New measures include better reporting of software vulnerabilities and more transparency for users on the privacy and security of apps available on all app stores
Government will work with operators and developers over nine-month period to ensure adoption of voluntary rules
Consumers will be better protected from malicious apps which can steal data and money, thanks to new privacy and security rules for app store operators and developers.
Millions of people across the UK use apps on their smartphones, game consoles and smart TVs for a wide range of everyday activities such as work, communication, entertainment and banking.
However, there’s a lack of rules governing the security of apps and the app stores where they are accessed. It means there is a threat that people’s privacy and security could be put at risk because apps containing corrupted software, known as malware, can allow criminals to steal data and money, and mislead users.
Consumers are also often unable to make informed choices when deciding to download an app because they don’t have important information such as who has access to their data, or where it is stored and processed.
In response to a call for views earlier this year, the government will request that the app industry signs up to a new code of practice which will boost security and privacy requirements on all apps and app stores available in the UK.
The voluntary code of practice for app developers and operators is a world-first and will protect the UK’s app market, with the mobile app market alone generating more than £74 billion in revenue last year.
The new measures include requiring apps to have a process so that security experts can report software vulnerabilities to developers, making sure security updates are highlighted properly to users and that security and privacy information is provided to users in a clear and easy-to-understand way.
Cyber minister Julia Lopez said:
More people are using apps to pay bills, play games and stay in touch with loved ones, with so much of our day-to-day activities now online.
Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy but also protect people from fraud.
We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.
The government will work with operators and developers to support them with implementing the voluntary code over a nine-month period. This includes companies such as Apple, Google, Amazon, Huawei, Microsoft, LG, Epic Games, Nintendo, Valve, Sony and Samsung.
Alongside this, the Department for Digital, Culture, Media and Sport (DCMS) will work to explore what current laws could be extended to cover apps and app stores and whether regulation is needed to mandate the code in the future.
Under the code, app store operators and developers will need to:
Share security and privacy information in a user-friendly way with consumers. Examples include when an app is made unavailable on an app store, when an app was last updated and the locations where users’ data are stored and processed for each app.
Allow their apps to work even if a user chooses to disable optional functionality and permissions, such as preventing the app accessing a microphone or knowing a user’s location.
Have a robust and transparent app vetting process in place which ensures only apps which meet the code’s minimum security and privacy rules are published on their stores.
Provide clear feedback to developers when an app is not published on their store for security or privacy reasons.
Have a vulnerability disclosure process in place, such as a contact form, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit.
Ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.
Many developers and operators already follow some of these requirements and those which adopt the code will be able to demonstrate they’re following its principles by declaring this on their company website, app website or app store.
The government is collaborating with international partners to develop international support for the code and will explore the possibility of creating an international standard for apps and app stores.
The new voluntary rules are part of the government’s £2.6 billion National Cyber Strategy which aims to protect and promote the digital economy, strengthen the UK’s cyber resilience and ensure businesses have the best security standards in place to protect their users.
Paul Maddinson, NCSC Director of National Resilience and Strategy, said:
Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and app store operators take steps to protect users.
By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.
Rocio Concha, Which? Director of Policy and Advocacy, said:
Apps bring a lot of convenience to our everyday lives, but rogue apps making their way onto the biggest app stores are a security and privacy minefield – putting consumers at huge risk from data theft and scams.
The government’s announcement of a new voluntary code is a positive step towards making apps more secure. The app market must now be monitored closely for improvements and to check whether tech firms are falling short in protecting consumers.
Notes to Editors:
App stores are available for various devices, including desktops, smartphones, game consoles, smart TVs, wearable devices and smart speakers.
The full call for views response can be found here
The voluntary Code of Practice for App Store Operators and App Developers can be found here
There is more information in the Written Ministerial Statement to Parliament
DCMS is backing the country’s powerhouse sectors to grow the economy and make a difference where people live.
The digital sector contributes approximately £143 billion to the economy. There are 1,822,000 jobs in the sector, 250,000 more than in 2019 before the pandemic. Exports of services by the digital sector were worth £56 billion in 2020, which is around a fifth of the UK’s total service exports.
As part of the government’s work to boost cyber resilience, it has also today published the second wave of the Cyber Security Longitudinal Study which shows how organisations are making steady progress in adopting cyber security measures, with 85 per cent of businesses and 86 per cent of charities taking action to improve their cyber security in the past 12 months