Solved

How secure is the Microsoft Apps store in Windows 8

Posted on 2013-01-27
13
481 Views
Last Modified: 2014-11-12
We all have iPhones and iPads.  We were advised, and found within our own research, that before Apple places an app in the Apple Apps Store, they test it for irregularities, security, etc. If all is OK, Apple permits the app to be downloaded from Apple's Apps Store.

We wanted to know if Microsoft does something similar or how secure are the apps placed in the MS Apps Store.

(We placed this in the iPhone zone in case an EE expert in Apple can include their comments.)
0
Question by:rayluvs
13 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 38824929
Some of your questions are answered here: http://en.wikipedia.org/wiki/Windows_Store
0
 

Author Comment

by:rayluvs
ID: 38824950
Appreciate the link, we have various.  We placed the question because we are overwhelmed with so much info that we have found; we need EE knowledge or experience in this matter.
0
 
LVL 7

Assisted Solution

by:Scobber
Scobber earned 400 total points
ID: 38825005
As a Windows Phone Developer,

Every app I develop for Windows Phone gets tested by Microsoft. They ensure that the application fits into their model of how things should be done; if there is anything untoward to the end user, the application is rejected and the problems must be fixed before it is resubmitted.

Things that Microsoft can reject for are: parts of the .NET Framework targeted for countries where the use is sensitive, Bing Maps in China, and high-security export controls.

If the application consumes too much memory then the developer is asked to address the problem. The same is true for security concerns that Microsoft might have.

Before any application can be used on a normal device it must be signed by the developer's code-signing certificate, which is held at Microsoft. Part of the developer's membership fee is for the code-signing certificate, which for security reasons cannot be used by the developer directly.
0
 

Author Comment

by:rayluvs
ID: 38825070
Thank you very much!

How about issues of security? For example, you as a developer develop an app that may have hidden code where it sends the contacts list to a server (for example).  Does Microsoft have these types of testing before permitting it to appear in the MS Apps Store?
0
 
LVL 7

Accepted Solution

by:Scobber
Scobber earned 400 total points
ID: 38825384
Microsoft classifies each application and what privacy settings it will violate.
E.g.:
Access to contact list
Access to location
Access to Pictures Library
etc...

I, as the developer, can't ask the end user to agree to access to the pictures library and omit the location services if my application references location services.

There are some specifics on the platform. But you need to understand that with all these stores, how much do they actually do? Is the level of testing really that intensive on the Apple store, or does the community just accept that they test it?

I can't answer your question definitively. But I can say that the developer has no control over what Microsoft tells the end user my application has access to.

I can't write an application that reads the location and reports the position using mobile data without the disclosure that "This application requires location services and data access. Do you want it to run?"
0
 
LVL 30

Assisted Solution

by:ded9
ded9 earned 100 total points
ID: 38825861
You also have the Windows SmartScreen feature, which protects your computer from launching unwanted apps or data.

Control Panel\All Control Panel Items\Action Center

Links might help

http://msdn.microsoft.com/en-in/library/windows/apps/hh694083.aspx
http://msdn.microsoft.com/en-in/library/windows/apps/br230836.aspx


Ded9
0
 
LVL 7

Expert Comment

by:Scobber
ID: 38825942
SmartScreen does not apply to the "App Store" and Metro.

While on a Win 7 Pro machine you can launch 3rd party apps, through the app store you can't launch anything that has not passed the certification process. A Windows RT machine (stock) can't launch anything that was not signed by a Microsoft root certificate.

I am aware these have been jailbroken, but in the stock configuration, unless it's a "Developer Unlocked" system or tablet, Metro won't launch a single thing without Microsoft certification, rendering SmartScreen moot.
0
 

Author Comment

by:rayluvs
ID: 38829763
OK, I think I understand, but let me put it way out there so we here can be clear as to what Microsoft tests for (and this based on your own experience developing apps for the MS Apps Store):

As you say "I can't write an application that reads the location, and reports the position using mobile data without the disclosure that This application requires location services and data access do you want it to run".

Now let's say you write an application whose design is just to run "ipconfig" and report it to the user on his/her screen.  However, you have hidden code that "reads the contacts from the present Outlook and sends them to your server".

Based on this, and as you indicated in "ID: 38825384" regarding privacy, when MS runs and tests your app prior to placing it in the Store, does the testing detect any code that may be accessing privacy data when the app is not designed to access that specific privacy data?

Please note, we know you guys don't develop for malicious coding; we only want to set an extreme condition and have your feedback because of your experience in this topic.

Again, thank you very much!
0
 
LVL 7

Assisted Solution

by:Scobber
Scobber earned 400 total points
ID: 38829982
4.1.2 Your app must obtain opt-in or equivalent consent to share personal information

Your app can publish a customer’s personal information to a service or other person only after obtaining opt-in consent.

Opt-in consent means the customer gives their express permission for the requested activity, after you have:

a) Described to the customer how the information will be used or shared; and

b) Provided the customer a mechanism through which they can later rescind this permission and opt-out, while continuing to use the app.

If your app publishes a person’s personal information, but that person is not a customer, you must obtain express written consent to publish that personal information, and you must permit the person whose information is shared to withdraw that consent at any time. If your app allows a customer to access another person’s personal information, this requirement would also apply.

Personal information includes all information or data that could reasonably be used to identify a person. Examples of personal information include: contacts, photos, phone number, audio & video recordings, location, SMS or other text communication, images of the computer’s desktop or screen shots, unique identifiers based on the computer's hardware, and in some cases, combined browsing history.

4.2 Your app must respect system settings for notifications and remain functional when they are disabled

This includes the presentation of ads and notifications to the customer, which must also be consistent with the customer’s preferences, whether the notifications are provided by the Windows Push Notification Service or any other service. If a customer disables the notification function, either on an app-specific or a system-wide basis, your app must remain functional.

4.3 Your app must not jeopardize or compromise the security or functionality of the Windows system

Additionally, the app must not include, link to, distribute through the Windows Push Notification Service, or otherwise provide an entry point for viruses, malware, or any other malicious software, to access the customer’s Windows system. The app must not modify or delete customers’ data without their consent.

The Windows system includes the computer running Windows, any software running on that computer, and any computers or software communicating with that computer.

Windows Store Privacy Requirements
0
 

Author Comment

by:rayluvs
ID: 38831286
We think your answer just increased our concern about how Microsoft works with our privacy and protection.  It seems that there is a loophole in MS privacy policy to protect the end-user.

What you're saying means a developer can insert malicious code as long as the developed app obtains an opt-in or equivalent consent to share personal information of the user's PC.

For example, we downloaded the "unpacker" app from the MS Apps Store for Windows 8.  The essence of the app is just unzipping compressed files.  To apply what you're saying: if the developer can obtain an opt-in for this app, he can include code that would, when finishing unpacking a file, go and access other user data and do whatever it wants.

Can something like this occur?  Can a developer insert code that is not in the design of the original app and that would infringe on end-user privacy?

We are hoping we are formulating our original question so it can be accurately answered accordingly.
0
 
LVL 7

Assisted Solution

by:Scobber
Scobber earned 400 total points
ID: 38832693
Of course it *could* occur. It's also up to the end user to look at what an application requires and decide whether to allow it to access pictures, or data. I've seen heaps of applications on iTunes that want access to location services. But the app knowing your location does not give you a more "rich" experience from it knowing your location.

It's worth remembering that not even Apple is immune to this type of attack:
Malicious app penetrates iTunes store to test security

The users of these systems just assume there is work being done in the background to validate apps and there is no risk. And they get too complacent. When in actual fact nothing is perfect. Particularly when you have determined people who would love to see the big tech companies red faced.

The thing to take away is yes this *could* happen.
However Microsoft (and Apple) will always do what's in the best interest of the user. The user is just as responsible for the applications they install and give access to particular systems on their smartphone or tablet.
0
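The check the answers above leave to the user, comparing what an app declares it needs against what its purpose requires, can be automated. The following is an added example, not part of any post in this thread: it parses a Windows Store package manifest (AppxManifest.xml) and reports declared capabilities beyond an expected set. The sample manifest, the app name and the expected set for an "unpacker" are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed manifest for a hypothetical "unpacker" app (not a real package).
SAMPLE_MANIFEST = """<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Identity Name="Example.Unpacker" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="picturesLibrary" />
    <Capability Name="removableStorage" />
    <DeviceCapability Name="location" />
  </Capabilities>
</Package>"""

# Windows 8 capability names, grouped by what they give the app.
NETWORK = {"internetClient", "internetClientServer", "privateNetworkClientServer"}
PERSONAL_DATA = {"documentsLibrary", "picturesLibrary", "videosLibrary",
                 "musicLibrary", "removableStorage", "location",
                 "webcam", "microphone"}


def declared_capabilities(manifest_xml):
    """Return the Name of every Capability/DeviceCapability element."""
    names = []
    for el in ET.fromstring(manifest_xml).iter():
        # Compare local names so newer namespace prefixes are matched too.
        if el.tag.rsplit("}", 1)[-1] in ("Capability", "DeviceCapability"):
            if el.get("Name"):
                names.append(el.get("Name"))
    return names


def audit(manifest_xml, expected):
    """Compare declared capabilities with what the app's purpose needs."""
    caps = set(declared_capabilities(manifest_xml))
    return {
        "unexpected": sorted(caps - set(expected)),
        "personal_data": sorted(caps & PERSONAL_DATA),
        # Personal data plus a network path means data could leave the device.
        "data_can_leave_device": bool(caps & PERSONAL_DATA and caps & NETWORK),
    }


if __name__ == "__main__":
    # Assumption: a file unpacker only needs removable storage access.
    report = audit(SAMPLE_MANIFEST, expected={"removableStorage"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A manifest shows only what an app is allowed to reach, not what its code does with that access, so a clean report narrows the question rather than settling it.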
 

Author Comment

by:rayluvs
ID: 38833642
Thanx
0
 

Author Closing Comment

by:rayluvs
ID: 38833658
Thanx All!
0
