On December 9, 2022, The UK government published a response to the Call for Views and the Code of Practice for App Store Operators and App Developers. This voluntary Code of Practice sets out guidelines on what app store operators and developers should be doing to protect the privacy and security of consumers and businesses.
These guidelines include 8 key principles to guide best practice as a standard for app development, app store security, practice, and compliance.
The current market standard for mobile and web application security focuses on scanning the following for security and privacy vulnerabilities:
- Native code
- Embedded third-party open-source software development kits (SDKs)
- Embedded third-party commercial SDKs
As of today, there is no market-ready mobile application security solution that can analyze data collected by the SDK – including application programming interfaces (APIs) and Android frameworks – and categorize the data by type.
How can OneTrust help you comply?
OneTrust has developed a new Android SDK scanner specifically for compliance with Google Play Data safety, which also supports the new UK government Code of Practice, ensuring compliance with the eight key principles as outlined below:
Principle 1: Ensuring your app meets the code’s security and privacy baseline requirements for the Google Play store
You can now easily identify the user, device and network data that your Android app third-party libraries collect and share, checking whether the data in transit is encrypted, as well as the types of permissions the app is using.
All of this can be done without the need to cross reference the app’s data collection and sharing behaviors with third-party SDKs and API documentation, saving you considerable time and money.
Principle 2: Ensuring your app complies with the baseline security and privacy requirements
Mobile app developers can now verify and trust whether the third-party SDK documentation is accurate and is doing what it says when it comes to data collection by third-party code. Not all third-party SDK’s and API’s have documentation, and most are not up to date or accurate, but using the new SDK scanner, you will learn just how accurate or inaccurate these documents are. This will also help with completing and reviewing third-party Data protection impact assessments (DPIA).
Another feature of the scanner includes the ability to detect whether the permission is being used by first and or third-party code. This will help you determine if an app is unknowingly giving more data access to a third-party SDK.
Principle 3: Implementing a vulnerability disclosure process
The new SDK scanner now supports extensive coverage of open-source Android libraries and frameworks used by your app. This feature is useful as you will now be able to quickly review your apps libraries and frameworks (and versions) against the National Vulnerability Database (NVD) for vulnerabilities.
Principle 4: Keeping apps updated to protect users
As with principle three, developers will not only be able to disclose vulnerabilities but also update their apps when vulnerabilities are discovered. The new SDK scanner will help developers identify and update their apps third-party libraries and remove deprecated or non-supported (i.e., vendor has been acquired or doesn’t exist anymore) SDKs and APIs.
Principle 5: Providing important security and privacy information to users
A primary feature of the new SDK scanner is the ability to export a CSV file. This is the only file format supported by the Google Play Console. This feature will significantly reduce the manual analysis work of identifying data collection types (and by SDK), which is used to promote user privacy and security awareness on Google Play in the Data Safety section.
Principle 6: Providing security and privacy guidance to app developers
App developers need to be informed about what data can be collected by SDKs, APIs and frameworks built into their apps. SDK and API documents might not be up to date or inaccurate in what data they collect, share and why. The new SDK scanner provides a privacy baseline for the data types collected by each SDK, API, and framework, prior to submission to the Google Play Console.
Principle 7: Supporting clear and transparent feedback to app developers
When submitting your new app or update to an existing app on your Google Play Console, you will be able to use the new SDK scanner to help avoid your app being subjected to an expanded review, which may result in review times of up to seven days or longer in exceptional cases because for example you were unable to report some SDK data collection types.
Principle 8: Ensuring steps are taken when there is a personal data breach
Mobile apps aggregate information, in particular SDKs can collude with each other on data collection and other telemetry data on a device. Some of this information will be transmitted off device encrypted or unencrypted with or without the user’s knowledge, even if they had signed a consent notice. The new SDK scanner can help you scan the use of open-source third-party libraries in the app and compare against the National Vulnerability Database (NVD) for code vulnerabilities (see principle three).
How do we go beyond compliance and help a company’s ROI in the long run?
Manually checking an app to find out what data third-party SDKs are collecting and why is a time-consuming and expensive task. It can take anything from one to five days of specialist resources (depending on the size of the app and the number of calls made by an SDK) to decompile the app, accurately detect every SDK’s data collection behavior, and then categorize them.
With OneTrust’s SDK scanner, these tasks can be completed in a matter of minutes, giving your team time to focus on how to deal with vulnerabilities or non-compliance, decreasing lead time, and improving solution efficiency. Not all mobile SDK scanners are developed equally. Years of research and development by leading mobile app security researchers and engineers have led to the development of a highly accurate and efficient OneTrust Android SDK scanner.
This scanner is very different from what is currently on the market. It not only detects SDKs, APIs, and Android frameworks but also categorizes the data these libraries collect into 14 data categories and 38 data types. This approach to identifying data collection practices will help speed up your Google Play Data safety compliance as well as comply with the UK government’s Code of Practice.
Get in touch to learn more about our new SDK scanner as several new features such as App Comparison are coming in 2023. Request a demo here.
