
DCMS launches consultation on intervention into app security and privacy

Published on 28 July 2022

The question

Will a new voluntary Code of Practice encourage better practices amongst app developers and operators to tackle cybercrime?

The key takeaway

The Department for Digital, Culture, Media & Sport (DCMS) has launched an open consultation on the government’s intervention plans concerning the improvement of security and privacy measures relating to apps and app stores. The consultation will influence UK government policy and will shape guidelines within a proposed voluntary Code of Practice aimed at promoting best practice within the app industry.

The background

Between December 2020 and March 2022, as part of the UK’s National Cyber Strategy, the government conducted a review of the app store ecosystem which found that malicious apps and rudimentary development were the primary areas of concern. This was supported by a report published by the National Cyber Security Centre (NCSC) which identified malware as the most prominent threat to app stores, highlighting in particular the risks to users’ sensitive data, which could lead them to fall victim to cybercrime.

The review found that some app developers are not following best practice when engineering apps and that app store operators are not effectively collaborating with developers. In particular, there is not enough direction on app development requirements, and many developers are not being given the rationale for the rejection of their app.

The development

On 4 May 2022, the DCMS launched an open consultation directed at the tech industry. The consultation seeks to consolidate the government’s intervention plans to tackle security and privacy concerns relating to apps and app stores. The overarching aim of the intervention is to promote safety amongst internet users and ensure their data is protected.

The App Security and Privacy Interventions Consultation Paper outlines the government’s proposed policy interventions. These include a voluntary Code of Practice for App Store Operators and Developers that seeks to emphasise the obligations which operators and developers have under Article 25 UK GDPR. The Code will apply to various stakeholders in the app industry with a view to providing clear guidelines for best practice whilst allowing for some flexibility over how compliance is ensured within each area. Despite the Code being voluntary, the government will encourage adherence to its principles by offering incentives.

Some of the guidelines in the proposed Code include:

  • the implementation of robust vetting processes when considering the approval of app submissions and the removal of malicious apps
  • the creation of a vulnerability disclosure process to ensure flaws are found and fixed quickly
  • provisions for regular app updates to tackle threats to security
  • accessible display of security and privacy information to promote user awareness, including information on why an app needs access to a user’s contacts and location, and
  • measures for better liaison between app stores and developers to ensure security and privacy best practices are well communicated.

Why is this important?

It is clear the government is taking its duty to protect UK citizens from cybercrime very seriously. One of the key areas seems to be encouraging operators to provide developers with constructive feedback processes that will eventually spur on app development that properly protects the user.

This is why app developers are considered a key stakeholder in the consultation. The DCMS has stated that the results of the consultation will influence UK government policy. Depending on the feedback received, the government may look to publish the Code of Practice later in the year, whilst simultaneously taking measures on other interventions outlined in the Paper. 

The consultation closes on 29 June 2022.

Any practical tips?

This consultation could become a watershed moment in the future direction of government intervention into app development. Both developers and platforms alike should consider actively engaging with the government through the feedback loop this process provides.