UK government ponders tougher rules for dodgy apps

The UK DCMS is waving a potential new ‘code of practice’ in front of tech firms to get their opinions on whether they should be held accountable to it.

The idea seems to be that app stores would be asked to commit to a new code of practice, which  establishes a set of security and privacy requirements for apps on their platforms. It would only be applicable in the UK, and the Department for
Digital, Culture, Media & Sport is keen to point out it would be the first measure of its type in the world.

In practice app stores would be required to set up a ‘vulnerability reporting process’ for each app so flaws, such as backdoor malware vulnerabilities, can be found and fixed. They would also need to share more security and privacy information ‘in an accessible way’ including why an app might need access to users’ contacts and location.

The government has apparently been reviewing app stores since December 2020, and has concluded that some developers are not following ‘best practice in developing apps’ (presumably something the government is acutely tuned into based on the resounding success of its covid ‘test and trace’ app) while app stores ‘do not share clear security requirements with developers.’

This is all part of the government’s £2.6 billion National Cyber Strategy, says the DCMS, and to hammer the point home it cites recent cases of Triada and Escobar malware attacks as examples of why new government measures apparently need to be applied.

The eight-week ‘call for views’ will run until 29 June 2022, and is open for developers, app store operators and security and privacy experts to ‘provide feedback to inform the government’s work in this area.’

“Apps on our smartphones and tablets have improved our lives immensely – making it easier to bank and shop online and stay connected with friends,” said Cyber Security Minister Julia Lopez. “But no app should put our money and data at risk. That’s why the Government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”

NCSC Technical Director Ian Levy added: “Our devices and the apps that make them useful are increasingly essential to people and businesses and app stores have a responsibility to protect users and maintain their trust. Our threat report shows there is more for app stores to do, with cyber criminals currently using weaknesses in app stores on all types of connected devices to cause harm. I support the proposed Code of Practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

The EU has certainly been throwing fits weight around recently with regards to enforcing rules on big tech, but it has a lot more collective weight than the UK . What is being suggested, while broadly sensible on the surface, sounds like it would involve be some pretty big changes for an app store like Google Play, where there are something like 3 million apps available, all for one country. Perhaps some of this will be pointed out to the DCMS by the tech firms they are seeking council with.

Certainly no one thinks its good that malware exists and that there’s no need to take measures to combat it, but here are questions that should be asked whenever the government gets involved in something like this. Do the politicians fully understand the technological concepts they are talking about? Do they comprehend the integrated globalised nature of the app stores they seek to impose new rules on as if they were a borough council? Are they fully tuned in to the state of play in the forever-war between security firms and hackers, and thus able to bring some insight to the table as to what could be done better?

If you answered no to all the above, you might wince rather than applaud the thought of the Government piling clumsily into the ring waving around a set of new laws and barking about codes of practice.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.