Stricter consumer protections against malicious apps

  • Proposals include world’s first code of practice to set minimum security and privacy requirements for app store operators and developers

  • New report released today reveals malicious apps downloaded by hundreds of thousands of users are putting users’ data and money at risk

  • People downloading apps on smartphones, game consoles and TVs will be better protected from hackers under new government plans to boost security standards.

Millions of people use apps every day to shop, bank and video call and the UK app market is worth £18.6bn. But few rules govern the security of the technology or the online stores where it is sold.

A new report on app store threats released today by the National Cyber Security Centre (NCSC) shows that people’s data and money are at risk due to rogue apps containing malware created by cybercriminals or poorly developed applications that can be compromised by hackers exploiting software weaknesses.

To provide better consumer protection, government is calling for tech industry input on enhanced security and privacy requirements for companies that operate app stores and developers who build apps.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice outlining baseline security and privacy requirements. It would be the first measure of its kind in the world.

Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung.

The proposed code would require stores to have a vulnerability reporting process for each app so flaws can be found and fixed more quickly. They would need to share more security and privacy information in an accessible way, including why an app needs access to users’ contacts and location.

Cybersecurity Minister Julia Lopez said:

Apps on our smartphones and tablets have dramatically improved our lives, making it easier to bank and shop online and keep in touch with friends.

But no app should put our money and data at risk. That’s why the government is taking action to ensure that app stores and developers raise their security standards and better protect UK consumers in the digital age.

The NCSC report found that all types of app stores face similar cyber threats, and the biggest problem is malware: corrupted software that can steal data and money and mislead users.

For example, last year, some Android phone users downloaded apps containing Triada and Escobar malware from various third-party app stores. This has led to cyber criminals taking remote control of people’s phones and stealing their data and money by signing them up to premium subscription services without the individual’s knowledge.

The NCSC report concludes that the government’s proposed code of practice will have a positive impact and reduce the risk of malicious apps reaching consumers on different devices.

NCSC Technical Director Ian Levy said:

Our devices and the apps that make them useful are increasingly essential to people and businesses, and app stores have a responsibility to protect users and maintain their trust.

Our threat report shows that app stores need to do more, with cybercriminals currently using weaknesses in app stores on all types of connected devices to cause damage.

I support the proposed code of practice, which demonstrates the UK’s continued intention to address systemic cybersecurity issues.

The code follows a government review of app stores launched in December 2020 which found that some developers are not following app development best practices, while well-known app stores are not sharing clear security requirements with developers.

The call for views on app stores is part of the government’s £2.6bn national cybersecurity strategy to ensure UK citizens are safer online and comes on top of other stringent UK safeguards for people using internet-connected devices.

It is also part of the government’s work leading international efforts to raise awareness of the need for app security and privacy requirements to protect users.

There are already strong data protection laws in the UK to protect people’s data and these are enforced by the Information Commissioner’s Office.

A new Product Safety Act pending in Parliament will impose new requirements on manufacturers, importers and distributors of consumer technology. These include banning easy-to-guess default passwords in devices and making manufacturers transparent about how long products will receive security updates, as well as providing a vulnerability disclosure policy.

People should also follow the National Cyber Security Centre guidance to help secure smart devices.


Notes to editors:

The eight-week call for comments will run until June 29, 2022. App developers, app store operators, and security and privacy experts are encouraged to provide feedback to inform the government’s work in this domain.

Following the call for comments, we will review the comments provided and publish a response later this year. The review complements the government’s forthcoming pro-competition digital markets regime, including the Competition and Markets Authority’s market study on mobile ecosystems, which will create a more dynamic and innovative digital economy across the UK.

Lance B. Holton