Mobile App Development and Publication Guidelines

These guidelines do not apply to apps published by individual student, staff, or non-CityU organisation.

Background

Central IT subscribed to the Apple Developer Program/Apple Developer Enterprise Program for Apple iOS platform and the Google Play Developer for Android platform under the name “City University of Hong Kong” (“CityU”).  Mobile apps providing university services to the communities can be published under “City University of Hong Kong” on the Apple App Store or the Google Play Store.  Research projects or departmental apps, which target at a limited group of staff and/or students, may consider distributing the apps using in the format of APK for Android or IPA for iOS.

If departments wish to publish an app to these stores related to their operations, departments should raise an online CSC Work Request.  To speed up the process, departments are advised to send this information to the developer(s) before kicking start the project.

App Review

Regardless of distribution channels, all apps distributed/published with "City University of Hong Kong" affiliation require source code review for security by the Central IT.  The Central IT shall review the followings:

  1. Relevance with City University of Hong Kong;
  2. User sign-up and authentication mechanism;
    (if applicable, developer should leverage the institution's identity access management solution to authenticate users using either OAuth, SAML, or Open ID Connect)
  3. The system and system architecture of the application servers (Web, API, etc) interacting with the app;
  4. Communication protocol (encrypted communication protocol such as https must be used);
  5. Data Storage
    The data collected or generated should be stored in secured data repository.  Personal data should be encrypted.
  6. Web Applications Security
    The corresponding web applications should be hosted in servers and underwent a Web Application Vulnerability Scan performed by the Information Security Unit (ISU) of OCIO.
  7. Mobile device functionalities settings on need basis (ie. Push Notifications, Camera, Mic, Bluetooth, GPS, Storage, etc);
  8. Push notification mechanism adopted;
  9. Proper use of CityU logos and adherence to the App Icon Design Guidelines.

Once the Central IT review is completed, the app will be compiled and signed with CityU certificates* and be published to the Apple App Store and/or the Google Play Store by the CSC.  Depending on the complexity, the review process may take about 10 working days.  For Apple App Store, the app will be further reviewed by Apple, which may take from one day to multiple weeks.  Uppon approval, the app will then be released to the Apple App Store.  Therefore, you may expect the whole process to take at least a week to complete before they are published.

* For security reasons, the CSC will not provide the iOS Distribution Certificate to departments/developers.


What should be submitted to the Central IT



Recommended Coding Standards

  • In order to ensure the stability and the compatibility of the mobile apps, it is suggested that mobile apps be developed with native codes (kotlin or Java for Android; and Swift or Objective-C for iOS).
  • Use of opensource development kit for UI or widely adopted frameworks such as Flutter or React Native is strongly recommended.
  • Adopt app icon template.  Community-contributed apps should not use this icon template for any purpose except as may be authorized by the University.
  • Follow mobile app naming convention
    • The app name should be prefixed with “CityU” in the relevant app stores.
    • The app naming showing in the mobile devices should have “CityU” be removed as it has been included in the app icon.
  • Maintain app upgrade and expiry logic.
  • If the mobile app is an app version of a website, adopt the University’s web content management system as far as feasible so as to ensure the contents in the app be consistent with the corresponding website.
  • Developers should also be aware of the app development/quality guidelines provided by Apple and Google when developing iOS and Android mobile app respectively.


App Owners Responsibilities

The mobile app owners are solely responsible for the accuracy and the propriety of their application contents.  They should also abide by policies relevant but not limited to those published in the ITS website, such as Policies on Use of IT Services and Resources

If the app will collect personal data, please observe the policy and procedures for handling personal data and ensure the personal data collected are properly handled.  Detailed information can be found at the following URLs:

Should the related web applications/servers, if any, become the target of a network attack or an investigation arisen from a security incident, the Central IT reserves the right to take any necessary actions (including, but not limited to, temporary suspension of the network traffic) in order to restore normal server or network operation. The Central IT may, without prior notice, take down the mobile app, if such mobile app violates the University policies.  The Central IT will not be liable for any damage or loss resulted from such action.



App icon template

Download app icon template
for Adobe Illustrator CS5 or above
template1.png
template2.png
template3.png
template4_0.png
template5.png
template6.png

Instructions

  • The upper region (University Identity) must follow the design from App Icon Template. The "CityU HK" abbreviation, colors, white spaces and style of any of the elements there should not be manipulated in any way.
  • The lower region (App Identity) could be designed to match the tone of individual apps. A set of pre-defined backgrounds are provided in the template for quick start-up.
mobile-app-alteration.png


App upgrade and expiry logic

Usually, mobile OS (iOS and Android) will have a major release every year, with additional capability and security patches. Therefore, mobile app developer should update the mobile app at least once every 18 months, to provide better end-user experience and to support the newly released mobile OS and devices.

Application logic should be built to enforce users to update to a minimum required version when necessary. The logic should also handle application decommissioning by preventing users from further using the app that is already installed on their mobile devices.