The UK government is considering new proposals to make downloading apps from app stores more secure.

It follows a new report by the National Cyber Security Centre (NCSC) that highlights the risk of fraudulent apps containing malware created by cyber criminals, and of poorly developed apps which can be compromised by hackers exploiting weaknesses in software.
The UK app market is worth £18.6 billion. But there are few rules governing the security of the technology or the online stores where they are sold.
The government is now calling for views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.
Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements. This would be the first such measure in the world.
The code follows a government review of app stores launched in December 2020 which found some developers are not following best practice in developing apps, while well-known app stores do not share clear security requirements with developers.
The new proposed code would require stores to have a vulnerability reporting process for each app so flaws can be found and fixed more quickly. They would need to share more security and privacy information in an accessible way, including why an app needs access to users’ contacts and location.
The eight-week call for views will run until June 29 2022. App developers, app store operators and security and privacy experts are encouraged to provide feedback to inform the government’s work in this area.
Following the call for views, the government will review the feedback provided and will publish a response later this year.
Systemic cybersecurity issues
Last year some Android phone users downloaded apps from various third-party app stores which contained the Triada and Escobar malware. This resulted in cyber criminals remotely taking control of people’s phones and stealing their data and money by signing them up for premium subscription services without the individual’s knowledge.
NCSC technical director Ian Levy said: “Our devices and the apps that make them useful are increasingly essential to people and businesses and app stores have a responsibility to protect users and maintain their trust.
“Our threat report shows there is more for app stores to do, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause harm.
“I support the proposed Code of Practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”
The app stores call for views is part of the government’s £2.6 billion National Cyber Strategy to ensure the UK is more secure online, and sits alongside other UK safeguards for people using internet-connected devices.
A new product security law making its way through parliament will place new requirements on manufacturers, importers and distributors of consumer tech. They will have to ban easy-to-guess default passwords in devices and make manufacturers transparent about the length of time products will receive security updates alongside providing a vulnerability disclosure policy.








