Tech industry asked for feedback on measures to make the app market safer and more secure

Although millions of people use apps every day to shop, bank and make video calls, and the UK app market is worth £18.6 billion, there are few rules governing the security of the technology itself, or the online stores where the apps are sold.

The National Cyber Security Centre’s new report on the threats in application stores highlights that people’s data and money are at risk because of fraudulent apps with malicious malware created by cyber criminals or badly developed apps with software vulnerabilities that can be easily exploited by hackers. Therefore, to provide better protection for consumers, the government is calling for views from the tech industry on enhanced security and privacy requirements for both firms running app stores and developers making apps.

Under the new proposals, developers and app stores (for smartphones, game consoles, TVs and other smart devices) could be asked to commit to a new Code of Practice which will set out the baseline requirements for security and privacy.  To help ensure that app flaws can be found and fixed faster, the Code of Practice would require stores to have a vulnerability process for each app. They would also need to share security and privacy information in an accessibly way (including why an app needs access to users’ contacts and location).

This Call for Views – which runs until Wednesday 29 June 2022 – is part of the UK Government’s National Cyber Strategy and sits alongside other tough safeguards for the use of internet-connected devices. The intent is for the consultation document to be the beginning of a much more extensive dialogue between government, industry and international partners to ensure users can securely benefit from apps and make informed decisions on the permissions that they grant to apps.

The document sets out the relevant wider government activities that the proposals made feed into and align with, such as the Product Security and Telecommunications Infrastructure Bill, the National Data Strategy, GDPR, the Online Safety Bill and work to address potential imbalances in digital markets; the benefits and risks associated with the app ecosystem; the regulatory landscape and relevant antitrust cases; and the findings of DCMS’s review into app security and privacy.  

More on the proposed interventions

Although potential changes in the regulatory landscape (outlined in the document) are expected or indeed changes to the app ecosystem could happen, there are four key objectives that government wants to achieve for apps:

1. Security (and privacy) is prioritised, thereby reducing the threat from malicious apps.
2. Security and privacy information is clearly communicated and accessible to app users.
3. Any future regulation that changes the app ecosystem should understand the impact of cyber security.
4. Vulnerabilities, when detected in apps, are easily reported and quickly resolved to minimise the risk to users.

Government considered the above objectives alongside the following areas when developing the proposed interventions to determine if they would address the issues: effectiveness and measurability; burden on affected stakeholders; barriers to implementation; consistency with international approaches; and equity and impact (on consumers/competition impact on the market.

The Code of Practice

The main intervention that government is initially proposing is a voluntary Code of Practice which sets out practical steps for all app store operators and developers to protect users. This Code would then provide government with an opportunity to mandate the requirements at some point in the future if the risks from malicious/vulnerable apps can’t be mitigated through stakeholder action, of if the risk and threat landscape evolves such that this is necessary.

Although voluntary, the government would seek to put incentives in place to encourage adherence to the seven principles set out in the Code. Those principles are:

1. Ensure only legitimate apps that meet security and privacy best practice are allowed on the app store.
2. Implement vulnerability disclosure processes.
3. Keep apps update to protect users.
4. Provide important security and privacy information to users in an accessible way.
5. Enterprise app stores shall be secured where provided.
6. Promote security and privacy best practice to developers.
7. Provide upfront and clear feedback to developers by app stores.  

The document also sets out accompanying interventions associated with the Code and the importance of international cooperation in app security so that app store operators are not burdened with having to tail their platforms and practices for many different countries.

You can access the full consultation document here.

techUK will be submitting a response to this Call for Views on behalf of members, so if you would like to provide input to this, please get in touch with Jill Broom via [email protected]

We are hosting a roundtable for members with DCMS on this Call for Views on Thursday 9 June - sign up to attend here!

Dan Patefield

Head of Cyber and National Security, techUK

×

Dan Patefield

Head of Cyber and National Security, techUK

Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.

Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.

Email:

[email protected]

Phone:

020 7331 2165

Jill Broom

Programme Manager, Cyber Security, techUK

×

Jill Broom

Programme Manager, Cyber Security, techUK

Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.

Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments. 

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Twitter:

@honeybroom

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Raya Tsolova

Programme Manager, techUK

×

Raya Tsolova

Programme Manager, techUK

Raya Tsolova is a Programme Manager at techUK. 

Prior to joining techUK, Raya worked in Business Development for an expert network firm within the institutional investment space. Before this Raya spent a year in industry working for a tech start-up in London as part of their Growth team which included the formation and development of a 'Let's Talk Tech' podcast and involvement in London Tech Week. 

Raya has a degree in Politics and International Relations (Bsc Hons) from the University of Bath where she focused primarily on national security and counter-terrorism policies, centreing research on female-led terrorism and specific approaches to justice there. 

Outside of work, Raya's interests include baking, spin classes and true-crime Netflix shows! 

Email:

[email protected]

Phone:

07712630603