How secure is the Microsoft Apps store in Windows 8

We all have iPhones and iPads. We were advised, and found within our own research, that prior to Apple placing an app in the Apple Apps Store, they test it for irregularities, security, etc. If all is OK, Apple permits the app to be downloaded from Apple's Apps Store.

We wanted to know if Microsoft does something similar or how secure are the apps placed in the MS Apps Store.

(We placed this in the iPhone zone in case an EE expert in Apple can include their comments.)
Scobber commented:
Microsoft classifies each application and what privacy settings it will violate.
Access to contact list
Access to location
Access to Pictures Library

I, as the developer, can't ask the end user to agree to access to the pictures library and omit the location services if my application references location services.

There are some specifics on the platform. But you need to understand that with all these stores: how much do they actually do? Is the level of testing really that intensive on the Apple store, or does the community just accept that they test it?

I can't answer your question definitively. But I can say that the developer has no control over what Microsoft tells the end user my application has access to.

I can't write an application that reads the location and reports the position using mobile data without the disclosure that "This application requires location services and data access, do you want it to run?"
Some of your questions are answered here:
rayluvs (author) commented:
Appreciate the link, we have various. We placed the question because we are overwhelmed with so much info that we have found; we need EE knowledge or experience in this matter.
Scobber commented:
As a Windows Phone developer,

Every app I develop for Windows Phone gets tested by Microsoft. They ensure that the application fits into their model of how things should be done. If there is anything untoward to the end user, the application is rejected and the problems must be fixed before it is resubmitted.

Things that Microsoft can reject for are: parts of the .NET Framework targeted for countries where the use is sensitive, Bing Maps in China, and high-security export controls.

If the application consumes too much memory, then the developer is asked to address the problem. The same is true for security concerns that Microsoft might have.

Before any application can be used on a normal device, it must be signed by the developer's code-signing certificate, which is held at Microsoft. Part of the developer's membership fee is for the code-signing certificate, which for security reasons cannot be used by the developer directly.
rayluvs (author) commented:
Thank you very much!

How about issues of security? For example, you as a developer develop an app that may have hidden code that sends the contacts list to a server (for example). Does Microsoft have these types of testing before permitting it to appear in the Ms Apps Store?
ded9 commented:
You also have the Windows SmartScreen feature, which protects your computer from launching unwanted apps or data.

Control Panel\All Control Panel Items\Action Center

Links might help

SmartScreen does not apply to the "App Store" and Metro.

While on a Win 7 Pro machine you can launch 3rd-party apps, through the app store you can't launch anything that has not passed the certification process. A Windows RT machine (stock) can't launch anything that was not signed by a Microsoft root certificate.

I am aware these have been jailbroken, but in the stock configuration, unless it's a "Developer Unlocked" system or tablet, Metro won't launch a single thing without Microsoft certification, rendering SmartScreen moot.
rayluvs (author) commented:
OK, I think I understand, but let me put it way out there so we here can be clear as to what Microsoft tests for (and this based on your own experience developing apps for the Ms Apps Store):

As you say, "I can't write an application that reads the location and reports the position using mobile data without the disclosure that This application requires location services and data access, do you want it to run".

Now let's say you write an application whose design is just to run "ipconfig" and report it on the user's screen. However, you have hidden code that "reads the contacts from the present Outlook and sends them to your server".

Based on this, and as you indicated in "ID: 38825384" regarding privacy, when MS runs and tests your app prior to placing it in the Store, does the testing detect any code that may be accessing privacy data when the app is not designed to access that specific privacy data?

Please note, we know you guys don't develop for malicious coding; we only want to set an extreme condition and have your feedback because of your experience in this topic.

Again, thank you very much!
Scobber commented:
4.1.2 Your app must obtain opt-in or equivalent consent to share personal information

Your app can publish a customer’s personal information to a service or other person only after obtaining opt-in consent.

Opt-in consent means the customer gives their express permission for the requested activity, after you have:

a) Described to the customer how the information will be used or shared; and

b) Provided the customer a mechanism through which they can later rescind this permission and opt-out, while continuing to use the app.

If your app publishes a person’s personal information, but that person is not a customer, you must obtain express written consent to publish that personal information, and you must permit the person whose information is shared to withdraw that consent at any time. If your app allows a customer to access another person’s personal information, this requirement would also apply.

Personal information includes all information or data that could reasonably be used to identify a person. Examples of personal information include: contacts, photos, phone number, audio & video recordings, location, SMS or other text communication, images of the computer’s desktop or screen shots, unique identifiers based on the computer's hardware, and in some cases, combined browsing history.

4.2 Your app must respect system settings for notifications and remain functional when they are disabled

This includes the presentation of ads and notifications to the customer, which must also be consistent with the customer’s preferences, whether the notifications are provided by the Windows Push Notification Service or any other service. If a customer disables the notification function, either on an app-specific or a system-wide basis, your app must remain functional.

4.3 Your app must not jeopardize or compromise the security or functionality of the Windows system

Additionally, the app must not include, link to, distribute through the Windows Push Notification Service, or otherwise provide an entry point for viruses, malware, or any other malicious software, to access the customer’s Windows system. The app must not modify or delete customers’ data without their consent.

The Windows system includes the computer running Windows, any software running on that computer, and any computers or software communicating with that computer.

Windows Store Privacy Requirements
rayluvs (author) commented:
We think your answer just increased our concern about how Microsoft works with our privacy and protection. It seems that there is a loophole in Ms privacy policy to protect the end user.

What you're saying means a developer can insert malicious code as long as the developed app obtains an opt-in or equivalent consent to share personal information of the user's PC.

For example, we downloaded the "unpacker" app from the Ms Apps Store for Windows 8. The essence of the app is just unzipping compressed files. To apply what you're saying: if the developer can obtain an opt-in for this app, he can include code that, when finished unpacking a file, can go and access other user data and do whatever it wants.

Can something like this occur? Can a developer insert code that is not part of the original app's design and that would infringe on end-user privacy?

We are hoping we are formulating our original question so it can be accurately answered accordingly.
Scobber commented:
Of course it *could* occur. It's also up to the end user to look at what an application requires and decide whether to allow it to access pictures, or data. I've seen heaps of applications on iTunes that want access to location services. But the app knowing your location does not give you a more "rich" experience from it knowing your location.

It's worth remembering that not even Apple is immune to this type of attack:
Malicious app penetrates iTunes store to test security

The users of these systems just assume there is work being done in the background to validate apps and there is no risk. And they get too complacent, when in actual fact nothing is perfect, particularly when you have determined people who would love to see the big tech companies red-faced.

The thing to take away is yes this *could* happen.
However Microsoft (and Apple) will always do what's in the best interest of the user. The user is just as responsible for the applications they install and give access to particular systems on their smartphone or tablet.
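
The point made above, that the user has to look at what an application requires, can be checked against the app package's manifest. The following is an added example, not part of the original thread: it lists the capabilities an AppxManifest.xml declares and flags the case where a personal-data capability is declared together with network access. The manifest is constructed sample data, and the `PRIVACY`/`NETWORK` groupings and the `expected` argument are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: manifest of a hypothetical unzip-only app.
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Example.Unpacker" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="picturesLibrary" />
    <DeviceCapability Name="location" />
  </Capabilities>
</Package>"""

# Groupings are this example's assumption, built from Windows 8 capability names.
PRIVACY = {"picturesLibrary", "videosLibrary", "musicLibrary",
           "documentsLibrary", "location", "webcam", "microphone"}
NETWORK = {"internetClient", "internetClientServer", "privateNetworkClientServer"}


def declared_capabilities(manifest_xml):
    """Return the set of Capability/DeviceCapability names in a manifest."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if local in ("Capability", "DeviceCapability") and el.get("Name"):
            caps.add(el.get("Name"))
    return caps


def review(manifest_xml, expected=()):
    """Compare declared capabilities with what the app's purpose needs.

    `expected` is the reviewer's own list of capabilities that fit the
    app's stated function (empty for a tool that only unzips files).
    """
    caps = declared_capabilities(manifest_xml)
    return {
        "declared": sorted(caps),
        "unexpected": sorted(caps - set(expected)),
        # Personal data plus a network capability means data could leave the device.
        "can_export_personal_data": bool(caps & PRIVACY and caps & NETWORK),
    }


if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST))
```

A clean result only reflects what the app declared and the user was shown; it says nothing about what the code does with an access once it has been granted.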
rayluvs (author) commented:
Thanx All!