Guide to Mobile App Development and Publication

Background

On behalf of City University of Hong Kong, the Computing Services Centre (CSC) has subscribed the Apple Developer Program/Apple Developer Enterprise Program for Apple iOS platform and the Google Play Developer for Android platform under the name “City University of Hong Kong” (“CityU”). If departments wish to publish an app, which provides a university service, under “CityU” on the Apple App Store or the Google Play Store, please raise an online CSC Work Request.

The following sections summarize the guidelines on mobile app development and deployment. Please go through the following guidelines with your developer(s) to prepare for the app before kicking start the project.

About the App

Only mobile apps, which provide university services to the communities, are recommended to be published under “CityU” on the Apple App Store or the Google Play Store. Research projects or departmental apps, which target at limited group of staff and/or students, may be considered for distributing locally in the form of APK formatted file (for Android) or IPA* formatted file (for iOS).

*For distributing iOS IPA formatted file, a membership of Apple Developer Enterprise Program is required. Departments should submit the source code to the CSC for code review, compilation and signing with the CityU iOS Distribution Certificate. Please refer to the sections “App Coding and Design” and “App Security” below for details.

App Coding and Design

• In order to ensure the stability and the compatibility of the mobile apps, it is suggested that  mobile apps be developed with native codes (kotlin or Java for Android; and Swift or Objective-C for iOS).
• Adopt app icon template. Community-contributed apps should not use this icon template for any purpose except as may be authorized by the Univeristy.
• Follow mobile app naming convention
  • The app name should be prefix with “CityU” in the relevant app stores.
  • The app naming showing in the mobile devices should be shortened as “CityU” has been included in the app icon.
• Maintain app upgrade and expiry logic
• Adopt the University’s web content management system as far as feasible so to ensure content in the app be consistent with web sites.
• The mobile app owners are solely responsible for the accuracy and the propriety of their application contents.  They should also conform to the Policies on Use of IT Services and Resources and the prevailing policies.
• Developers should also be aware of the app development/quality guidelines provided by Apple and Google when developing iOS and Android mobile app respectively.
• Apple App Store Review Guidelines: https://developer.apple.com/app-store/review/guidelines/
• Google Quality guidelines: https://developer.android.com/docs/quality-guidelines/,
  especially the Core app quality: https://developer.android.com/docs/quality-guidelines/core-app-quality

Personal Data Collection

If the app will collect personal data, please observe the policy and procedures for handling personal data and ensure the personal data collected are proper handled. Detailed information can be found at the following URLs:

• https://www.cityu.edu.hk/vpad/stafflan/dept_data_security_privacy_officers.htm
• https://www.cityu.edu.hk/vpad/resources_from_PCPD.htm
  

App Security

• When the mobile app is ready to publish, the source code should be provided to the CSC for code review in order to ensure it meets the application security standard.  If no security issue is found, the app will be compiled, signed with CityU certificate*, and published to the Apple App Store and/or the Google Play Store by the CSC. (The code review process takes about 10 working days. After uploading the app to the Apple App Store, Apple will perform an app review, which usually takes 24 hours.  The app will then be released to the Apple App Store if no problem is found.  Therefore, you may expect it will take another 1-2 days for the app to be released in the Apple App Store and the Google Play Store after the code review.)
• If the mobile app communicates with other web applications, HTTPS protocol has to be used. The corresponding web applications should be hosted in servers resided within CityU Campus Network, and underwent a Web Application Vulnerability Scan performed by the CSC. Otherwise, prior approval should be obtained from the Director of Computing Services (DCS).
• If the mobile app enables push notification, the corresponding push notification server should be resided within CityU Campus Network.  The push notification applications should also underwent a Web Application Vulnerability Scan performed by the CSC.  Otherwise, prior approval should be obtained from the DCS.

*For security reasons, the CSC will not provide the iOS Distribution Certificate to departments/developers.

What should be submitted to the CSC

• Source code (as detailed in the previous section)
• Information  to be shown in the app store product page (e.g. screenshots, descriptions, videos, etc.) as described at the URLs below:
  • For Google Play Store: https://developer.android.com/distribute/best-practices/launch/store-listing
  • For Apple App Store: https://developer.apple.com/app-store/product-page/
• Specific keywords for searching purpose (optional)

Service Rights and Termination

Should the related web applications/servers, if any, become the target of a network attack or an investigation arisen from a security incident, the Central IT reserves the right to take any necessary actions (including, but not limited to, temporary suspension of the network traffic) in order to restore normal server or network operation. The Central IT may, without prior notice, take down the mobile app, if such mobile app violates the University policies. The Central IT will not be liable for any damage or loss resulted from such action.

 

IT.ServiceDesk@cityu.edu.hk