For government, creating app certification system will be a tough nut to crack
Updated: 11 Feb 2020, 08:18 PM IST
- Certification system can be tricky for software and apps as they have multiple versions
- Enforcing rating system on developers, app stores can be disruptive to the ecosystem
NEW DELHI : The government plans to set up a rating or certification agency for apps, akin to the Bureau of Indian Standards for electronics and Food Safety and Standards Authority of India for packaged food products, according to a report in the Financial Express.
The decision comes in the absence of any platform where users can verify whether an app is safe and how it stores, processes and shares user data.
An app certifying agency is an interesting, ambitious and largely impractical idea, said Prasanto K Roy, a technology and policy consultant, adding that “there is indeed a need to audit safety and privacy issues with apps, especially those from government (such as the NaMo app, which had data privacy issues). But there are easier ways around – such as capturing feedback of white-hat hackers or others reporting issues.”
But building a certification system along the lines of BIS and FSSAI can be tricky for software and apps, as they have multiple versions, unlike a smartphone or other consumer products. Apps are frequently updated over the air, so a certified version may not completely reflect the app's true nature.
Also, enforcing the rating system on developers or even the app stores can be disruptive to the entire app ecosystem.
“Mandatory approval would be a deal breaker—likely breaking down the app development ecosystem. Optional approval begs the question as to why app developers would choose to go for it,” Roy said.
However, this may work in the case of financial or other apps that take sensitive information. Having an optional approval backed by a campaign to adopt certified apps, like BIS/ISI ratings, will inspire confidence, he added.
Google and Apple have elaborate vetting processes for their respective stores, yet harmful apps have managed to slip through in different ways. A case in point is CamScanner, a PDF creator app that turned malicious after an update. This goes to show that identifying harmful apps is a continuous process. Assigning a rating cannot be a one-time affair, and a one-time rating can do more harm than good.
Also, the version of an app on the Play Store may not be the same as the one on a third-party Android store; such stores are more flexible in their vetting process. These third-party stores are very popular among Android users. When TikTok was temporarily removed from the Play Store in 2019 after a court order, people started downloading it from third-party stores.
Roy points out that app stores don’t go into a wide-ranging security or privacy audit, which often involves server-end issues (for instance with the NaMo app).
“It's very important to have something like this for apps as users don't still know if the permissions, data and other things an app asks for are genuinely required. Google and Apple will see only if any rules set by them are violated. But there is a lot that is done within that as well. For instance, asking permission to control something that has nothing to do with the app functionality,” said Faisal Kawoosa, chief analyst and founder of TechARC, a market research firm.
Details on how exactly the ratings system will work, and whether it will be mandatory or optional, are not known yet, but according to news reports, labs are being set up to initiate the process.