjusting default permission settings during the authorization [sic] flow to being opted out by default’. All applications uploaded to the Fitbit public store undergo a manual review to determine if the software contains malicious code. However, this does not address those uploaded privately such as in this case. See: Immersive Labs, “Research: Can you build spyware for a Fitbit?”, 9 October, 2020, and Fitbit SDK, “Publishing Guide”, 

  63. Insert URL when available 

  64. Thales, “Thales: building trust in mobile apps: The consumer perspective” 

  65. The National Cyber Security Alliance, “Cybersecurity Awareness Month: Survey Report”, September 2020 

  66. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/978685/Consumer_Attitudes_Towards_IoT_Security-_Research_Report.pdf 

  67. Ipsos literature review 

  68. Ibid. 

  69. Ibid. Privacy information should be presented in a way that people are likely to engage with (from both a developer and a user perspective), without deliberately pushing people towards a particular decision. 

  70. Ibid. 

  71. Ibid. 

  72. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/ As mentioned above, this report was published in August 2021, so there is the possibility it does not reflect the latest position of all the eleven app stores. The app tested across the stores was not submitted for final review, which is when specific security and privacy requirements may be communicated. 

  73. These were Aptoide, GetJar, UpToDown, APKPure and Cydia. There is no official record of the repositories Cydia uses for app submissions, meaning not all of the information regarding app submission could be gathered. 

  74. The twelve features were encryption, advertiser tracking, permissions, code signing, application data, network security, jailbreaking, logging, third party libraries, screen recording, obfuscation, privacy policies and terms and conditions. 

  75. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/ 

  76. Ibid. 

  77. Ibid. 

  78. Ibid. 

  79. As with the developer documentation, these statements on the provision of training material provided by operators reflect the date of the report’s publication in August 2021. It is possible that they may not reflect the latest position of all the eleven app stores. 

  80. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/ 

  81. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/ 

  82. https://www.apadmi.com/insights/blog/how-app-development-across-various-app-stores-uses-security-and-privacy/ 

  83. See https://www.gov.uk/government/consultations/app-security-and-privacy-interventions/literature-review-on-security-and-privacy-policies-in-apps-and-app-stores 

  84. The Government may need to consider how to balance security and digital access to Government apps as the market diversifies to ensure people can access important information and services. 

  85. UK GDPR Article 5(1)(f), 25 and 32. For more information on security requirements and data protection by design and default see: Information Commissioner’s Office, “Guide to the General Data Protection Regulation (GDPR)” and “Data protection by design and default” 

  86. National Cyber Security Centre, “Vulnerability Disclosure Toolkit”, 14 September, 2020 

  87. If developers are processing personal data that is likely to result in a high risk to individuals then a data protection impact assessment (DPIA) should be carried out prior to any processing. A DPIA is one aspect of demonstrating accountability. See: “Guide to the General Data Protection Regulation (GDPR)” 

  88. The Children’s Code links to guidelines 3 and 4 in that it requires that certain functionality, such as geolocation, is off unless the service provider can justify why it should be on by default, taking into account the best interests of the child. See: “Age appropriate design: a code of practice for online services”. Guidance to support the implementation of the Children’s Code can be found here: The Children’s code design guidance, ICO 

  89. See for example, UK GDPR Articles 5(1)(a), 5(1)(f), 24, 25 and 32. 

  90. The Information Commissioner’s Office,“The Children’s code design guidance” 

  91. The Open Web Application Security Project - A non-profit web project which provides free resources primarily on the topic of web security. 

  92. Mobile Security Testing Guide, “Mobile AppSec Verification Standard” 

  93. The ioXt Alliance is a group focused on the security of “internet of things” devices. 

  94. ioXt Alliance, “ioXt 2020 Mobile Application Profile”, 10 December, 2020