Mobile App Security and Privacy Guideline

Departments may need to adopt or develop mobile applications (mobile apps) to meet University needs. If a mobile app is not designed with privacy and security in mind, the personal data on the devices of users who install it may be put at risk. If the mobile app accesses confidential data in HKUST administrative systems, that data will be at risk as well. Mobile app owners and sponsors should therefore secure their mobile apps by adopting the best practices and guidelines defined below. The guidelines for protecting personal data and privacy issued by the PCPD should also be observed and followed.

Mobile app owners or sponsors should refer to the HKUST Mobile App Policy that governs all mobile apps owned by HKUST.
 

1. Scope

Mobile applications owned by HKUST should follow the guidelines and comply with the requirements stated in this document.

 

2. Roles and Responsibilities

The owners of mobile apps published under HKUST are responsible for ensuring compliance with relevant University policies throughout the lifecycle of their mobile apps. They may nominate administrative and technical contact persons to assist with development, daily operations and compliance with requirements at the different stages of their mobile apps. The Cybersecurity Coordinators of the departments owning the mobile apps may also assist with communication and coordination between ITSC and the mobile app owners.

 

3. Getting started

3.1 Registration of Mobile Apps in CITARS

Mobile apps must be registered in the Critical IT Asset Registration System (CITARS) by the Cybersecurity Coordinator (CSC) of the department owning the mobile app.

During registration, the mobile app owner is required to nominate the administrative and technical contact persons for the mobile app. The nominated contact persons assist the app owner or sponsor with on-going updates and regular compliance checks throughout the lifecycle of the mobile app. The CSC also assists with communication and coordination between ITSC and the owners, sponsors and nominated contact persons of the mobile apps.

 
3.2 Minimum Security Standard

Mobile apps should follow the minimum security standard for application systems in all areas that apply to them.

 

3.3 Mobile App Development Guidelines by ISO

ISO provides APIs for mobile apps to access data in HKUST enterprise systems. The following security guidelines must be strictly followed:

  • Personal data must be handled properly as required by the Hong Kong Personal Data (Privacy) Ordinance.
  • Follow the HKUST Data Privacy Policy.
  • Keep API calls carrying sensitive data safe:
      • Call the API directly from the mobile client (rather than routing the call through a third-party server, e.g. on Amazon, which then redirects it).
  • Minimize the storage of sensitive data:
      • Any sensitive data that must be stored on the device must be encrypted, in a secure zone where necessary.
      • Do not send such data to third-party servers such as public Cloud Service Providers.
  • Safeguard the data on users' devices:
      • Declare why each device permission is needed and how it will be used.

ISO also publishes the following guideline on Mobile App Development. Mobile app developers are strongly recommended to review it during the mobile app design phase.

 

3.4 User Authentication

To facilitate personalized functions and content in mobile apps, the University IT infrastructure supports user authentication with the following standards:

  • Central Authentication System (CAS)
  • OpenID Connect (OIDC)
  • OAuth 2.0 authorization framework (OAuth2)

For cybersecurity reasons, only authorized mobile apps are eligible to use the University's authentication infrastructure to identify users.

Besides leveraging the University's user authentication infrastructure, mobile apps can verify a user's claimed email address by email verification: the app sends a verification email containing a link or code to the address the user claims, and the user proves control of that mailbox by presenting it back to the app. Such verification links or codes should remain valid only for a short period, and ideally be usable only once. This is a simple method that is commonly practised, but note that it establishes control of a mailbox rather than a University identity.
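As an added example (not part of the ITSC guideline and not University code), the following Python shows how an app's backend can issue and verify a short-lived, single-use email verification token of the kind described above. The server key, the 15-minute lifetime, the replay store and the email addresses and URL are assumptions chosen for illustration.

```python
"""Short-lived, single-use email verification tokens (added illustration).

A token binds the claimed email address to an expiry time and a one-time
nonce, and is authenticated with HMAC-SHA256 so it cannot be forged or
altered without the server key. Key, lifetime, addresses and URL are
assumptions for this example, not values from University infrastructure.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Hypothetical server-side key; in production load it from a secret store
# and never embed it in the mobile app binary.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime: links expire after 15 minutes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL_SECONDS,
                now: Optional[float] = None) -> str:
    """Build "<payload>.<tag>" where tag = HMAC-SHA256(key, payload)."""
    issued = int(time.time() if now is None else now)
    claims = {"email": email.strip().lower(), "exp": issued + ttl,
              "nonce": secrets.token_hex(8)}   # nonce lets the server enforce single use
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(tag)


def verify_token(token: str, key: bytes = SERVER_KEY, now: Optional[float] = None,
                 used: Optional[Set[str]] = None) -> Optional[str]:
    """Return the verified email address, or None if the token is malformed,
    forged, expired, or (when a replay store `used` is given) already consumed."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64url(payload_b64), _unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time; verify MAC before parsing
        return None
    claims = json.loads(payload)
    if (time.time() if now is None else now) >= claims["exp"]:
        return None                               # the short validity window is enforced here
    if used is not None:
        if claims["nonce"] in used:
            return None                           # replayed link
        used.add(claims["nonce"])
    return claims["email"]


def verification_link(email: str, base_url: str = "https://example.edu/verify") -> str:
    """Link to embed in the verification email (base_url is a placeholder)."""
    return f"{base_url}?token={issue_token(email)}"
```

The MAC is checked before the payload is parsed, so a tampered or forged token is rejected before any of its contents are trusted; the expiry and the nonce are then enforced server-side, so a leaked or forwarded link stops working after the window or after first use.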

 

3.5 Application Programming Interfaces (APIs) with HKUST Data

To facilitate and encourage the use of APIs on campus, the University IT infrastructure includes two essential components for this purpose:
 

HKUST API Gateway

All access to the APIs exposed by existing HKUST systems is channelled through the HKUST API Gateway, which protects those systems by enforcing pre-defined limits on access frequency, intensity and similar parameters, preventing overloading of the back-end systems.
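As an added example of the kind of control the Gateway applies (illustrative code, not the HKUST API Gateway's implementation), the following Python models a per-client token bucket: the bucket capacity bounds bursts (intensity) and the refill rate bounds sustained call frequency, and each client credential gets its own bucket so one app cannot starve another. The client identifiers, limits and the 429 response are assumptions.

```python
"""Per-client token-bucket rate limiting as an API gateway applies it.

Added illustration, not the HKUST API Gateway's code; the client IDs,
limits and response codes are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class TokenBucket:
    capacity: float            # largest burst allowed ("intensity")
    refill_per_second: float   # sustained rate ("frequency")
    tokens: float = field(init=False)
    last_seen: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity   # a new client starts with a full bucket

    def take(self, now: float, cost: float) -> bool:
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        self.last_seen = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def seconds_until(self, cost: float) -> float:
        """How long a rejected caller should wait before retrying."""
        return max(0.0, (cost - self.tokens) / self.refill_per_second)


class Gateway:
    """Keeps one bucket per client credential so one app cannot starve another."""

    def __init__(self, capacity: float, refill_per_second: float) -> None:
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.buckets: Dict[str, TokenBucket] = {}

    def handle(self, client_id: str, now: float, cost: float = 1.0) -> dict:
        """Return an HTTP-style decision: 200 to forward the call, 429 to reject it.
        `cost` lets expensive endpoints consume more of the client's budget."""
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.refill_per_second)
        if bucket.take(now, cost):
            return {"status": 200, "retry_after": 0.0}
        return {"status": 429, "retry_after": bucket.seconds_until(cost)}


def simulate_burst() -> list:
    """Constructed traffic: app-A fires 7 calls at t=0 against a 5-burst, 1/s limit."""
    gw = Gateway(capacity=5, refill_per_second=1.0)
    return [gw.handle("app-A", now=0.0)["status"] for _ in range(7)]
```

In the constructed burst the first five calls are forwarded and the last two are rejected with a retry hint; after two seconds the bucket has refilled two tokens, so two more calls succeed before the client is throttled again.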
 

HKUST API Portal

System owners who decide to expose data and functions, whether protected or public, through APIs can describe in a standardized way what the APIs do and how they can be accessed by publishing this information in the HKUST API Portal. The Portal serves as a one-stop shop for the APIs available on campus.

 

More information about the Gateway and Portal can be found on the following webpage:
https://itsc.hkust.edu.hk/services/it-infrastructure/api-gateway-api-portal

 

3.6 Privacy & Compliance Check

Owners or sponsors of mobile apps must complete the Checklist of Best Practice for Mobile App Development (extracted from Part D, Table 2 of the Best Practice Guide for Mobile App Development by the PCPD) to assess the privacy impact on users. If the mobile app involves personal data, the Personal Data Privacy Impact Assessment (PIA) form (refer to the Privacy Impact Assessment by the PCPD) must also be completed. The completed document(s) should be submitted to mobileapps@ust.hk for review before the mobile app is published.

High-risk mobile apps must also undergo a more thorough compliance check by an external security consultant to assess compliance with the University's cybersecurity standards and privacy requirements. The compliance check may include a data privacy review, security vulnerability scanning and application source code review. All critical and high severity issues must be fixed before the app can be published.

When a mobile app is updated extensively, the Checklist of Best Practice for Mobile App Development and, if personal data is involved, the Personal Data Privacy Impact Assessment (PIA) form must be updated and submitted before the mobile app is re-published. For high-risk apps, if the programming logic is changed during an update, a compliance and security assessment by an external security consultant is also required.

All mobile apps are required to complete regular usage reviews and compliance checks every 2 years.

3.7 HKUST Mobile App Catalog

ITSC manages the posting of HKUST mobile apps to the iOS App Store and Google Play. HKUST Official apps are published under the identity of the University after passing the compliance check and completing the necessary steps set out in this document.

ITSC has also prepared an HKUST Mobile App Catalog to promote mobile applications to HKUST users. Mobile apps owned by HKUST appear in the online HKUST Mobile App Catalog once they are registered in CITARS.

 
3.8 Suggested Tasks Involved in the Lifecycle of Mobile Applications

The owner or sponsor of a mobile app plays a crucial role in ensuring that compliance requirements are fulfilled and quality is maintained over the entire lifespan of the mobile app. The administrative and technical contact persons nominated by the owner or sponsor assist with on-going updates and compliance checks throughout the lifecycle. Mobile apps are published to online stores when the compliance check is passed and all critical issues identified are fixed.

ITSC regularly reviews the usage of mobile applications with the mobile app owners, sponsors or nominated contact persons, with the assistance of their Cybersecurity Coordinators. Mobile app usage data may include data from the online app stores (e.g. App Analytics data from the iOS App Store and Key Performance Indicators from the Google Play Store) and usage of infrastructure services (e.g. CAS and APIs).

Owners may review the usage of their mobile apps to decide whether they should be removed from the stores to reduce maintenance cost. If a mobile app is no longer useful, its owner or sponsor should contact ITSC to remove it from the online stores. Unused apps should also be unregistered from CITARS.

A typical lifecycle of a mobile app and the related tasks are summarized below. 

 

Figure 1 - Lifecycle of Mobile Applications

 

Development Stage

  • Consolidate requirements and design the app
  • Follow the guidelines stated in this document for development and customization
  • Start documentation
  • Request infrastructure services (e.g. Central Authentication, API access)
  • Conduct testing
     

Production Stage

  • Nominate the administrative and technical contacts
  • Register the app in CITARS (by the CSC)
  • Complete risk classification for the mobile app
  • Complete the Privacy Impact Assessment form if personal data is involved
  • Complete the Checklist of Best Practice for Mobile App Development
  • For high-risk apps, complete the compliance check by an external security consultant
  • Publish to the online stores when the compliance check is passed and all critical issues identified are fixed
     

Maintenance Stage

  • Keep the mobile app updated by applying regular fixes and security patches.
  • Update the "Checklist of Best Practice for Mobile App Development" (and the Privacy Impact Assessment form if personal data is involved) when the programming logic of the mobile app is changed
  • For high-risk mobile apps, complete compliance checks and reviews by an external security consultant
  • Review usage reports (usage of mobile app and central services) with ITSC
  • Update documentation
     

Archive Stage

  • Remove the mobile app from online store
  • Unregister the mobile app from CITARS by CSC

 

 

4. Summary of Mobile App Compliance and Governance

 

  Mobile App Categories

  HKUST Official: Mobile apps representing the University to show UST members and the public the latest news and activities of the University.

  HKUST Administrative: Mobile apps developed to cater for the needs of UST members, usually involving sensitive personal and confidential data.

  HKUST Learning: Mobile apps designed specifically for learning and course-related activities.

  HKUST Community: Mobile apps built by University members or the public to demonstrate innovative ideas and interests related to the University.

  Compliance & Governance (all four categories): For mobile apps published under HKUST, the same compliance and governance requirements as for HKUST Official and HKUST Administrative apps are enforced.

 

 

5. Useful Resources and References

5.1 HKUST Mobile Application Policy

5.2 HKUST Branding and Website Guidelines

 

 

For enquiry, please contact us at mobileapps@ust.hk .