On 9 December 2022, the UK Government published a code of practice for organisations or persons involved in the development and operation of apps, app stores, and app platforms. The code – which follows the UK Government's consultation earlier this year on enhanced security and privacy requirements for firms running app stores and developers making apps – aims to protect and promote the UK digital economy by improving cyber resilience and technological security across the economy.
The code applies to persons and organisations responsible for:
- Operating app stores (app store operators).
- Creating or maintaining apps (app developers).
- Producing the operating system, default functionality and the interface “that enables third parties to implement additional functionality, such as through apps” (platform developers).
The code does not apply to business-to-business application programming interface (API) providers, as the UK Government deems it within the developers' responsibility to understand what API codes/services they use in their apps.
The scope of the code's applicable responsibilities varies depending on the role of the relevant stakeholder, as set out below. The government has also indicated that it may expand the code to cover software development kit (SDK) providers in the future, as part of the code's biennial review process.
Responsibilities of app store operators
The majority of the code’s responsibilities apply to app store operators, which are required to ensure only apps that meet the code's requirements are allowed on the app store. In particular, app store operators are required:
- To set out the code's requirements in a freely accessible area of the app store for developers, and to implement a vetting process for app submissions and updates.
- To provide an overview of the security checks for apps and updates in a publicly accessible location.
- To implement an app reporting system to flag malicious apps (i.e. apps that aim to illegally take user data, money, or control of their device, outside of the understood purpose of the app, or apps that make a user or device undertake illegal activity) or fraudulent copies of legitimate apps.
Upon verifying that an app is malicious, app store operators must make the app unavailable on the app store as soon as possible and, in any event, within 48 hours. They must also notify the relevant app developer that their app has been made unavailable, and review other apps that have been produced by the same developer. The code also requires app store operators to consider working with independent parties to assess app security and privacy.
The code also recognises the use of private app stores, which are app stores curated by organisations for their employees. App store operators that provide such private platforms are required to ensure the platforms are protected from malicious actors who may use the mechanism for creating enterprise app stores to distribute malicious apps or as a backdoor into their customers' organisations.
Shared responsibilities between stakeholders
App store operators also share certain overarching responsibilities with app developers, with distinct roles for each stakeholder as follows:
App store operators and app developers:
- Vulnerability disclosure process: App store operators and app developers are required to implement a vulnerability disclosure process for app stores and apps respectively. App store operators are additionally required to check each app they have made available on their store for the presence of such a process, and to remove apps if vulnerabilities have been identified but have not been acknowledged by app developers within 30 days from the date of identification.
- Security and privacy information: App developers are required to provide information regarding the storage, sharing and processing of users' data, the permissions an app may request (e.g. access to a user's microphone, contact list, etc.) and the justification for such permissions. App store operators are required to display such information for all apps in their app store, and to notify users when an app has been removed from the app store, along with instructions on how to remove such apps from their devices within 30 days.
- Personal data breaches: Upon becoming aware of a personal data breach in an app, app store operators and app developers are required to inform other stakeholders, such as app developers, app store operators, and library/SDK developers. App developers are primarily responsible for assessing the impact of the breach and for complying with notification requirements under the UK GDPR, and app store operators should consider whether to make an affected app unavailable to users.
The code also flags key requirements of the UK GDPR and Data Protection Act 2018 applicable to app store operators and app developers, such as controller and processor responsibilities, security requirements, data protection by design and default, personal data breach responsibilities, and transparency requirements.
App developers and platform developers:
App developers and platform developers share a responsibility to ensure that apps adhere to baseline security and privacy requirements, including through:
- The use of industry standard encryption.
- Non-bundling of an app's optional functionalities with its primary functions.
- Complying with security and privacy by design and default requirements as set out in UK data protection law.
- Implementing processes and mechanisms to uninstall the app, update and monitor the app for vulnerabilities, and for users to exercise rights of erasure.
- Enabling app store operators to view and cross-check the permissions and privileges requested by the app.
General responsibilities of all stakeholders
The code introduces a general responsibility on app store operators, app developers and platform developers to ensure apps are kept up to date. App developers and platform developers are required to provide updates to:
- Fix security vulnerabilities.
- Reflect updates from third party libraries or SDKs, if components from such third parties or SDKs are incorporated in the relevant apps.
App store operators are required to contact app developers and platform developers every two years for updates, and to remove the app from the app store if no response is received within 30 days.
The code also provides a channel for all stakeholders to provide information or evidence that indicates that an organisation or individual has poor app security and/or privacy practices in place to the UK data protection regulator for a potential investigation.
Next steps and practical takeaways for organisations
The code is voluntary. Although non-compliance with the code is not a violation of UK data protection law in and of itself, the code provides an opportunity for organisations to differentiate themselves by publicly affirming that they comply with the code.
For now, organisations should first assess whether they can be classified as an app store operator, app developer and/or platform developer, in order to evaluate the full range of responsibilities applicable to them under the code. App store operators, apart from being responsible for most of the obligations under the code, will also be subject to additional oversight: the UK Government has stated that it will initially focus on app store operators' adherence to the code, and they may be requested to attend meetings and provide written reports to the UK Government on their compliance with the code in 2023.
"Our devices and the apps we rely on are increasingly essential to everyday life, and it's important that developers and app store operators take steps to protect users." – Paul Maddinson, Director of National Resilience and Strategy, National Cyber Security Centre