
Microsoft enforces new Windows Phone Store policy; removes apps with vulnerabilities


Microsoft has announced this week that it will be removing Windows Phone apps that the company deems to have critical vulnerabilities. Microsoft notes in a TechNet blog post that developers will be provided 180 days to patch the issues in their app or their work will be pulled from the store, preventing consumers from accessing the app from their smartphones or via the web.

The 180-day guideline is in place for apps that have not been exploited in the wild. For those that have vulnerabilities and have been exploited, Microsoft reports that it may look at removing said offending app even sooner. This policy spans across the Windows Phone Store, but it will also cover the Office Store and Azure Marketplace.

Dustin Childs, the Group Manager for Response Communications for Microsoft Trustworthy Computing, noted the following in a previous blog post:

"We want our customers to know that, if there's a problem, we'll be working on a solution. But there are some things that can affect your computing experience that I can't directly control. For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."

Microsoft actively publishes vulnerabilities found in its own suite of apps and services, including Internet Explorer. We welcome this move by Microsoft to really tackle the issue with app security and third-party developers. We've previously looked at the issue with spam apps on the Windows Phone Store and while Microsoft has been slow to act on such content, it's definitely more important to square away potential security threats.

Windows Phone is still growing as a platform and Redmond certainly needs to show the world of consumers that it's both safe and secure to use Windows Phone and apps available on the store, especially if it's to heavily promote the likes of Kid's Corner.

Source: TechNet, via: InfoWorld


Reader comments


43 Comments

Android's security sucks, they just found a big security hole in Android, plus it's one of the only mobile OSes that you need an antivirus software, if you think it's more secure. All I got to say is wow, you're asking to get your data stolen by some software that Google let on their store because they take forever before they scan it. Good luck with that.

It's just your own opinion, while I agree about that slogan if you refer it to others than MSFT (AAPL or GOOG).

By this does it mean only security vulnerabilities or even the apps need to be more optimized and not have any vulnerability in its operation?

I'm curious given the sandboxed nature of apps as to exactly what vulnerabilities can exist here. If an app itself is doing something malicious, it should be instantly removed.
Is this more if the SDK is found to include vulnerabilities that developers may need to resubmit apps against an updated SDK?

I think it's more about the SDK or just general security leaks such as not encrypting data streams and the like. Regardless, I'm okay with them taking a stand on security... even if it's just a hypothetical exploit, it's always better to choose safety first.

one of the main reason why i'm sticking with WP.. bumping up the security is one thing... bumping up the APP count is another.. 

So, Will Whatsapp fall under 

"... For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."

:frustrated user:

The real headline here should be "MS allows apps with known critical vulnerabilities to remain in store anyway".  180 days??  They should stop distributing them immediately!  Provided they are able to give sufficient details to the developer, anyway, which they should be able to.  Also, how do they know whether these vulnerabilities have been exploited or not?  How is it responsible behavior to continue distributing apps with known critical vulnerabilities in an app store where they have total control?  And of course they don't automatically know about every vulnerability that exists.
 
I could imagine a possible exemption if the vulnerability was caused by Microsoft.  Then it would be reasonable to give the developer maybe as much as 30-60 days after a fix becomes possible.  But otherwise, forget it.
 
Btw, I'm talking about stopping distribution to new users, same as the story, which is not such a drastic measure as say, a kill switch for existing users.  Although it would be good to automatically notify those users or at least give them some way to find out which vulnerable apps they're using (especially finance-related apps!) so they can act accordingly to protect themselves.