Mobile App Security and Privacy Guideline

Departments may need to adopt or develop mobile applications (aka mobile apps) to meet University needs. If the mobile app is not designed with privacy or security in mind, users downloading it may have their mobile personal data in jeopardy.  If the mobile app is developed for accessing confidential data of HKUST administrative systems,  those data will also be at risk.  Therefore, it is important that mobile app owners or sponsors adopt best practices to secure the mobile app by following the guideline defined below.  Guidelines provided by PCPD for protecting personal data and privacy should also be observed and followed.

Mobile app owners or sponsors should refer to the HKUST Mobile App Policy for the compliance requirements of different categories of mobile apps.  

1. Scope

As indicated in the HKUST Mobile App Policy, Mobile applications classified as HKUST-Official Apps or HKUST-Sponsored Third-Party Apps (collectively referred as the mobile apps below) are required to follow the guideline stated in this document.


2. Roles and Responsibilities

The owners or sponsors of mobile apps are responsible to ensure the compliance of relevant University policies throughout the lifecycle of the mobile app.  They may nominate administrative and technical contact persons to assist the development, daily operations and the compliance of requirements in different stages of the mobile app.  Cybersecurity Coordinators of the departments owning the mobile apps also assist in the communication and coordination between ITSC and the owners, sponsors and the nominated contact persons of the mobile apps.

Please refer to the HKUST Mobile App Policy for more information.


3. Getting started

3.1 Registration of Mobile Apps in CITARS

Mobile apps are required to be registered in the Critical IT Asset Registration System (CITARS) by Cybersecurity Coordinators (CSC) of the departments owning the mobile apps. 

During registration, the owner or sponsor unit of the mobile app is required to nominate the administrative and technical contact persons for the mobile app.   The nominated contact persons will assist the app owner or sponsor in the on-going updates and regular compliance checks of the mobile app throughout the lifecycle of the mobile app.  The CSC also assists in the communication and coordination between ITSC and the owners, sponsors and the nominated contact persons of the mobile apps.

3.2 Minimum Security Standard

Mobile apps should follow the minimum security standard for application systems for areas which applied


3.3  Mobile App Development Guidelines by ISO 

ISO provides APIs for mobile apps to access data of HKUST enterprise systems . The following guidelines about security must be strictly followed.

  • Personal data must be handled properly as required by HK Personal Data Privacy Ordinance.
  • Follow HKUST Data Privacy Policy.
  • Keep API calls with sensitive data safe
  • Call directly from mobile clients (instead of going through a third-party server like Amazon, etc and then redirect).
  • Minimizing storing of sensitive data.
  • Data stored must be encrypted in a security zone if necessary.
  • Don’t send out to third-party servers like public Cloud Service Providers.
  • Safeguard data of user’s devices
  • Declare why each device’s permission is needed and how they will be used.

ISO publishes a guideline on Mobile App Development as below. Mobile app developers are strongly recommended to review it during the  mobile app design phase.


3.4  User Authentication

To facilitate personalized functions and contents of mobile apps, the University IT infrastructure supports user authentication with the following standards

  • Central Authentication System (CAS)
  • OpenID Connect (OIDC)
  • Open Authentication (OAuth2) 

For cybersecurity reasons, only HKUST-Official and HKUST-Sponsored Third Party Apps are eligible to utilize authentication infrastructure of the University to identify users. 

Besides leveraging the University’s user authentication infrastructure, mobile apps can effectively verify a user’s identity by email authentication. Namely, mobile apps can send verification emails to the email identity claimed by a user. The validity of such verification emails is usually within a short period of time and this is a simple method that is commonly practised. 


3.5  Application Programming Interfaces (APIs) with HKUST Data

To facilitate and encourage the use of API on campus, the University IT infrastructure includes two essential components for this purpose:


The existing HKUST systems that expose the APIs are protected by channelling all accesses to APIs through the HKUST API Gateway. The Gateway will control access to APIs according to pre-defined access frequency, intensity, etc. and prevent overloading.


System owners who decide to expose data and functions, protected or public, through APIs can illustrate in a standardized way what the APIs do and how they can be accessed by publishing such information in the HKUST API Portal. The Portal serves as a one-stop shop of available APIs on campus.


More information about the Gateway and Portal can be found from the following webpage


3.6  Privacy & Compliance Check

Owners or sponsors of mobile apps must complete the Checklist of Best Practice for Mobile App Development. (Extracted from Part D Table 2 of the Best Practice Guide for Mobile App Development by PCPD) with the purpose of assessing the privacy impact to users. 

If the mobile app involves personal data, the Personal Data Privacy Impact Assessment (PIA) form (refer to the Privacy Impact Assessment by PCPD) must also be completed. 

Please send the document(s) to us at after you have filled in all the required information.

Both documents should also be updated and submitted again when the handling of personal data, sensitive data or actions, which are mentioned in the PCPD Mobile Application Development Checklist, is changed.

For high-risk mobile apps, it needs to undergo a more thorough compliance check for assessing the compliance with our cybersecurity standards and privacy requirements by an external security consultant.  The compliance check may include data privacy review, security vulnerability scanning and application source code review.  All critical and high severity issues should be fixed before the apps can be published to the online stores.  After the mobile apps are published, bi-yearly compliance checks are also required, and all critical issues identified should be fixed.



3.7  HKUST Mobile App Catalog

ITSC is managing the posting of HKUST mobile apps to the iOS App Store and Android Google Play.  HKUST-Official Apps will be published using the identity of the University after passing the compliance check and complete the necessary steps as indicated in this document.

ITSC has also prepared a HKUST Mobile App Catalog to facilitate the promotion of mobile applications for HKUST users.  HKUST-Official and HKUST-Sponsored Third-Party mobile applications after the registration in CITARS, will appear in the online HKUST Mobile App Catalog.  HKUST-Community Apps may be shown on the HKUST Mobile App Catalog if requested, if the information about the owner or developer’s contacts can be provided. 

3.8  Suggested Tasks Involved in the Lifecycle of Mobile Applications

The owner or sponsor of the mobile app should play a crucial role to ensure the compliance requirements are fulfilled and quality is maintained in the entire lifespan of the mobile app. The administrative and technical contact persons, who are nominated by the mobile app owners or sponsors, would assist in taking care of the on-going updates and compliance checks throughout the lifecycle of the mobile app.  Mobile apps are published to online stores when the compliance check is passed and all identified and critical issues are fixed.

ITSC will regularly review of the usage of the mobile applications with the mobile app owner, sponsors or nominated contact persons with the assistance from their Cybersecurity Coordinators.  Mobile app usage data may include data from online app stores (i.e. App Analytics data from iOS App Store and Key Performance Indexes from Google Play Store) and usage of infrastructure services (e.g. CAS and API).

Owners may review the usage of their mobile apps to decide if they should be removed from the stores to reduce the maintenance cost.  If the mobile apps are no longer useful, owners or sponsors of the mobile apps should contact ITSC to remove them from online stores.  Those unused apps should also be unregistered in CITARS.

A typical lifecycle of a mobile app and the related tasks are summarized below. 


Figure 1 - Lifecycle of Mobile Applications


Development Stage

  • Consolidate requirement and design the app
  • Follow the guideline stated in this document for development and customization
  • Start documentation
  • Request for infrastructure services (e.g. Central Authentication, API accesses, and etc.)
  • Conduct testings

Production Stage

  • Nominate the administrative and technical contacts
  • Register the app in CITARS by CSC
  • Complete risk classification for the mobile app
  • Complete compliance check for high-risk apps
  • Complete privacy impact assessment if involving personal data
  • Publish to online store when compliance check is passed and all critical issues identified are fixed

Maintenance Stage

  • Keep the mobile app updated by applying regular fixes and security patches.
  • Complete regular compliance check for high-risk mobile apps
  • Review usage reports (usage of mobile app and central services) with ITSC
  • Update documentation

Archive Stage

  • Remove the mobile app from online store
  • Unregister the mobile app from CITARS by CSC

Please refer to the HKUST Mobile App Policy for more information.


4. Useful Resources and References

4.1 HKUST Mobile Application Policy

4.2 HKUST Branding and Website Guidelines



For enquiry, please contact us at .