UK government puts pressure on IT sector to clean up app security

The government is calling on the IT sector to address security weaknesses in the app stores used by millions to add functionality to their smartphones, tablets and other internet-connected devices.

While apps provide a convenient way for consumers to download new functionality to their devices, research from the National Cyber Security Centre (NCSC) has highlighted the risk of using fraudulent apps that contain malicious malware created by cyber criminals, or poorly developed apps that can be compromised by hackers exploiting weaknesses in software.

The UK app market is worth £18.6bn, but there are few rules governing the security of the technology or the online stores where apps are sold. Attacks can occur through official app stores that are supposed to vet applications and third-party app stores, and where apps are downloaded directly to devices via non-official backdoors or by jail-breaking device security measures.

“Devices and the apps that make them useful are increasingly essential to people and businesses, and app stores have a responsibility to protect users and maintain their trust,” said NCSC technical director Ian Levy. “Our threat report shows there is more for app stores to do, with cyber criminals currently using weaknesses in app stores on all types of connected devices to cause harm.”

While the majority of apps are for mobile devices such as smartphones and tablets, the NCSC’s Threat report on application store discussed a number of studies covering app and app store security weakness on internet of things (IoT) devices and PC and games console platforms.

One piece of research highlighted came from security researchers at North Carolina State University and Ruhr-University Bochumwhich in 2021, who found that of the 90,194 Alexa skills they analysed, 358 skills were capable of requesting information that should be protected by a permission application programming interface (API).

While it is not known whether this has been used for malicious purposes, the NCSC report noted that the lack of a permission API could be a potential attack vector, with the ability to publish a skill under any developer name, bypassing permission APIs and making back-end code changes after approval to trigger dormant intentions.

The Samsung app store for its smart TVs is another example cited by the NCSC. In 2017, a security researcher disclosed that he had discovered 40 zero-day vulnerabilities in Tizen, an operating system developed by Samsung for use in smart TVs, smartwatches and mobile devices. The most critical of the vulnerabilities affected Tizen Store, the app store used on devices running Tizen. This vulnerability allowed for remote code execution, through which the researcher was able to push malicious code to his Samsung TV, the NCSC warned.

The UK government has launched a call for views from the tech industry on enhanced security and privacy requirements for app stores and app developers. Under new proposals, app stores for smartphones, games consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements. The proposed code would require stores to have a vulnerability reporting process for each app so flaws could be found and fixed quicker. They would need to share more security and privacy information in an accessible way, including why an app needs access to a user’s contacts and location. 

“Apps on our smartphones and tablets have improved our lives immensely, making it easier to bank and shop online and stay connected with friends,” said cyber security minister Julia Lopez. “But no app should put our money and data at risk. That’s why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”