The Department for Digital, Culture, Media & Sport (DCMS) has outlined proposals for tougher consumer protections against malicious apps. These proposals form part of wider reforms to improve the UK’s cyber resilience, alongside the National Cyber Strategy and the Online Safety Bill, both of which we have previously summarised.

Motivations for the proposal

The National Cyber Security Centre (NCSC) published a new report highlighting the financial, reputational and privacy-related harm caused by apps compromised by malware and by systemic weaknesses in the app store ecosystem.

Those weaknesses include app stores generally having vetting processes that are not robust enough to detect malicious functionality in submitted apps, which gives cyber criminals an opening to distribute compromised or fraudulent software through them. The report also noted that, although app stores on all types of device face a similar threat profile, mobile app stores are targeted the most because of the sheer number of users and the volume of data stored on smartphones.

Julia Lopez MP, a Minister at DCMS, commented that, given the increased reliance on apps in everyday life by both individuals and organisations, it is important that the data and privacy of those users are not compromised.

Key changes proposed 

The government proposes to address the risks to apps and their users by requiring app developers and app store operators to commit to a new code of practice containing security and privacy requirements. The code of practice is built around the following seven principles, each of which also refers to the relevant requirements under data protection law:

  • only legitimate apps that meet security and privacy best practice are allowed on the app store;
  • vulnerability disclosure processes are implemented;
  • apps are kept updated to protect users;
  • important security and privacy information is provided to users in an accessible way;
  • enterprise app stores, where provided, are secured;
  • security and privacy best practice is promoted to developers; and
  • app stores give developers clear and upfront feedback.

Specific proposals outlined within the principles include the introduction of a vetting process for approving app submissions, a channel through which users can report malicious apps, and mechanisms for detecting and reporting fraudulent apps.

DCMS has recognised that any reforms to the regulatory landscape are likely to need revising as the digital market develops. To “future-proof” its current interventions against technological change, it has set out the following four fundamental objectives for apps:

  • security (and privacy) is prioritised, thereby reducing the threat from malicious apps;
  • security and privacy information is clearly communicated and accessible to users of apps;
  • any future regulation that changes the app ecosystem should take account of its impact on cyber security; and
  • vulnerabilities, when identified in apps, are easily reported and quickly resolved to minimise the risk to users.

Consequences of implementation

If the new code of practice is adopted, the government intends to explore, through a public consultation with stakeholders, the challenges and opportunities of making the seven principles mandatory. Any such regulation would initially focus on mobile app stores.

Cooperation with international counterparts will also influence future changes to the UK regulatory landscape as the government works towards building an “international consensus” on app security.

Next steps

The government issued a call for views on the proposals, inviting respondents from industry to submit their comments along with any data illustrating the impact of implementing the new code of practice.

The government is currently reviewing the feedback provided during the call for views, which ended earlier this week, and aims to publish a response later this year.

If you would like to discuss the impact of the proposed reforms in more detail, please contact David Varney or another member of our Data Protection and Cyber Security team.

Written by Pooja Bokhiria