New app store code of practice aims to strengthen ecosystem cyber security


The UK Government has announced plans for a “world first” code of practice to strengthen security protections across the app market.

Unveiled today, the new voluntary code aims to better protect users from malicious apps available on app stores such as Google Play and the App Store.

The new measures include requiring app developers to introduce processes that enable security experts to report software vulnerabilities and ensure that privacy information is more readily available.

In addition, the code will see the creation of a more “robust and transparent” vetting process for apps, require developers to keep apps up to date, and allow users to use applications even if they choose to disable certain functionalities, such as microphone access or location tracking.

As part of the move, the government said it will work closely with developers and operators to implement the code over a nine-month period. This will include collaboration with organisations including Apple, Google, Amazon, Huawei, Microsoft, Sony and Samsung.

Cyber minister Julia Lopez said the new policy aims to enhance trust in app ecosystems and improve safety.

“We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on,” she said. “Today, we are taking steps to get app stores and developers to keep customers even safer in the online world.”

National Cyber Strategy

The new voluntary rules form part of the government’s National Cyber Strategy, which aims to protect and support the UK’s digital technology sector and strengthen national cyber resilience.

The National Cyber Security Centre (NCSC) has backed the move as a positive step to creating a more transparent and secure app ecosystem for UK consumers and businesses.

“Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and app store operators take steps to protect users,” said Paul Maddinson, director of national resilience and strategy at the NCSC.

“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps,” he added.

Business Applications

The proliferation of malicious software on app stores has raised concerns for both consumers and business users in recent months. Research from Malwarebytes in November found that the Google Play store, for example, featured apps which infected devices with malware and malicious pop-up ads.

In total, the study found that just four malicious apps were downloaded over a million times by Android users.

This issue hasn’t gone unnoticed by operators either. Earlier this year, Android announced new policies for the Play Store which aimed to mitigate security risks and force developers to update older apps.

For larger businesses, operating within a monitored and regulated applications environment provides a degree of security to mitigate threats and allow the use of safe, authorised apps.

However, small businesses and start-ups increasingly rely on a range of open source applications to support operations, from managing aspects of their business to boosting productivity and communications.

Michael White, technical director and principal architect at the Synopsys Software Integrity Group, told IT Pro that the new code of practice could address lingering security concerns around the use of open source software by small businesses.


“This new code of practice promotes a sensible baseline and can be achieved using a variety of automated approaches and off-the-shelf tools to help developers achieve compliance in a non-intrusive way,” he explained.

“What should not be overlooked is the importance of transparency in the software supply chain. This includes exchange of Software Bill of Material (SBOM) information which may allow both app developers as well as app store operators to understand when an application component vulnerability exists, and alert app developers to the fact that a security review or upgrade may be needed.

“A good example of the need for SBOM transparency was highlighted by the widely known Log4J vulnerability last year; however, this was by no means an isolated occurrence: newly disclosed security vulnerabilities for open source software components are entered into public vulnerability databases every single day, many of which are of lower impact but some are occasionally quite severe.”
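The SBOM exchange White describes works in practice by matching the components listed in an app's SBOM against a vulnerability feed. The following is an added example (not code from the article or from Synopsys) using a constructed CycloneDX-style SBOM and a constructed advisory feed with placeholder identifiers; it assumes plain numeric dot-separated version strings.

```python
# Added example: flag SBOM components that fall inside an advisory's affected
# version range. SBOM and advisory data below are constructed sample data.

# Minimal CycloneDX-style SBOM as a Python dict (constructed sample).
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "com.squareup.okhttp3", "name": "okhttp", "version": "4.9.3"},
        {"group": "com.google.code.gson", "name": "gson", "version": "2.8.9"},
    ],
}

# Constructed advisory feed. Ranges use [introduced, fixed) semantics, i.e. the
# "fixed" version itself is not affected. Identifiers are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "group": "com.google.code.gson", "name": "gson",
     "introduced": "2.0", "fixed": "2.8.9", "severity": "low"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically
    (as strings, '2.9.9' would sort above '2.15.0'). Assumes numeric components."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Return (component coordinate, advisory id, severity) for every match."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            if (comp["group"], comp["name"]) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                coord = f'{comp["group"]}:{comp["name"]}@{comp["version"]}'
                hits.append((coord, adv["id"], adv["severity"]))
    return hits


if __name__ == "__main__":
    for coord, adv_id, severity in find_vulnerable(SBOM, ADVISORIES):
        print(f"{severity.upper():8} {coord} affected by {adv_id}")
```

Only log4j-core is reported: gson 2.8.9 equals the advisory's fixed version and so sits outside the affected range, which is the edge case a naive string comparison would get wrong.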

Mark Lamb, CEO of HighGround, welcomed the decision, adding that the new code of practice will help improve transparency and place a stronger focus on robust security practices across the UK's app market.

“This is definitely a good thing, particularly for the Google Play store, because Apple is already very strict around its own App store,” he said.

“It will significantly increase the burden on developers to be more transparent on how apps are built, which in turn will allow consumers to make more informed decisions on app purchases, which they previously might not have questioned.”

Stuart Smith, partner and corporate and commercial lawyer at Simkins, echoed Lamb’s comments. However, he questioned how the new rules might be enforced given their status as a voluntary code.

“If implemented thoroughly, the code should result in cleaner app stores, with greater visibility for apps that are transparent about their functionality, comply with baseline security requirements, and are regularly updated,” he said.

“The DCMS say there will be a nine-month period for adherence, and that they will initially focus on assessing adherence by app store operators, but this is still clearly described as a voluntary code, and so it remains very unclear what, if anything, DCMS can really do if app store operators choose not to adhere to the code,” Smith added.

Ross Kelly
News and Analysis Editor