Mobile App Development and Publication Guidelines
Background
Central IT subscribed to the Apple Developer Program/Apple Developer Enterprise Program for the Apple iOS platform and to Google Play Developer for the Android platform under the name “City University of Hong Kong” (“CityU”). Mobile apps providing university services to the communities can be published under “City University of Hong Kong” on the Apple App Store or the Google Play Store. Research projects or departmental apps that target a limited group of staff and/or students may consider distributing the apps as APK files for Android or IPA files for iOS.
If departments wish to publish an app related to their operations to these stores, they should raise an online CSC Work Request. To speed up the process, departments are advised to send this information to the developer(s) before kicking off the project.
App Review
Regardless of distribution channel, all apps distributed/published with "City University of Hong Kong" affiliation require a source code security review by the Central IT. The Central IT shall review the following:
- Relevance with City University of Hong Kong;
- User sign-up and authentication mechanism;
  (if applicable, developers should leverage the institution's identity access management solution to authenticate users using either OAuth, SAML, or OpenID Connect)
- The system and system architecture of the application servers (Web, API, etc.) interacting with the app;
- Communication protocol (an encrypted communication protocol such as HTTPS must be used);
- Data Storage
  The data collected or generated should be stored in a secured data repository. Personal data should be encrypted.
- Web Applications Security
  The corresponding web applications should be hosted on servers and should have undergone a Web Application Vulnerability Scan performed by the Information Security Unit (ISU) of OCIO.
- Mobile device functionality settings on a need basis (i.e. Push Notifications, Camera, Mic, Bluetooth, GPS, Storage, etc.);
- Push notification mechanism adopted;
- Proper use of CityU logos and adherence to the App Icon Design Guidelines.
Once the Central IT review is completed, the app will be compiled and signed with CityU certificates* and published to the Apple App Store and/or the Google Play Store by the CSC. Depending on the complexity, the review process may take about 10 working days. For the Apple App Store, the app will be further reviewed by Apple, which may take from one day to multiple weeks. Upon approval, the app will then be released to the Apple App Store. Therefore, you may expect the whole process to take at least a week to complete before the app is published.
* For security reasons, the CSC will not provide the iOS Distribution Certificate to departments/developers.
What should be submitted to the Central IT
- Source code (as detailed in the previous section)
- App details such as name, description, screenshots, targeted users, etc. Insufficient information will usually result in many unnecessary email communications back and forth.
- Information to be shown in the app store product page (e.g. screenshots, descriptions, videos, etc.) as described at the URLs below:
  - For Google Play Store: https://developer.android.com/distribute/best-practices/launch/store-listing
  - For Apple App Store: https://developer.apple.com/app-store/product-page/
- Specific keywords for searching purpose (optional)
Recommended Coding Standards
- In order to ensure the stability and the compatibility of the mobile apps, it is suggested that mobile apps be developed with native code (Kotlin or Java for Android; Swift or Objective-C for iOS).
- Use of an open-source development kit for UI or widely adopted frameworks such as Flutter or React Native is strongly recommended.
- Adopt the app icon template. Community-contributed apps should not use this icon template for any purpose except as may be authorized by the University.
- Follow the mobile app naming convention:
  - The app name should be prefixed with “CityU” in the relevant app stores.
  - The app name shown on mobile devices should have “CityU” removed, as it is already included in the app icon.
- Maintain app upgrade and expiry logic.
- If the mobile app is an app version of a website, adopt the University’s web content management system as far as feasible so as to ensure that the contents of the app are consistent with the corresponding website.
- Developers should also be aware of the app development/quality guidelines provided by Apple and Google when developing iOS and Android mobile apps respectively.
  - Apple App Store Review Guidelines: https://developer.apple.com/app-store/review/guidelines/
  - Google Quality Guidelines: https://developer.android.com/docs/quality-guidelines/, especially the Core app quality: https://developer.android.com/docs/quality-guidelines/core-app-quality
App Owners Responsibilities
The mobile app owners are solely responsible for the accuracy and the propriety of their application contents. They should also abide by relevant policies, including but not limited to those published on the ITS website, such as the Policies on Use of IT Services and Resources.
If the app will collect personal data, please observe the policy and procedures for handling personal data and ensure the personal data collected are properly handled. Detailed information can be found at the following URLs:
- https://www.cityu.edu.hk/fo/dataprotection/stafflan/dept_data_security_privacy_officers.htm
- https://www.cityu.edu.hk/fo/dataprotection/resources_from_PCPD.htm
Should the related web applications/servers, if any, become the target of a network attack or of an investigation arising from a security incident, the Central IT reserves the right to take any necessary actions (including, but not limited to, temporary suspension of the network traffic) in order to restore normal server or network operation. The Central IT may, without prior notice, take down the mobile app if it violates the University policies. The Central IT will not be liable for any damage or loss resulting from such action.
App icon template
for Adobe Illustrator CS5 or above
Instructions
- The upper region (University Identity) must follow the design from App Icon Template. The "CityU HK" abbreviation, colors, white spaces and style of any of the elements there should not be manipulated in any way.
- The lower region (App Identity) could be designed to match the tone of individual apps. A set of pre-defined backgrounds are provided in the template for quick start-up.
App upgrade and expiry logic
Usually, each mobile OS (iOS and Android) has a major release every year, with additional capabilities and security patches. Therefore, mobile app developers should update the mobile app at least once every 18 months, to provide a better end-user experience and to support the newly released mobile OS versions and devices.
Application logic should be built to require users to update to a minimum required version when necessary. The logic should also handle application decommissioning by preventing users from further using an app that is already installed on their mobile devices.
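One way to implement the minimum-version and decommissioning checks described above, as an added example that is not CityU's own code. It is plain JavaScript that could be called at launch from a React Native app; the policy fields (`decommissioned`, `minVersion`, `latestVersion`) and the action names are hypothetical.

```javascript
// Added example; the policy fields and action names are hypothetical.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse "major.minor.patch" into [major, minor, patch], or null if malformed.
function parseVersion(v) {
  const m = SEMVER.exec(typeof v === "string" ? v.trim() : "");
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so "1.10.0" is newer than "1.9.0".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A policy is usable only if every field has the expected shape.
function isValidPolicy(p) {
  return Boolean(p) && typeof p.decommissioned === "boolean" &&
    parseVersion(p.minVersion) !== null && parseVersion(p.latestVersion) !== null;
}

// Decide at launch what the installed build may do.
// fetched: policy just downloaded over HTTPS (null when offline);
// cached: last valid policy stored on the device (null on first run).
function evaluateAppPolicy(installedVersion, fetched, cached) {
  const installed = parseVersion(installedVersion);
  if (!installed) return { action: "BLOCK_UPDATE_REQUIRED", reason: "unknown-build" };
  // Fall back to the cached policy so going offline cannot lift a block.
  const policy = isValidPolicy(fetched) ? fetched : isValidPolicy(cached) ? cached : null;
  if (!policy) return { action: "ALLOW", reason: "no-policy" }; // assumption: first offline run is allowed
  if (policy.decommissioned) return { action: "BLOCK_DECOMMISSIONED", reason: "app-retired" };
  if (compareVersions(installed, parseVersion(policy.minVersion)) < 0) {
    return { action: "BLOCK_UPDATE_REQUIRED", reason: "below-minimum" };
  }
  if (compareVersions(installed, parseVersion(policy.latestVersion)) < 0) {
    return { action: "SUGGEST_UPDATE", reason: "newer-available" };
  }
  return { action: "ALLOW", reason: "up-to-date" };
}

// Constructed sample policies for illustration.
const SAMPLE_POLICY = { decommissioned: false, minVersion: "2.3.0", latestVersion: "2.10.1" };
const RETIRED_POLICY = { decommissioned: true, minVersion: "2.3.0", latestVersion: "2.10.1" };
```

A client-side gate can be removed from a modified build, so the application servers should apply the same minimum version and decommissioning state to incoming requests.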