New app store Code of Practice

In December last year, the Department for Digital, Culture, Media and Sport (DCMS) published a new ‘first of its kind’ code of practice aimed at protecting app users. While the code is voluntary, the Government is expecting app store operators and app developers to sign up to it, and the National Cyber Security Centre (NCSC) has noted that following the Code may be a ‘valuable differentiator’ in a competitive app market.

The Code’s release follows a consultation published by DCMS and the NCSC in May last year, and forms part of a broader programme of work under the UK’s National Cyber Strategy. The consultation itself was prompted by a government review of the ‘app store ecosystem’, which included the publication of an NCSC app store ‘threat report’. The review concluded that ‘malicious and poorly developed apps continue to be accessible to users’ and that developers were not following best practice.

The Code’s principles

The Code itself is comprised of eight principles, each said to be ‘important in helping to protect users’ security and privacy’.

The principles include:

• Baseline requirements. Developers’ apps are expected to meet a set of fundamental security and privacy requirements, such as: (i) ensuring that an app’s primary function works even where its optional functionality and permissions (such as providing location data or microphone access) are disabled; (ii) not requesting permissions unless that is functionally required by the app; and (iii) containing a mechanism for requesting the deletion of personal data. Developers are also expected to have a process in place to monitor any software dependencies their app may have for vulnerabilities. The Code requires that app stores only permit applications that meet the Code’s minimum requirements.
  
  
• Security and privacy information. Developers are required to provide app stores with certain information about each app they develop. This information includes: (i) the jurisdictions in which user data will be processed; (ii) details of those who are to be given access to the data; (iii) the purpose for which that data is being used; and (iv) when the app was last updated. The information must be presented in a clear, accessible manner. Furthermore, developers must detail all permissions an app may request (e.g. access to contacts), with a justification as to why each is needed. This information must be displayed to users before they download an app. App store operators are also subject to information requirements. For example, they must inform users when an app has been removed from their store and provide instructions as to deleting it off devices. 
  
  
• Vulnerabilities. Developers are expected to have a process in place for reporting software weaknesses in their apps. App store operators must also have an equivalent process for disclosing vulnerabilities within their store platform, and will be required to delete apps from their store if a developer fails to acknowledge a credible vulnerability report once contacted by the store operator.
  
  
• Personal data breaches. If an app experiences a security incident, Developers are expected to ‘inform other relevant stakeholders’, including app store operators and library/SDK developers, and to signpost instructions to users for them to protect themselves. Operators are required to consider whether to remove the app in light of the incident.

The remainder of the Code's principles address app operators providing developers with clear feedback when apps are rejected, encouraging users to implement security updates, and providing developers with information on security and privacy best practice.

Enforcement

While the code is voluntary, the government intends to meet with a number of large tech companies to determine how they have started to change their processes, and will also request that such companies submit confidential reports detailing their compliance. This approach of targeting the major app store operators is unsurprising, given that adoption by developers will arguably be driven by whether or not app platforms require them to adhere. That said, DCMS has also said it will be considering whether existing laws could be extended to cover apps, or whether the code should be given legal footing. It will be interesting to see whether the Code also gains traction in other ways - for example, whether compliance will be required by customers in development contracts.