1. Purpose
While the proliferation of mobile apps in HKUST indicates we are a vibrant and innovative community, there are also legitimate concerns regarding the security, data privacy, data integrity, ongoing support, etc. of these mobile apps. Adequate governance needs to be in place in order for the University to progress to the next level in terms of leveraging mobile apps wisely to achieve our missions.
This Policy aims at outlining the most important aspects for the University community to note and comply in order to derive the most benefits from mobile apps. It should be noted that this Policy intends to encourage, rather than stifle, more innovative uses of mobile apps by addressing perceived concerns.
2. Scope, Ownership and Categories of Mobile Apps
Since mobile apps need to be made available (aka published) on the mobile app stores for actual adoption by end users, this Policy focuses on mobile apps intended for the two most common mobile app stores nowadays: namely the iOS App Store and the Android Google Play.
For mobile apps to be published in app stores under HKUST, whether they are developed in-house (by staff or students) or outsourced to external entities, they need to be owned by a department or unit of the University.
Mobile apps, like any software, are prone to contain software errors, vulnerabilities or inaccurate data. The owner of a mobile app plays an important role as the focal point of the ongoing support of the app, and is responsible for ensuring the app does comply with the relevant University policies in the entire lifespan of the mobile app.
Based on their usage and nature, mobile apps are classified into the following categories
| Mobile App Category | Description |
| HKUST Official | Mobile apps representing the University to show UST members and the public the latest news and activities of the University |
| HKUST Administrative | Mobile apps developed to cater for the needs of UST members, usually involving sensitive personal and confidential data. |
| HKUST Learning | Mobile apps designed specifically for learning and course-related activities |
| HKUST Community | Mobile apps built by university members or the public to demonstrate innovative ideas and interests related to the University |
For easy reference by end users, description of mobile apps will include their category information and a link to the HKUST Mobile App Catalog where all HKUST mobile apps are listed.
3. Lifecycle of Mobile App
A typical mobile app would consist of the following stages in its lifecycle. The major tasks involved in different stages are summarized below.
Figure 1 - Lifecycle of Mobile Applications
The owners (together with the nominated administrative contact and technical contact persons) of the mobile apps are responsible for ensuring their apps are compliant with the University Policies during the entire lifecycle.
1. Development – Tasks involved: Requirements gathering, application design, development and testing
Mobile app owners are in charge of the requirements and design of the mobile app. They may also appoint a technical team for the development. Mobile apps should follow the guideline stated in Mobile App Security and Privacy Guideline. Testing is required to ensure the quality and to prepare the app for production or adoption.
2. Production – Tasks involved: Compliance check before publishing, registration in CITARS and submission to online stores
After a mobile app is developed and before entering the Production stage, the mobile app owners and sponsors need to register the mobile apps by their departmental Cybersecurity Coordinators (CSC) in the Critical IT Asset Registration System (CITARS). The mobile app needs to pass a compliance check before it is published to online stores.
For high-risk mobile apps, the compliance check will be performed by an external security consultant and may include basic usability testing, data privacy review, security vulnerability scanning and application source code review. All critical and high severity issues should be fixed before the mobile app can be published.
3. Maintenance – Tasks involved: Regular compliance checks, on-going maintenance and updates
After the Production stage, the mobile app will enter the Maintenance stage where on-going maintenance and updates are required to ensure the quality of the app. Regular compliance checks will also be performed.
ITSC will review the usage of the mobile apps and central services with the nominated business and technical contact persons through the coordination of their departmental Cybersecurity Coordinators (CSC). If the mobile app usage is low, owners of mobile apps could then decide if they need to decommission the apps to reduce maintenance cost. For high-risk mobile apps, compliance checks will be performed every two years. All identified security vulnerabilities have to be resolved.
4. Archive – Tasks involved: application decommission, backup and data removal
When the mobile app is no longer needed, it is recommended to remove the app from online stores to avoid maintenance cost. App stores sometimes will enforce mobile apps to comply with new requirements, and force to put mobile apps offline if they fail to comply.
4. Compliance of Mobile Apps
To facilitate the use of mobile apps on campus, the University provides a fundamental set of IT infrastructure and protection for mobile apps. Compliance to the proper use of these services and procedures is important to ensure the mobile app can be deployed securely, effectively and conveniently.
4.1 Mobile App Security Guideline and Compliance Check
All mobile apps published under HKUST must follow the Mobile App Security and Privacy Guideline. Mobile apps need to pass a compliance check before publishing to online stores. The usage of the mobile apps will be regularly reviewed. Regular compliance checks are also required after the apps are published. All critical issues identified will need to be resolved.
4.2 Authentication
Mobile apps nowadays often provide personalized functions and contents for different individuals. This usually requires the ability to identify individual users. The University IT infrastructure is designed to facilitate these needs.
For cybersecurity reasons, only mobile apps that are owned or sponsored by HKUST are eligible to utilize authentication infrastructure of the University to identify users.
4.3 Access to HKUST Data and Functions
It is common that a mobile app needs to access the data or functions provided by some existing systems in HKUST. For popular mobile apps, the resulting accesses to existing systems can be voluminous and may cause unexpected issues to the normal operation of existing systems.
To prevent adverse effects on or even disruptions to existing systems, the mobile app owner should first request consent from the respective system owners on such accesses, and follow the agreed approach to access the data or functions.
In order to ensure this process is manageable and effective, the University advocates the use of the Application Programming Interface (API) technology, conforming to common standards for mobile apps to access data and functions from other systems in an orderly and secure fashion.
4.4 App Publishing
Only mobile apps owned by HKUST will be published using the publisher identity of the University, after passing the compliance check. HKUST mobile app owners may contact ITSC and provide the necessary details for submission to both iOS App Store and Android Google Play. They may also contact ITSC to remove the apps from the stores if the apps are no longer useful.
5. Service Level Agreement
All service enquiry or requests related to mobile apps should be sent to mobileapps@ust.hk . Upon receiving your enquiry, a response should be expected within 2 working days. When all required information and compliance documents are received, access to the mobile app stores would be granted to your designated developer accounts within 3 working days. For requests involving other assistance from ITSC, users would be informed if a resolution could not be reached within 3 working days.
6. Summary of Mobile App Categories
| Mobile App Categories | ||||
| HKUST Official | HKUST Administrative | HKUST Learning | HKUST Community | |
| Description | Mobile apps representing the University to show UST members and the public the latest news and activities of the University | Mobile apps developed to cater for the needs of UST members, usually involving sensitive personal and confidential data. | Mobile apps designed specifically for learning and course-related activities | Mobile apps built by university members or the public to demonstrate innovative ideas and interests related to the University |
| Target Users | UST members and the public | UST staff, students and alumni | UST staff, students and alumni | UST members and the public |
| Functionality | Mobile apps are developed according to the requirements specified by a department, office, or unit in HKUST. | Mobile apps are specifically designed or customized for HKUST. They may be custom-built or adopted from third parties. | Mobile apps built to cater for a specific need and beneficial to UST members and the public. | |
| Ownership | Owned by a department or unit | Owned or sponsored by a department or unit | Owned by a department/ unit or by any individual | |
| Publishing | Published to mobile app stores under HKUST | Published under HKUST if the mobile app is developed or owned by a department or unit | ||
| Examples | m.HKUST (MTPC) |
HKUST Staff (ISO) HKUST Students (ISO) HKUST Alumni (ISO) |
HKUST iLearn (ITSC) CanTalk (LANG) Marine Biology (OCES) |
PathAdvisor (ITSC) PRAISE-HK-EXP (IENV) Embrace Blue Lantau (OCES) |
7. Useful Resources and References
7.1 Mobile App Security and Privacy Guideline
7.2 HKUST Mobile Application Development Guidelines
7.3 HKUST Branding and Website Guidelines
- https://pao.ust.hk/Bdownload/HKUST_Brand_guideline.pdf
- https://pao.ust.hk/Bdownload/HKUST_mobile_app_guideline.pdf
- https://pao.ust.hk/Bdownload/HKUST_website_guideline.pdf
For enquiry, please contact us at mobileapps@ust.hk .