People downloading apps to smartphones, games consoles and TVs will be better protected from hackers under new government plans to boost security standards.
A new report on the threats in app stores, published today by the National Cyber Security Centre (NCSC), has shown that people’s data and money are at risk because of fraudulent apps containing malware created by cyber criminals, or because of poorly developed apps.
The report found all types of app stores face similar cyber threats and the most prominent problem is malware: corrupted software which can steal data and money and mislead users.
For example, last year some Android phone users downloaded apps which contained the Triada and Escobar malware on various third-party app stores. This resulted in cyber criminals remotely taking control of people’s phones and stealing their data and money by signing them up for premium subscription services without the individual’s knowledge.
To provide better protection for consumers, the government is launching a call for views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.
Under new proposals, app stores run by the likes of Apple and Google could be asked to commit to a new code of practice setting out baseline security and privacy requirements in a world first.
The proposed code would also require stores to have a vulnerability reporting process for each app so flaws can be found and fixed more quickly.
They would need to share more security and privacy information in an accessible way including why an app needs access to users’ contacts and location.
“Our threat report shows there is more for app stores to do, with cyber criminals currently using weaknesses in app stores on all types of connected devices to cause harm”, NCSC Technical Director Ian Levy said.
The code comes after the government review of app stores launched in December 2020 which found some developers are not following best practice in developing apps, while well-known app stores do not share clear security requirements with developers.