App security and privacy interventions
Read the full outcome
Detail of outcome
In May 2022, the government launched a public consultation on app security and privacy interventions. The proposals included the introduction of baseline security and privacy requirements for application (“app”) developers and app store operators via a voluntary Code of Practice.
The government received 59 responses. The vast majority of respondents supported all principles within the voluntary Code of Practice and the need for the Code. There was broad support for commencing work to explore how the Code could be put on a regulatory footing in the future. The government has taken on board respondents’ feedback to produce the updated Code and determine our next steps. Details of the replies received to the consultation and the government’s response are contained in the attached document.
For more information, please see:
- the updated Code of Practice for App Store Operators and App Developers
- the press notice
- the written ministerial statement to Parliament
Further information on the government’s work in this area can be found in the app security and privacy document collection.
Original consultation
Consultation description
Apps are increasingly essential to everyday life as they provide users with the ability to access important services using various devices, such as smartphones, game consoles, fitness devices and smart TVs. They can be downloaded through various methods, including from app stores operated by either the official software supplier or manufacturer of a device and those operated by third parties. It’s vital that apps are built to security and privacy best practice to protect the data and privacy of individuals and organisations.
The UK government conducted a review into the app store ecosystem from December 2020 to March 2022. The review found that malicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps. All app stores share a common threat profile with malware contained within apps the most prevalent risk. Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.
This government’s intention is to ensure consumers are protected from online threats by taking forward a robust set of interventions which are proportionate, pro-innovation and future-facing. The review therefore explored various options to address these challenges. The main intervention the government is proposing at this initial stage is a voluntary Code of Practice for all app store operators and developers. This is because we recognise that the most effective current way of protecting users at scale from malicious and insecure apps, and ensuring that developers improve their practices, is through app stores.
Read more in the press notice.
We are holding a call for views on this approach for eight weeks until Wednesday 29 June 2022 to help gather feedback on the proposed interventions, including the draft Code of Practice. Stakeholders are encouraged to provide their views on the proposed interventions, including the content of the proposed Code and whether additional proposals should be taken forward. The government would also welcome views, particularly from developers, on the review and feedback processes they have encountered when creating apps on different app stores. Moreover, we would welcome any data which illustrates the financial and wider impact of implementing the Code of Practice. Participants will have the opportunity to identify themselves when they submit their responses, or be anonymous.
The feedback will inform UK government policy and our next steps. Depending on the feedback received, we may look to publish the Code later in the year, alongside exploring and taking further other interventions outlined in this report.
There are a number of other documents being published to support this call for views:
- A literature review on security and privacy policies in apps and app stores (see document below)
- A National Cyber Security Centre threat report on application stores
- A report by Apadmi on security and privacy in app development across different app stores
This work is part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online, and ensure citizens are secure and confident their data is protected.
Documents
Updates to this page
Last updated 9 December 2022 + show all updates
-
The government's response to the call for views has been added.
-
First published.