UK Government Seeks Feedback on Malicious Apps Malaise

“The government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”

The nation’s tech industry is being asked for its views on measures to make the app market safer and more secure for consumers.

The UK government is open to feedback on this pernicious theme. It notes that millions of people use apps every day to shop, bank and make video calls and the country’s app market is worth £18.6 billion.

Cyber Security Minister Julia Lopez says: “Apps on our smartphones and tablets have improved our lives immensely – making it easier to bank and shop online and stay connected with friends. But no app should put our money and data at risk. That’s why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”

The announcement comes with a new report on the threats in app stores published by the National Cyber Security Centre (NCSC). That 12-page report shows people’s data and money are at risk because of fraudulent apps containing malware created by cyber criminals, or poorly developed apps which can be compromised by hackers exploiting weaknesses in software.

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements. The government says this would be “the first such measure in the world”.

Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung.

The proposed code would require stores to have a vulnerability reporting process for each app so flaws can be found and fixed more quickly. They would need to share more security and privacy information in an accessible way, including why an app needs access to users’ contacts and location.

There are views already on this announcement from within the tech industry.

Armen Najarian, Chief Identity Officer at Outseer, comments: “Hopefully this call for views will result in new laws being passed, but it’s likely to be a slow process. Until that happens the best defence for consumers is education. There are tell-tale signs of rogue apps, such as poor spelling and grammar or very few user reviews on app stores. For companies, they must deploy brand monitoring, giving them 24/7 scanning capabilities across app stores, social media and URLs, coupled with rapid take down services that can stop rogue apps in their tracks.”

The NCSC report found all types of app stores face similar cyber threats and the most prominent problem is malware.

For example, last year some Android phone users downloaded apps which contained the Triada and Escobar malware on various third-party app stores. This resulted in cyber criminals remotely taking control of people’s phones and stealing their data and money by signing them up for premium subscription services without the individual’s knowledge.

NCSC Technical Director Ian Levy adds: “Our threat report shows there is more for app stores to do, with cyber criminals currently using weaknesses in app stores on all types of connected devices to cause harm. I support the proposed Code of Practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

The code follows a government review of app stores launched in December 2020 which found some developers are not following best practice in developing apps, while well-known app stores do not share clear security requirements with developers.

This call for views is part of the government’s £2.6 billion National Cyber Strategy to ensure UK citizens are more secure online.

The government points out that there are already data protection laws in the UK to protect people’s data and these are enforced by the Information Commissioner’s Office.

A new product security law making its way through parliament will place new requirements on manufacturers, importers and distributors of consumer tech. They will have to ban easy-to-guess default passwords in devices and make manufacturers transparent about the length of time products will receive security updates alongside providing a vulnerability disclosure policy.

The eight-week call for views will run until 29 June 2022. Feedback can be provided here.

Antony Peyton
Antony Peyton is the Editor of eWeek UK. He has 17 years' journalism and writing experience. His career has taken him to China, Japan and the UK - covering tech, fintech and business. Follow on Twitter @TonyFintech.
