By Ming Tan, Ethan Ng, Keith Detros, Tech for Good Institute
The digital revolution has firmly taken root in the Southeast Asia region, spearheaded by a surge in smartphone adoption. Approximately 100 million of the region’s 460 million internet users have only come online in the last three years, and many of these users are mobile-first or mobile-only. In Indonesia, for instance, fixed broadband penetration stands at 5%, while mobile penetration stands at over 125%.
This smartphone-driven internet adoption has transformed whole industries and changed the way consumers interact with services. With smartphones being the predominant window to the digital universe for millions of users, almost all sectors have sought to develop and tailor offerings for mobile access.
At the heart of this transformation are mobile apps, which provide a self-contained and direct way for developers and businesses to connect with and serve users in a highly controllable and customisable environment, fostering business-to-business, business-to-consumer and consumer-to-consumer interactions. While some of these apps provide online products and services such as video games, content streaming or financial services, many facilitate transactions with both online and offline components. As apps increasingly shape the way we live, work and play, questions of responsibility for safety in app-facilitated virtual and real-world interactions are emerging. While app developers naturally play a primary role in ensuring the safety of the services, the role of app stores has also been thrust into the spotlight, given their position as the gatekeepers of the app ecosystem.
Evolving expectations: From Functionality to Dependability
While internet access via mobile phones was already available in the late 1990s, different manufacturers used different proprietary standards to enable wireless communication. This led to the development of the Wireless Application Protocol (WAP) standard in 1997, jointly developed by Ericsson, Motorola, Nokia and Unwired Planet to standardise the way wireless devices could be used for internet access. The WAP and the Wireless Markup Language (WML) that came with it provided a new standard for developers and content providers to design applications and functionalities that would work across a wider spectrum of mobile devices. Simple WAP commercial applications emerged, largely to allow users to customise their wallpapers and ringtones.
Yet WAP was short-lived: connection fees, the inability to render more graphically intensive operations and the inability to provide consistent user experiences across device types, at a time when devices were getting more powerful, meant that more compact versions of common operating systems such as Linux and Windows quickly made WAP obsolete.
This change meant that developers could create more sophisticated applications on proprietary platforms that provided them with better tools and support. Developers could now also design apps that were more likely to work, and that were also more appealing and responsive to user needs. Platforms such as Palm OS, Symbian, RIM, iOS and Android sprouted over time, each tailored for different use cases.
This allowed mobile apps to improve in scope and quality quickly, in turn transforming their impact on our lives significantly. From mere novelties allowing us to customise our phones, they now serve as essential tools for daily life. Consequently, the questions surrounding mobile apps have also matured along with their development. Where users might once have asked “Will it work?” or “Will it work well?”, they now ask “Is it safe?”, “Is it dependable?” and “Can I trust the developers?”, especially with more and more apps handling sensitive data. This has placed greater responsibility on app platforms, especially Apple’s App Store and Google’s Play Store – the two dominant ecosystem players – to ensure safety and dependability for users.
Safety in App Stores
A review of Apple’s and Google’s consumer- and developer-facing policies showed that both Apple and Google had clear and comprehensive policies prohibiting apps that transmit malware, contribute to device or network abuse, or lead to undesirable modifications of settings that may leave devices more exposed to cyber security threats.
These policies were also backed by robust enforcement measures, with both app stores working hard to prevent malicious apps and mitigate potential impacts of cybersecurity vulnerabilities stemming from apps on their platforms. In 2022, Google reported removing over 1.4 million fraudulent and abusive apps, while also preventing another 500,000 apps from unnecessarily accessing sensitive permissions. Similarly, Apple rejected nearly 29,000 app submissions for containing hidden or undocumented features, blocked another 24,000 apps which had the capability to morph into other apps, and rejected another 400,000 app submissions for privacy violations. Errant developers on both platforms faced sanctions including the termination of their app development rights.
Both app stores also had clear data-related policy provisions seeking to minimise the amount of data collected, thereby mitigating the exposure of sensitive data in case apps are compromised by cyber attacks. In particular, both also made specific provisions relating to the collection and use of child data, even if appropriate consent is obtained.
Depending on App Services
Both app stores had clear guidelines and policies prohibiting developer fraud, such as billing and product fraud. Notably, Google’s developer policy goes a step further by explicitly addressing additional forms of fraudulent activity, such as misrepresentation, impersonation, and social engineering. To this end, both platforms have also rolled out significant and robust back-end protections and policies designed to monitor and detect such fraudulent activities and bad actors – in 2022 alone, Apple and Google disclosed that they had each prevented over US$2 billion in fraudulent and abusive transactions using various combinations of automated and human-led internal safety checks.
Furthermore, developer insolvency poses a key risk to the dependability of app services, especially to consumers who may have purchased apps and digital products, invested funds into financial service apps, e-wallets and deposit accounts, or who have come to rely on critical services provided by app developers. While these risks are inherent to all products, fintech consumers are especially vulnerable, particularly because many providers of such services are relatively new operators in a fast-evolving and ever-changing space.
Neither Apple nor Google has specific provisions addressing the issue of developer insolvency or app closure, though they offer limited protection for consumers through discretionary refund policies. These discretionary refund policies also limit the maximum cost recoverable to the sum paid for the app in question and are typically permitted only if the consumer has recently purchased the app. In most cases, in-app purchases and deposits are not covered, as app stores themselves are not parties involved in such transactions.
Trusting App Services
Another emerging issue is how to build trust in apps offering services for which there are emerging regulatory or licensing requirements. Given the ease of marketing apps to consumers internationally, developers may now intentionally or unintentionally target traditionally safeguarded and unreachable international prospects. Out of reach of local regulatory authorities, unlicensed apps have increasingly posed safety concerns for consumers. This is especially the case in sensitive sectors such as financial services, gambling, healthcare and telemedicine, as well as transportation and ride-hailing. Examples of unlicensed apps that have been taken down in Southeast Asia include money lending apps in the Philippines, Thailand and Vietnam, ride-hailing apps in the Philippines and Malaysia, and gambling apps in Vietnam, often following takedown requests by regulatory authorities.
Both Apple and Google have implemented measures to address compliance in sectors such as financial services and gambling, where developers in these areas are required to submit proof of compliance with local regulations. The platforms have also implemented measures requiring clear disclosure of medical functionalities and limitations while also prohibiting the unauthorised sale or purchase of prescription drugs. Furthermore, the Apple App Store has explicit requirements for drug dosage calculators while Google Play Store stipulates data sharing provisions for their Health Connect data. These measures help foster trust and confidence in the app ecosystem, creating a safer and more accountable environment for all.
Yet there remains work to be done. Evolving regulations in healthcare and transportation remain less aligned and are relatively underdeveloped, which correspondingly means a lack of clear, unified policies addressing apps offering such services. In the absence of legislation, consumers are left in a caveat emptor position, which potentially also creates confusion for developers who may wish to innovate in these areas.
Safety in an evolving digital ecosystem
The evolving role of app stores reflects the changing regulatory landscape, as policymakers grapple with both emerging technologies and new business models. As gateways to app services, app stores play an increasingly important role in implementing emerging regulations and ensuring user safety. In the content space, companies are already partnering with trusted flaggers such as social service organisations to identify harmful content.
On the other hand, app stores are not the only avenue through which users may access apps. Sideloading and jailbreaking enable users to bypass official distribution platforms, with operating systems taking different approaches to supporting the app developer ecosystem. Google Play Protect, for example, allows Android users to scan their devices for harmful apps, irrespective of source. App developers themselves have also built security features into their apps to detect other risky apps on users’ phones, as in the case of OCBC bank in Singapore.
Technical fixes aside, Apple and Google also support ongoing digital literacy through their app stores, complementing extensive efforts by government agencies across Southeast Asia.
App store operators have an important role to play in earning and maintaining public trust not only in their products and services, but also in building confidence in the digital ecosystem as part of the whole-of-society approach needed to protect user safety in the face of the rapidly evolving threat landscape.