How have app developers been bypassing app store security?


COVID-19 App Developers Discover Loophole in App Store Regulations

Given the challenges the world is facing due to the COVID-19 pandemic, app developers have been quick to create digital solutions to help people manage their health and, potentially, slow the spread of COVID-19. But they have also been equally fast in spotting a loophole in app store security, in order to get their apps to market.

Apple’s App Store requires a COVID-19 app to have been developed in partnership with the NHS, or requires documentation from the NHS showing that they have authorised the distribution of the app’s content. The Google Play Store has also put similar requirements in place for any app claiming to be COVID-19 related.

To avoid these restrictions, app developers have spotted that, by entering their app under the category of ‘COVO 19’, they can bypass the app store requirements that apply to apps appearing under ‘COVID 19’.

But should we be concerned by this move? As an independent assessor of health and care apps, ORCHA has reviewed 17 of the COVID-19 apps available on the Apple App Store and the Google Play Store. Cumulatively, these apps have been downloaded over 1,580,000 times on Google Play alone.

The outcome of our reviews has revealed that, yes, we should be concerned about the quality of COVID-19 apps, as it is very mixed. It also revealed that the steps taken by app stores have failed, not just because developers found a workaround, but also because one NHS app was not listed under COVID-19, and because the apps that do not meet the stores’ criteria actually achieve a higher ORCHA Score than the apps that do.

Almost 60% of all COVID-19 apps reviewed scored below ORCHA’s quality threshold. Whilst some apps performed particularly well, many apps hovered just above or below the cut-off score, and some apps achieved dangerously low scores. The few apps that managed to enter app stores using the ‘COVO 19’ loophole achieved an average score of 71.6%. This is around ten percentage points higher than the average score achieved by all COVID-19 apps reviewed by ORCHA.

Looking at why apps achieved these scores, the strongest results were seen in User Experience, with the average score in this review domain being 76%. This is good to see, as, for an app to be used by all, it must be easy to use.

Data Privacy is where the biggest weaknesses lie. The average score for COVID-19 apps in this review domain is 55%. This is of concern and requires action: if we are asking people to use an app, they need a very clear understanding of how secure their data is, so that they can make an informed choice as to when to use the app and what data to share.

It is to be expected that, due to the unprecedented nature of COVID-19, Clinical Assurance scores might not be as high as those of the non-COVID apps that we have reviewed; the average score here was 57%.

The challenge remains, therefore, of helping consumers to understand which apps are potentially unsafe to use, and ensuring that consumers are armed with the full facts about the strengths and weaknesses of an app before it is downloaded.