# Introduction to the UK website
## Purpose of the article
This report comes from the Department for Digital, Culture, Media & Sport (**DCMS**). It mainly investigates the cyber security and privacy issues associated with apps and app stores, and offers recommendations for improving the security of app stores (e.g. Google Play, App Store).
* Google Play
* Samsung's Galaxy Store, Huawei's AppGallery
* Third-party stores (e.g. Aptoide, F-Droid, GetJar)
* App Store
## 1. Official Android app store
* Google Play
Google Play Store allows users to obtain privacy-related information by getting a list of the permissions that an app requires.

## 2. iOS
### App Store
* “The data is not used for tracking purposes, meaning the data is not linked with Third-Party Data for advertising or advertising measurement purposes, or shared with a data broker.
* The data is not used for Third-Party Advertising, your Advertising or Marketing purposes, or for Other Purposes, as those terms are defined in the Tracking section.
* Collection of the data occurs only in infrequent cases that are not part of your app’s primary functionality, and which are optional for the user.
* The data is provided by the user in your app’s interface, it is clear to the user what data is collected, the user’s name or account name is prominently displayed in the submission form alongside the other data elements being submitted, and the user affirmatively chooses to provide the data for collection each time.”

On average, 50% of apps complete review within 24 hours, and more than 90% within 48 hours. Apple's website claims that 100,000 apps are reviewed every week, of which 40% are rejected, mainly for minor bugs and secondly for privacy issues.
## Third-party stores
### Aptoide
Aptoide uses a malware scanning platform called Aptoide Sentinel; an app that passes this platform carries a trusted-app certification and an accompanying message confirming that it has been scanned.

In this case, potential users are presented with an indication of the number of permissions the app requires and can also obtain an associated list of exactly what they are.
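Both the Google Play note above and the Aptoide description rely on the same underlying data: the `<uses-permission>` entries an app declares in its manifest. The following is an added example, not code from the DCMS report or from any store; it parses a constructed sample `AndroidManifest.xml`, de-duplicates the declared permissions, counts them, and separates the ones Android classifies at the "dangerous" protection level (the subset listed in `DANGEROUS` is assumed from the Android documentation, not taken from the page) so a reviewer can see at a glance which entries warrant a closer look.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions that Android places at the "dangerous" protection level
# (they need a runtime prompt). Assumed from the Android docs; not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical "flashlight" app; not a real app.
# Note the duplicate CAMERA entry, which a naive count would report twice.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def extract_permissions(manifest_xml: str) -> list[str]:
    """Return the distinct permission names declared via <uses-permission>,
    in document order. The android:name attribute is namespaced, so the
    lookup key must carry the full namespace URI."""
    root = ET.fromstring(manifest_xml)
    seen: list[str] = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name and name not in seen:
            seen.append(name)
    return seen


def permission_summary(manifest_xml: str) -> dict:
    """Produce the kind of summary a store listing shows: how many permissions
    the app asks for, and which of them are dangerous-level."""
    perms = extract_permissions(manifest_xml)
    return {
        "total": len(perms),
        "dangerous": [p for p in perms if p in DANGEROUS],
        "normal": [p for p in perms if p not in DANGEROUS],
    }


if __name__ == "__main__":
    summary = permission_summary(SAMPLE_MANIFEST)
    print(f"{summary['total']} distinct permissions requested")
    for p in summary["dangerous"]:
        print(f"  DANGEROUS  {p}")
    for p in summary["normal"]:
        print(f"  normal     {p}")
```

The parser expects a decoded (text) manifest; inside a packaged APK the manifest is stored as binary XML and has to be decoded first. A flashlight app asking for contacts and precise location is exactly the mismatch between declared functionality and requested permissions that the permission list in a store listing is meant to expose to the user.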

### Huawei
Clicking into Permissions shows nothing at all.

* AppGallery four-layer threat detection
“A professional security detection system with malicious behaviour detection, privacy checking, security vulnerability scanning and other functions; manual real-name security verification, with real-person, real-device and real-environment authentication, to ensure app security.”
* Safety Detect toolkit
* SysIntegrity - Monitors the integrity of the app’s running environment (e.g. whether the device has been rooted[footnote 63])
* URLCheck - Determines the threat type of a specific URL.
* AppsCheck - Obtains a list of malicious apps.
* UserDetect - Checks whether your app is interacting with a fake user (unavailable in Chinese mainland)
* WifiDetect - Checks whether the Wi-Fi to be connected is secure (only available in Chinese mainland)
## UK government measures
The NCSC (**UK National Cyber Security Centre**) considers that the most effective way to protect users from malicious and insecure apps, and to ensure that developers improve their practices, is to intervene at the app store level; this is part of the UK government's £2.6 billion National Cyber Strategy.
**What the UK government wants to achieve**:
* Security (and privacy) are prioritised, reducing the threat from malicious apps.
* Security and privacy information is clearly communicated to, and accessible by, app users.
* Any future regulation that changes the app ecosystem should understand its impact on cyber security.
* Once a vulnerability is found in an app, it is easy to report and is resolved quickly, minimising the risk to users.
**Code of practice for app stores**:
1. Ensure that only legitimate apps that meet security and privacy best practice reach the app store
2. Implement a vulnerability disclosure process
3. Keep apps updated to protect users
4. Provide important security and privacy information to users in an accessible way
5. Enterprise app stores should be secured when they are offered
6. Promote security and privacy best practice to developers
## Testing standards
1. The OWASP Mobile App Security Requirements
2. ioXt Alliance
## References
1. https://www.gov.uk/government/consultations/app-security-and-privacy-interventions/app-security-and-privacy-interventions#proposed-interventions
2. https://www.gov.uk/government/consultations/app-security-and-privacy-interventions/literature-review-on-security-and-privacy-policies-in-apps-and-app-stores#the-user-perspective
3. https://www.ncsc.gov.uk/
4. National Cyber Strategy 2022: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1053023/national-cyber-strategy-amend.pdf