Some developers are ignoring best practices around mobile app security, leaving consumers at risk of cyberattack, the UK’s Digital Minister has said. Julia Lopez’s comments come as app stores and developers are being asked to sign up to a new voluntary code of conduct launched by the government to protect users from malware hidden in unsafe or malicious applications.
The Department for Digital, Culture, Media and Sport (DCMS) has launched what it calls a “world-leading code of practice” for mobile application stores which it says will help stop hackers stealing vital data from smartphones.
In a report, also published today following a consultation on app security, Lopez said a review conducted by DCMS found “malicious and poorly developed apps continue to be accessible to users” of the most popular app stores – Apple’s App Store and Google Play. “Therefore it is evident that some developers are not following best practice when creating apps,” she added.
DCMS releases app store code of conduct
To combat this risk, the new DCMS code of conduct will require apps to have a process for security experts to report software vulnerabilities to developers, and ensure security updates are highlighted properly to users. Security and privacy information will also need to be clearly provided.
Lopez added the launch of the code of practice was designed to dovetail with other measures the government has taken to boost the UK’s cybersecurity, which have included new security measures for connected devices and networks and amendments to NIS regulations, which protect critical national infrastructure.
“We’ve already strengthened our laws to boost security in consumers’ digital devices and the telecoms networks they rely on,” she said. “Today we are taking steps to get app stores and developers to keep customers even safer in the online world”.
Paul Maddinson, director of national resilience and strategy at the National Cyber Security Centre, said: “Our devices and the apps we rely on are increasingly essential to everyday life, and it’s important that developers and store operators take steps to protect users.
“By signing up to this code of practice, developers and operators can demonstrate how they are delivering security as standard, as well as protect users from malicious actors and vulnerable apps.”
The cybersecurity risks posed by mobile apps
Mobile apps are an increasingly popular way to deliver malware, and Tech Monitor recently reported on how the SharkBot banking trojan malware was being spread via fake updates to antivirus and cleaner apps.
There has been a 500% jump in mobile malware delivery attempts in Europe this year, according to research from security company Proofpoint. Common techniques used by criminals include smishing, where victims receive phishing attempts via text, as well as malicious or unsafe application downloads.
Google Play is far more susceptible to infiltration by cybercriminals than the Apple App Store, the report says, because it takes a more open approach than its rival. The platform is currently open to multiple smaller app stores, which allows users to easily sideload apps from anywhere on the internet.