
New app store code of practice aims to strengthen ecosystem cyber security

Developers and app store operators will be required to implement more robust security measures

12 December 2022

The UK Government has announced plans for a “world first” code of practice to strengthen security protections across the app market.

The new voluntary code aims to better protect users from malicious apps available on app stores such as Google Play and the App Store.

The new measures include requiring app developers to introduce processes that enable security experts to report software vulnerabilities and ensure that privacy information is more readily available.

In addition, the code will see the creation of a more “robust and transparent” vetting process for apps, require developers to keep apps up-to-date, and allow users to use applications even if they choose to disable certain functionalities, such as microphone access or location tracking.

As part of the move, the government said it will work closely with developers and operators to implement the code over a nine-month period. This will include collaboration with organisations including Apple, Google, Amazon, Huawei, Microsoft, Sony and Samsung.

Cyber minister Julia Lopez said the new policy aims to enhance trust in app ecosystems and improve safety.

“We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks we rely on,” she said. “Today, we are taking steps to get app stores and developers to keep customers even safer in the online world.”

National strategy

The new voluntary rules form part of a national cyber strategy to protect and support the UK’s digital technology sector and strengthen national cyber resilience.

The UK’s National Cyber Security Centre (NCSC) has backed the move as a positive step towards creating a more transparent and secure app ecosystem for UK consumers and businesses.

“Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and app store operators take steps to protect users,” said Paul Maddinson, director of national resilience and strategy at the NCSC.

“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps,” he added.

Business applications

The proliferation of malicious software on app stores has raised concerns for both consumers and business users in recent months. Research from Malwarebytes in November found that the Google Play store, for example, featured apps which infected devices with malware and malicious pop-up ads.

In total, the study found that just four malicious apps were downloaded over a million times by Android users.

This issue hasn’t gone unnoticed by operators either. Earlier this year, Android announced new policies for the Play Store which aimed to mitigate security risks and force developers to update older apps.

For larger businesses, operating within a monitored and regulated applications environment provides a degree of security to mitigate threats and allow the use of safe, authorised apps.

However, small businesses and start-ups increasingly rely on a range of open source applications to support operations, from managing aspects of their business to boosting productivity and communications.

Michael White, technical director and principal architect at the Synopsys Software Integrity Group, told IT Pro that the new code of practice could address lingering security concerns around the use of open source software by small businesses.

“This new code of practice promotes a sensible baseline and can be achieved using a variety of automated approaches and off-the-shelf tools to help developers achieve compliance in a non-intrusive way,” he explained.

“What should not be overlooked is the importance of transparency in the software supply chain. This includes exchange of Software Bill of Material (SBOM) information which may allow both app developers as well as app store operators to understand when an application component vulnerability exists, and alert app developers to the fact that a security review or upgrade may be needed.

“A good example of the need for SBOM transparency was highlighted by the widely known Log4J vulnerability last year; however, this was by no means an isolated occurrence: newly disclosed security vulnerabilities for open source software components are entered into public vulnerability databases every single day, many of which are of lower impact but some are occasionally quite severe.”
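The SBOM exchange White describes comes down to a simple matching step: take the component list an app ships, compare each component's version against the affected ranges in a vulnerability feed, and raise an alert when one falls inside a range. The following Python script is an added illustration of that step; it is not code from the code of practice, from IT Pro or from Synopsys. The SBOM fragment uses real CycloneDX field names (bomFormat, components, group, name, version) but its contents are constructed, and the advisory feed, including the ADV-EXAMPLE identifiers and the version ranges, is a placeholder standing in for a public vulnerability database rather than real advisory data.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical app build.
# Field names follow CycloneDX; the component versions are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
    {"type": "library", "group": "com.example", "name": "analytics-sdk", "version": "3.2.0"}
  ]
}
"""

# Constructed advisory feed. The identifiers and version ranges are placeholders,
# not real CVE data; a real feed would be pulled from a public vulnerability database.
# Ranges are half-open, OSV-style: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "introduced": "2.0", "fixed": "2.13.4", "severity": "high"},     # installed == fixed: not affected
    {"id": "ADV-EXAMPLE-0003", "group": "com.example", "name": "analytics-sdk",
     "introduced": "3.0.0", "fixed": "3.1.2", "severity": "low"},     # installed > fixed: not affected
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Split a dotted version into comparable parts.

    Numeric parts compare as integers; any non-numeric part (e.g. 'beta9') is
    tagged so it sorts below every numeric part at the same position.
    """
    parts = []
    for piece in version.split("."):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when the installed version lies in the half-open range [introduced, fixed)."""
    installed = parse_version(version)
    return parse_version(introduced) <= installed < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is in an affected range.

    Findings are sorted most severe first so a developer sees what needs a
    security review or upgrade at the top of the list.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{comp['group']}:{comp['name']}@{comp['version']}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings


def format_alerts(findings: list) -> list:
    """Render findings as one-line alerts suitable for a developer notification."""
    return [
        f"[{f['severity'].upper()}] {f['component']} is affected by {f['advisory']}; upgrade to {f['fixed_in']} or later"
        for f in findings
    ]


if __name__ == "__main__":
    for line in format_alerts(match_sbom(SBOM_JSON, ADVISORIES)):
        print(line)
```

Run as a script it prints a single critical alert for the log4j-core entry; the other two components sit outside their advisory ranges (one exactly at the fixed version, one beyond it), which is the kind of boundary a matcher must get right so that developers are neither flooded with false alerts nor told an already-patched build is clean. A real pipeline would replace the inline data with the SBOM generated at build time and a feed fetched from a vulnerability database, and re-run the match whenever either side changes.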

Future Publishing


TechCentral.ie