While the proliferation of mobile apps in HKUST indicates that we are a vibrant and innovative community, there are also legitimate concerns regarding the security, data privacy, data integrity and ongoing support of these mobile apps. Adequate governance needs to be in place in order for the University to progress to the next level in leveraging mobile apps wisely to achieve our missions.
This Policy aims to outline the most important aspects that the University community should note and comply with in order to derive the most benefit from mobile apps. It should be noted that this Policy intends to encourage, rather than stifle, more innovative uses of mobile apps by addressing perceived concerns.
Since mobile apps need to be made available (i.e. published) on the mobile app stores for actual adoption by end users, this Policy focuses on mobile apps intended for the two most common mobile app stores today: the iOS App Store and Google Play for Android.
Based on the ownership and purpose, we identify a subset of mobile apps that can be effectively governed by this Policy and classify them into the following categories:
HKUST-Official Apps refer to those University-owned mobile apps that are developed according to the requirements specified by a department, office, or unit in HKUST. The app may be developed by in-house manpower, students, or outsourced implementation teams. In any case, the owner unit has complete control over the functions of the mobile app.
Examples: m.HKUST (MTPC), iLearn (ITSC), HKUST Staff (ISO), HKUST Info Day (URAO), PathAdvisor (ITSC), etc.
HKUST-Sponsored Third-Party Apps refer to those apps developed and owned by third-party organizations, individuals, students, alumni, etc., and promoted or introduced to the University through a sponsor department, office or unit of the University. While the sponsor unit should have liaised with the app owner so that the app can be used by the University community, it may or may not have control over the functions of the mobile app.
Examples: USThing (SBM), Duo (ITSC), Canvas (CEI), etc.
HKUST-Community Apps refer to those apps developed or owned by members of the University community and intended for use by the community, but without a prior agreement with the University.
Examples: USTransit (SOCIF Ltd.), etc.
Mobile apps, like any software, may contain software errors, vulnerabilities or inaccurate data. The owner or sponsor of a mobile app plays an important role as the focal point for the ongoing support of the app, and is responsible for ensuring that the app complies with the relevant University policies throughout the entire lifespan of the mobile app.
Mobile apps of the University need to follow the Mobile App Security and Privacy Guideline and are required to complete compliance checks regularly to ensure that their security standards are met until the apps are retired.
Based on the preceding classification of mobile apps, HKUST-Official and HKUST-Sponsored Third-Party mobile apps should be registered in the Critical IT Asset Registration System (CITARS) by their departmental Cybersecurity Coordinators. During registration, the owner or sponsor unit is required to nominate an administrative contact as well as technical contact persons in charge of the business and technical issues pertaining to the mobile app throughout its lifecycle.
For easy reference by end users, mobile apps registered in CITARS will appear in the online HKUST Mobile App Catalog. HKUST-Community Apps may be shown on the HKUST Mobile App Catalog if requested, on the condition that contact information for the owner or developer is provided.
A typical mobile app goes through the following stages in its lifecycle. The major tasks involved in the different stages are summarized below.
Figure 1 - Lifecycle of Mobile Applications
The owners or sponsors (together with the nominated administrative contact and technical contact persons) of the mobile apps are responsible for ensuring their apps are compliant with the University Policies during the entire lifecycle.
1. Development – Tasks involved: Requirements gathering, application design, development and testing
Mobile app owners are in charge of the requirements and design of the mobile app. They may also appoint a technical team for the development of HKUST-Official Apps. Mobile apps should follow the Mobile App Security and Privacy Guideline. Testing is required to ensure quality and to prepare the app for production or adoption.
2. Production – Tasks involved: Compliance check before publishing, registration in CITARS and submission to online stores
After a mobile app is developed and before it enters the Production stage, the mobile app owners and sponsors need to register the mobile app through their departmental Cybersecurity Coordinators (CSC) in the Critical IT Asset Registration System (CITARS). The mobile app needs to pass a compliance check before it is published to online stores.
For high-risk mobile apps, the compliance check will be performed by an external security consultant and may include basic usability testing, data privacy review, security vulnerability scanning and application source code review. All critical and high severity issues should be fixed before the mobile app can be published.
Owners of HKUST-Community Apps may request a compliance check. Such requests will be handled at a lower priority, subject to the availability of resources.
3. Maintenance – Tasks involved: Regular compliance checks, on-going maintenance and updates
After the Production stage, the mobile app will enter the Maintenance stage where on-going maintenance and updates are required to ensure the quality of the app. Regular compliance checks will also be performed.
ITSC will review the usage of the mobile apps and central services with the nominated business and technical contact persons through the coordination of their departmental Cybersecurity Coordinators (CSC). If the usage of a mobile app is low, its owners may then decide whether to decommission the app to reduce maintenance cost. For high-risk mobile apps, compliance checks will be performed bi-yearly. All identified security vulnerabilities have to be resolved.
4. Archive – Tasks involved: application decommissioning, backup and data removal
When the mobile app is no longer needed, it is recommended to remove the app from online stores to reduce maintenance cost. App stores sometimes impose new requirements on mobile apps and take apps offline if they fail to comply.
To facilitate the use of mobile apps on campus, the University provides a fundamental set of IT infrastructure and protection for mobile apps. Compliance with the proper use of these services and procedures is important to ensure that the mobile app can be deployed securely, effectively and conveniently.
All HKUST-Official Apps and HKUST-Sponsored Third-Party Apps must follow the Mobile App Security and Privacy Guideline. Mobile apps need to pass a compliance check before publishing to online stores. The usage of the mobile apps will be regularly reviewed. Regular compliance checks are also required after the apps are published. All critical issues identified will need to be resolved.
Mobile apps nowadays often provide personalized functions and contents for different individuals. This usually requires the ability to identify individual users. The University IT infrastructure is designed to facilitate these needs.
For cybersecurity reasons, only HKUST-Official and HKUST-Sponsored Third-Party Apps are eligible to use the authentication infrastructure of the University to identify users.
It is common for a mobile app to need access to the data or functions provided by existing systems in HKUST. For popular mobile apps, the resulting accesses to existing systems can be voluminous and may disrupt the normal operation of those systems.
To prevent adverse effects on, or even disruption of, existing systems, the mobile app owner should first request consent from the respective system owners for such accesses, and follow the agreed approach to access the data or functions.
To ensure that this process is manageable and effective, the University advocates the use of Application Programming Interfaces (APIs) conforming to common standards, so that mobile apps can access data and functions of other systems in an orderly and secure fashion.
Only HKUST-Official Apps will be published using the publisher identity of the University, after passing the compliance check. The owners of HKUST-Official Apps may contact ITSC and provide the necessary details for submission to both iOS App Store and Android Google Play. They may also contact ITSC to remove the apps from the stores if the apps are no longer useful.
The following summarizes the characteristics of the three mobile app categories.
HKUST-Official Apps, e.g. m.HKUST (MTPC), iLearn (ITSC), HKUST Staff (ISO), HKUST Info Day (URAO), PathAdvisor (ITSC), etc.
HKUST-Sponsored Third-Party Apps, e.g. USThing (SBM), Duo (ITSC), Canvas (CEI), etc.
7. Useful Resources and References
7.1 Mobile App Security and Privacy Guideline
7.2 HKUST Mobile Application Development Guidelines
For enquiries, please contact us at firstname.lastname@example.org.