Microsoft enforces new Windows Phone Store policy; removes apps with vulnerabilities


Microsoft has announced this week that it will be removing Windows Phone apps that the company deems to have critical vulnerabilities. Microsoft notes in a TechNet blog post that developers will be provided 180 days to patch the issues in their app or their work will be pulled from the store, preventing consumers from accessing the app from their smartphones or via the web.

The 180-day guideline is in place for apps whose vulnerabilities have not been exploited in the wild. For apps with vulnerabilities that have been exploited, Microsoft reports that it may remove the offending app even sooner. This policy applies to the Windows Phone Store, and it will also cover the Office Store and Azure Marketplace.

Dustin Childs, the Group Manager for Response Communications for Microsoft Trustworthy Computing, noted the following in a previous blog post:

"We want our customers to know that, if there's a problem, we'll be working on a solution. But there are some things that can affect your computing experience that I can't directly control. For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."

Microsoft actively publishes vulnerabilities found in its own suite of apps and services, including Internet Explorer. We welcome this move by Microsoft to tackle app security among third-party developers. We've previously looked at the issue of spam apps on the Windows Phone Store, and while Microsoft has been slow to act on such content, it's definitely more important to square away potential security threats.

Windows Phone is still growing as a platform and Redmond certainly needs to show the world of consumers that it's both safe and secure to use Windows Phone and apps available on the store, especially if it's to heavily promote the likes of Kid's Corner.

Source: TechNet, via: InfoWorld



There are 43 comments.

rreszler says:

Awesome, finally and thank you from a user/consumer perspective!

WPSteve says:

I see credit card numbers...

Android has better security /Troll

jdholland79 says:

Are you crazy? Android has the worst security of all the mobile OSes; everybody, including Google, knows this.

jdholland79 says:

Android's security sucks. They just found a big security hole in Android, plus it's one of the only mobile OSes that you need antivirus software for, if you think it's more secure. All I've got to say is wow, you're asking to get your data stolen by some software that Google let on their store because they take forever before they scan it. Good luck with that.

Pretty sure he was joking, folks... relax, lol.

Yea lmao he was being sarcastic

AriesDog says:

[Long, slow clap you often see in movies.]

Nakazul says:

Giving the weird look at the lonely clapping guy in the hall. :P

tribexx says:

Why does MS have to be so much the opposite of Google? /s

Eas195 says:

Still remember Windows Phone's first slogan? Put people first.

Eas195 says:

Like its slogan: Put people first (not money).

Put peoples money first

Eas195 says:

It's just your own opinion, while I agree about that slogan if you refer it to others than MSFT (AAPL or GOOG).

Ankmeyester says:

By this does it mean only security vulnerabilities or even the apps need to be more optimized and not have any vulnerability in its operation?

adrian1338 says:

Maybe make a change log mandatory

Would certainly help!

Jazmac says:

180 days is too long. 60 days then remove them and issue refunds.

Very happy to see this is why I trust my data with Microsoft the most!

As much as I dislike Apple, I would trust them with my data... just not my wallet.

2nd to last paragraph it says: Mcirosoft

realwarder says:

I'm curious, given the sandboxed nature of apps, as to exactly what vulnerabilities can exist here. If an app itself is doing something malicious, it should be instantly removed.
Is this more if the SDK is found to include vulnerabilities that developers may need to resubmit apps against an updated SDK?

I think it's more about the SDK or just general security leaks such as not encrypting data streams and the like. Regardless, I'm okay with them taking a stand on security... even if it's just a hypothetical exploit, it's always better to choose safety first.

b3rni3703 says:

One of the main reasons why I'm sticking with WP.. bumping up the security is one thing... bumping up the APP count is another..

makarand14 says:

So, Will Whatsapp fall under 

"... For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."

:frustrated user:

aitt says:

He was being sarcastic

Darren Walsh says:

Whatsapp has 119 days lol hahaha

Vb2012 says:

Lool whatsapp :/

I feel like Kik Messenger is in the same boat.

tgr42 says:

The real headline here should be "MS allows apps with known critical vulnerabilities to remain in store anyway".  180 days??  They should stop distributing them immediately!  Provided they are able to give sufficient details to the developer, anyway, which they should be able to.  Also, how do they know whether these vulnerabilities have been exploited or not?  How is it responsible behavior to continue distributing apps with known critical vulnerabilities in an app store where they have total control?  And of course they don't automatically know about every vulnerability that exists.
I could imagine a possible exemption if the vulnerability was caused by Microsoft.  Then it would be reasonable to give the developer maybe as much as 30-60 days after a fix becomes possible.  But otherwise, forget it.
Btw, I'm talking about stopping distribution to new users, same as the story, which is not such a drastic measure as say, a kill switch for existing users.  Although it would be good to automatically notify those users or at least give them some way to find out which vulnerable apps they're using (especially finance-related apps!) so they can act accordingly to protect themselves.

Dean Hepper says:

I agree tgr42! If it's a security risk, pull the app from the store until an update or fix has been submitted.

sumton says:

another reason to stay on wp

Kadcidxa says:

I guess anything Google will be removed now lol.

Colby Lee says:

This is why android's app market fails. Microsoft is doing the right thing. Good Job MS!

What does it mean by critical vulnerabilities?