HKUST Mobile App Policy

1. Purpose

The mobile application (aka the mobile app) has emerged as a popular means for individuals to communicate, transact and entertain in modern society. It can be developed by anyone with skills and tools that are not difficult to obtain nowadays. In HKUST, faculty members, staff, students and alumni have been developing or promoting a wide variety of mobile apps for teaching, learning, administration, outreach, campus life, etc.
 
While the proliferation of mobile apps in HKUST indicates we are a vibrant and innovative community, there are also legitimate concerns regarding the security, data privacy, data integrity, ongoing support, etc. of these mobile apps. Adequate governance needs to be in place in order for the University to progress to the next level in terms of leveraging mobile apps wisely to achieve our missions.
 
This Policy aims at outlining the most important aspects for the University community to note and comply with in order to derive the most benefits from mobile apps. It should be noted that this Policy intends to encourage, rather than stifle, more innovative uses of mobile apps by addressing perceived concerns.
 

2. Scope: Categories of Mobile Apps

Since mobile apps need to be made available (aka published) on the mobile app stores for actual adoption by end users, this Policy focuses on mobile apps intended for the two most common mobile app stores nowadays: namely the iOS App Store and the Android Google Play. 

Based on the ownership and purpose, we identify a subset of mobile apps that can be effectively governed by this Policy and classify them into the following categories: 

2.1 HKUST-Official Apps

HKUST-Official Apps refer to those University-owned mobile apps that are developed according to the requirements specified by a department, office, or unit in HKUST. The app may be developed by in-house manpower, students, or outsourced implementation teams. In any case, the owner unit has complete control over the functions of the mobile app.

Examples: m.HKUST (MTPC), iLearn (ITSC), HKUST Staff (ISO), HKUST Info Day (URAO), PathAdvisor (ITSC), etc. 

2.2 HKUST-Sponsored Third-Party Apps

HKUST-Sponsored Third-Party Apps refer to those apps developed and owned by third-party organizations, individuals, students, alumni, etc., and promoted or introduced to the University through a sponsor department, office or unit of the University. While the sponsor unit should have liaised with the app owner such that it can be used by the University community, it may or may not have control over the functions of the mobile app.

Examples: USThing (SBM), Duo (ITSC), Canvas (CEI), etc. 

2.3 HKUST-Community Apps

HKUST-Community Apps refer to those apps developed or owned by members of the University community and intended for use by the community although without a prior agreement with the University.

Examples: USTransit (SOCIF Ltd.), etc. 

3. Role of App Owners or Sponsors and HKUST Mobile App Catalog

Mobile apps, like any software, are prone to containing software errors, vulnerabilities or inaccurate data. The owner or sponsor of a mobile app plays an important role as the focal point of the ongoing support of the app, and is responsible for ensuring the app complies with the relevant University policies throughout the entire lifespan of the mobile app.

Mobile apps of the University need to follow the Mobile App Security and Privacy Guideline and are required to complete compliance checks regularly to ensure their security standards are met until the apps are retired.

Based on the preceding classification of mobile apps, HKUST-Official and HKUST-Sponsored Third-Party mobile apps should be registered in the Critical IT Asset Registration System (CITARS) by their departmental Cybersecurity Coordinators. During registration, the owner or sponsor unit is required to nominate an administrative contact as well as technical contact persons in charge of the business and technical issues pertaining to the mobile app over its whole lifecycle.

For easy reference by end users, mobile apps registered in CITARS will appear in the online HKUST Mobile App Catalog.  HKUST-Community Apps may be shown on the HKUST Mobile App Catalog if requested, on the condition that the information about the owner or developer’s contacts can be provided. 
 

4. Lifecycle of Mobile App 

A typical mobile app consists of the following stages in its lifecycle. The major tasks involved in the different stages are summarized below.

Figure 1 - Lifecycle of Mobile Applications

The owners or sponsors (together with the nominated administrative contact and technical contact persons) of the mobile apps are responsible for ensuring their apps are compliant with the University Policies during the entire lifecycle.  


1. Development – Tasks involved: Requirements gathering, application design, development and testing 

Mobile app owners are in charge of the requirements and design of the mobile app.  They may also appoint a technical team for the development of HKUST-Official apps.  Mobile apps should follow the guideline stated in Mobile App Security and Privacy Guideline.  Testing is required to ensure the quality and to prepare the app for production or adoption.


2. Production – Tasks involved: Compliance check before publishing, registration in CITARS and submission to online stores

After a mobile app is developed and before it enters the Production stage, the mobile app owners and sponsors need to have the mobile app registered by their departmental Cybersecurity Coordinators (CSC) in the Critical IT Asset Registration System (CITARS). The mobile app needs to pass a compliance check before it is published to online stores.

For high-risk mobile apps, the compliance check will be performed by an external security consultant and may include basic usability testing, data privacy review, security vulnerability scanning and application source code review.  All critical and high severity issues should be fixed before the mobile app can be published.   

Owners of HKUST-Community Apps may request a Compliance Check. Such requests will be entertained at a lower priority, subject to the availability of resources.


3. Maintenance – Tasks involved: Regular compliance checks, on-going maintenance and updates 

After the Production stage, the mobile app will enter the Maintenance stage where on-going maintenance and updates are required to ensure the quality of the app.  Regular compliance checks will also be performed.  

ITSC will review the usage of the mobile apps and central services with the nominated business and technical contact persons through the coordination of their departmental Cybersecurity Coordinators (CSC).  If the mobile app usage is low, owners of mobile apps could then decide if they need to decommission the apps to reduce maintenance cost.  For high-risk mobile apps, compliance checks will be performed bi-yearly.  All identified security vulnerabilities have to be resolved.  


4. Archive –  Tasks involved: application decommission, backup and data removal 

When the mobile app is no longer needed, it is recommended to remove the app from online stores to reduce maintenance cost. App stores sometimes require mobile apps to comply with new requirements, and may take mobile apps offline if they fail to comply.

5. Compliance of Mobile Apps

To facilitate the use of mobile apps on campus, the University provides a fundamental set of IT infrastructure and protection for mobile apps. Compliance with the proper use of these services and procedures is important to ensure the mobile app can be deployed securely, effectively and conveniently.

5.1 Mobile App Security Guideline and Compliance Check

All HKUST-Official Apps and HKUST-Sponsored Third-Party Apps must follow the Mobile App Security and Privacy Guideline. Mobile apps need to pass a compliance check before publishing to online stores. The usage of the mobile apps will be regularly reviewed. Regular compliance checks are also required after the apps are published. All critical issues identified will need to be resolved.

5.2 Authentication

Mobile apps nowadays often provide personalized functions and contents for different individuals. This usually requires the ability to identify individual users. The University IT infrastructure is designed to facilitate these needs.

For cybersecurity reasons, only HKUST-Official and HKUST-Sponsored Third-Party Apps are eligible to utilize the University's authentication infrastructure to identify users.

5.3 Access to HKUST Data and Functions

It is common that a mobile app needs to access the data or functions provided by some existing systems in HKUST. For popular mobile apps, the resulting accesses to existing systems can be voluminous and may cause unexpected issues for the normal operation of existing systems.

To prevent adverse effects on or even disruptions to existing systems, the mobile app owner should first request consent from the respective system owners on such accesses, and follow the agreed approach to access the data or functions. 

In order to ensure this process is manageable and effective, the University advocates the use of the Application Programming Interface (API) technology, conforming to common standards for mobile apps to access data and functions from other systems in an orderly and secure fashion. 

5.4 App Publishing

Only HKUST-Official Apps will be published using the publisher identity of the University, after passing the compliance check.  The owners of HKUST-Official Apps may contact ITSC and provide the necessary details for submission to both iOS App Store and Android Google Play.  They may also contact ITSC to remove the apps from the stores if the apps are no longer useful.
 

6. Summary

The following summarizes the characteristics of the three mobile app categories.

HKUST-Official Apps
  • University-owned mobile apps
  • Requirements specified by HKUST
  • In-house, students or outsourced implementation
  • Owners have complete control of the apps

e.g. m.HKUST (MTPC), iLearn (ITSC), HKUST Staff (ISO), HKUST Info Day (URAO), PathAdvisor (ITSC), etc.

Checklist
  • Fulfil Mobile App Security Guideline
  • Develop and maintain documentation
  • Eligible to use authentication infrastructure
  • Access to HKUST public, authenticated and sensitive API
  • Identify administrative and technical contact persons
  • Register on CITARS
  • Complete compliance checks
  • Publish to HKUST official app stores and mobile app catalog

HKUST-Sponsored Third-Party Apps
  • Developed and owned by third-party
  • Introduced to UST through a sponsor department, office or unit
  • Sponsor unit may or may not have control over the app functions

e.g. USThing (SBM), Duo (ITSC), Canvas (CEI), etc.

Checklist
  • Fulfil Mobile App Security Guideline
  • Develop and maintain documentation
  • Eligible to use authentication infrastructure
  • Access to HKUST public and authenticated API
  • Identify administrative and technical contact persons
  • Register on CITARS
  • Complete compliance checks
  • Publish to HKUST mobile app catalog

HKUST-Community Apps
  • Developed or owned by members of the University community
  • Intended for use by the community
  • No prior agreement with the University

e.g. USTransit (SOCIF Ltd.), etc.

Checklist
  • Access to HKUST public API (e.g. USTransit)
  • Publish to HKUST mobile app catalog upon request with identification of technical contact persons


7. Useful Resources and References 

    7.1 Mobile App Security and Privacy Guideline
    7.2 HKUST Mobile Application Development Guidelines
    7.3 HKUST Branding and Website Guidelines

    For enquiry, please contact us at mobileapps@ust.hk.