Microsoft enforces new Windows Phone Store policy; removes apps with vulnerabilities

Microsoft has announced this week that it will be removing Windows Phone apps that the company deems to have critical vulnerabilities. Microsoft notes in a TechNet blog post that developers will be provided 180 days to patch the issues in their app or their work will be pulled from the store, preventing consumers from accessing the app from their smartphones or via the web.

The 180-day guideline is in place for apps that have not been exploited in the wild. For those that have vulnerabilities and have been exploited, Microsoft reports that it may look at removing the offending app even sooner. This policy applies to the Windows Phone Store, and it will also cover the Office Store and Azure Marketplace.

Dustin Childs, the Group Manager for Response Communications for Microsoft Trustworthy Computing, noted the following in a previous blog post:

"We want our customers to know that, if there's a problem, we'll be working on a solution. But there are some things that can affect your computing experience that I can't directly control. For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."

Microsoft actively publishes vulnerabilities found in its own suite of apps and services, including Internet Explorer. We welcome this move by Microsoft to really tackle the issue of app security with third-party developers. We've previously looked at the issue of spam apps on the Windows Phone Store, and while Microsoft has been slow to act on such content, it's definitely more important to square away potential security threats.

Windows Phone is still growing as a platform and Redmond certainly needs to show the world of consumers that it's both safe and secure to use Windows Phone and apps available on the store, especially if it's to heavily promote the likes of Kid's Corner.

Source: TechNet, via: InfoWorld

Rich Edmonds
Senior Editor, PC Build

  • Awesome, finally and thank you from a user/consumer perspective!
  • I see credit card numbers...
  • 4567? Hmmm
  • Android has better security /Troll
  • Yeah, troll.
  • Are you crazy? Android has the worst security of all the mobile OSes; everybody, including Google, knows this.
  • Android's security sucks. They just found a big security hole in Android, plus it's one of the only mobile OSes that you need antivirus software for, if you think it's more secure. All I've got to say is wow, you're asking to get your data stolen by some software that Google let on their store because they take forever before they scan it. Good luck with that.
  • Pretty sure he was joking, folks... relax, lol.
  • Yea lmao he was being sarcastic
  • First!
  • [Long, slow clap you often see in movies.]
  • Lmbo good one
  • Giving the weird look at the lonely clapping guy in the hall. :P
  • +1
  • Why does MS have to be so much the opposite of Google? /s
  • Still remember Windows Phone's first slogan? Put people first.
  • Like its slogan: Put people first (not money).
  • Put peoples money first
  • It's just your own opinion, while I agree about that slogan if you refer it to others than MSFT (AAPL or GOOG).
  • Sounds good.
  • By this does it mean only security vulnerabilities or even the apps need to be more optimized and not have any vulnerability in its operation?
  • Maybe make a change log mandatory
  • Would certainly help!
  • +920
  • 180 days is too long. 60 days then remove them and issue refunds.
  • Very happy to see this is why I trust my data with Microsoft the most!
  • As much as I dislike Apple, I would trust them with my data... just not my wallet.
  • *Microsoft
    2nd to last paragraph it says: Mcirosoft
  • +1
  • I'm curious, given the sandboxed nature of apps, as to exactly what vulnerabilities can exist here. If an app itself is doing something malicious, it should be instantly removed.
    Is this more if the SDK is found to include vulnerabilities, so that developers may need to resubmit apps against an updated SDK?
  • I think it's more about the SDK or just general security leaks such as not encrypting data streams and the like. Regardless, I'm okay with them taking a stand on security... even if it's just a hypothetical exploit, it's always better to choose safety first.
  • One of the main reasons why I'm sticking with WP. Bumping up the security is one thing... bumping up the app count is another.
  • So, will Whatsapp fall under
    "... For example, we can't directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated."
    :frustrated user:
  • He was being sarcastic
  • Whatsapp has 119 days lol hahaha
  • Lool whatsapp :/
  • I feel like Kik Messenger is in the same boat.
  • The real headline here should be "MS allows apps with known critical vulnerabilities to remain in store anyway". 180 days?? They should stop distributing them immediately! Provided they are able to give sufficient details to the developer, anyway, which they should be able to. Also, how do they know whether these vulnerabilities have been exploited or not? How is it responsible behavior to continue distributing apps with known critical vulnerabilities in an app store where they have total control? And of course they don't automatically know about every vulnerability that exists.
    I could imagine a possible exemption if the vulnerability was caused by Microsoft.  Then it would be reasonable to give the developer maybe as much as 30-60 days after a fix becomes possible.  But otherwise, forget it.
    Btw, I'm talking about stopping distribution to new users, same as the story, which is not such a drastic measure as say, a kill switch for existing users.  Although it would be good to automatically notify those users or at least give them some way to find out which vulnerable apps they're using (especially finance-related apps!) so they can act accordingly to protect themselves.
  • I agree, tgr42! If it's a security risk, pull the app from the store until an update or fix has been submitted.
  • another reason to stay on wp
  • I guess anything Google will be removed now lol.
  • This is why android's app market fails. Microsoft is doing the right thing. Good Job MS!
  • What does it mean by critical vulnerabilities?