Government proposes ‘world-first’ new security regime for app stores
Consultation launched on code of practice for Apple, Google and others – although adherence would be voluntary
The government has proposed the implementation of what it describes as first-of-its-kind security rules for app stores – although adherence would remain on a voluntary basis.
A consultation has been launched on plans to introduce a “robust set of interventions” to protect consumers from “malicious apps”, including those designed to defraud users and infect their devices with malware.
“The main intervention the government is proposing at this initial stage is a voluntary code of practice for all app store operators and developers,” said the Department for Digital, Culture, Media and Sport. “This is because we recognise that the most effective current way of protecting users at scale from malicious and insecure apps, and ensuring that developers improve their practices, is through app stores.”
The makers of the smartphone market’s two dominant operating systems, Apple and Google, would – voluntarily – be subject to the new code, as would the operators of all other app stores for mobile devices, televisions and games consoles, the government said. This will include Amazon, Microsoft, Huawei and Samsung.
The code they will potentially be asked to sign up to will set out “baseline security and privacy requirements”, and would also require signatories to implement a “vulnerability reporting process for each app so flaws can be found and fixed quicker”.
Platforms will also be asked to provide more – and more accessible – information on “why an app needs access to users’ contacts and location”.
The proposals were announced in light of a new report from the National Cyber Security Centre that “identifies systemic vulnerabilities that have been used by attackers to exploit app stores”.
NCSC technical director Ian Levy said: “Our devices and the apps that make them useful are increasingly essential to people and businesses and app stores have a responsibility to protect users and maintain their trust. Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm. I support the proposed Code of Practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”
The consultation process on the code of practice and other potential government interventions is open for responses until 11.45pm on 29 June. All “stakeholders” in the app store sector are invited to participate, with DCMS especially keen to hear “from developers on the review and feedback processes they have encountered when creating apps on different app stores”.
Julia Lopez, minister for media, data and digital infrastructure, said: “Apps on our smartphones and tablets have improved our lives immensely – making it easier to bank and shop online and stay connected with friends. But no app should put our money and data at risk. That’s why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”