New rules for apps to boost consumer security and privacy


Consumers will be better protected from malicious apps that can steal data and money, due to new privacy and security rules for app store operators and developers
Millions of people across the UK use apps on their smartphones, game consoles and smart TVs for a wide range of everyday activities such as work, communication, entertainment and banking.

However, there’s a lack of rules governing the security of apps and the app stores where they are accessed. It means there is a threat that people’s privacy and security could be put at risk because apps containing corrupted software, known as malware, can allow criminals to steal data and money, and mislead users.
Consumers are also often unable to make informed choices when deciding to download an app because they don't have important information such as who has access to their data, or where it is stored and processed.
In response to a call for views earlier this year, the government will request that the app industry signs up to a new code of practice which will boost security and privacy requirements on all apps and app stores available in the UK. The voluntary code of practice for app developers and operators is a world-first and will protect the UK’s app market, with the mobile app market alone generating more than £74 billion in revenue last year. 
The new measures include requiring apps to have a process so that security experts can report software vulnerabilities to developers, making sure security updates are highlighted properly to users and that security and privacy information is provided to users in a clear and easy-to-understand way.
Cyber minister Julia Lopez said: “More people are using apps to pay bills, play games and stay in touch with loved ones, with so much of our day-to-day activities now online.
“Consumers should be able to trust that their money and data is in safe hands when using apps and these measures will not only boost our digital economy but also protect people from fraud.
“We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on. Today we are taking steps to get app stores and developers to keep customers even safer in the online world.”
The government will work with operators and developers to support them with implementing the voluntary code over a nine-month period. This includes companies such as Apple, Google, Amazon, Huawei, Microsoft, LG, Epic Games, Nintendo, Valve, Sony and Samsung.
Alongside this, the Department for Digital, Culture, Media and Sport (DCMS) will work to explore what current laws could be extended to cover apps and app stores and whether regulation is needed to mandate the code in the future.
Under the code, app store operators and developers will need to: 

  • Share security and privacy information in a user-friendly way with consumers. Examples include when an app is made unavailable on an app store, when an app was last updated and the locations where users’ data are stored and processed for each app. 
  • Allow their apps to work even if a user chooses to disable optional functionality and permissions, such as preventing the app accessing a microphone or knowing a user's location.
  • Have a robust and transparent app vetting process in place which ensures only apps which meet the code’s minimum security and privacy rules are published on their stores.
  • Provide clear feedback to developers when an app is not published on their store for security or privacy reasons.
  • Have a vulnerability disclosure process in place, such as a contact form, so software flaws can be reported and resolved without being made publicly known for malicious actors to exploit.
  • Ensure developers keep their apps up to date to reduce the number of security vulnerabilities in apps.

Many developers and operators already follow some of these requirements and those which adopt the code will be able to demonstrate they’re following its principles by declaring this on their company website, app website or app store. The government is collaborating with international partners to develop international support for the code and will explore the possibility of creating an international standard for apps and app stores.

The new voluntary rules are part of the government’s £2.6 billion National Cyber Strategy which aims to protect and promote the digital economy, strengthen the UK’s cyber resilience and ensure businesses have the best security standards in place to protect their users.

Paul Maddinson, NCSC Director of National Resilience and Strategy, said: “Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and store operators take steps to protect users.

“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.”

Rocio Concha, Which? Director of Policy and Advocacy, said: “Apps bring a lot of convenience to our everyday lives, but rogue apps making their way onto the biggest app stores are a security and privacy minefield – putting consumers at huge risk from data theft and scams.

“The government’s announcement of a new voluntary code is a positive step towards making apps more secure. The app market must now be monitored closely for improvements and to check whether tech firms are falling short in protecting consumers.”
