Windows Phone Store permissions flaw patched by Microsoft, allowed apps to access photos

The Windows Phone Store received a bug fix recently, closing a hole that allowed developers to publish applications that could access a user’s photo library without the user's permission. The quirk was originally brought to our attention by developer Al Gihuni, who makes the popular SoundCloud app SoundClone for Windows Phone (don't worry, that app is safe).

Gihuni demonstrated this quirk for us by submitting a test app to the Store – seen in this article's images – that required three capabilities: access to your photo library, phone identity, and owner identity. After the app passed through Microsoft’s certification processes, we opened up the Store app and navigated to the app listing. The listing only indicated the app needed phone and owner identity access, with no mention of access to the photo library.

Test app 'TicTacHum' walks us through the flaw

A deep dive into the app’s XAP and source code revealed no tricks, like obfuscation, were involved. In fact, we were able to reproduce the issue with our own simple submission. It's important to note, however, the app did not exploit a flaw in the underlying operating system. It properly indicated via its app manifest that photo library access was required. But this information wasn't surfaced to the user making the final install call. And that's where we have an issue.
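The mismatch described above can be checked mechanically by comparing what a package's manifest declares with what a listing shows. The following is an added example, not code from the article, the test app, or Microsoft; it assumes an unencrypted developer-side XAP, and the capability IDs are an assumed mapping of the article's three capabilities to Windows Phone manifest names. The manifest and the listed set are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "WMAppManifest.xml"

# Constructed sample manifest: photo library, phone identity, owner identity
# (assumed IDs for the three capabilities the article names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_MEDIALIB_PHOTO" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
    </Capabilities>
  </App>
</Deployment>"""


def build_sample_xap(manifest_xml=SAMPLE_MANIFEST):
    """Build an in-memory XAP (a ZIP archive) holding only the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest_xml)
    return buf.getvalue()


def declared_capabilities(xap_bytes):
    """Return the set of capability names declared in the package manifest."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = [n for n in z.namelist()
                 if n.rsplit("/", 1)[-1].lower() == MANIFEST.lower()]
        if not names:
            raise ValueError("no WMAppManifest.xml in package")
        root = ET.fromstring(z.read(names[0]))
    # Match on the local tag name so any manifest schema namespace is accepted.
    return {el.get("Name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name")}


def unsurfaced(xap_bytes, listed):
    """Capabilities the manifest declares that the listing does not show."""
    return sorted(declared_capabilities(xap_bytes) - set(listed))


if __name__ == "__main__":
    # Constructed listing: only the two identity capabilities are displayed.
    shown = ["ID_CAP_IDENTITY_DEVICE", "ID_CAP_IDENTITY_USER"]
    print(unsurfaced(build_sample_xap(), shown))
```
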

With the Store being the only place for users to evaluate an application’s permission set, these kinds of issues can be dangerous. A rogue actor, for example, could pass a clone of Flappy Bird through the Store and quietly access a user’s photo library, collecting and uploading the photos to a remote server. Photo leaks are especially dangerous, as photos often contain rich metadata, such as location info.

'TicTacHum' has access to our photos, though we didn't agree to that

As far as we know, an app exploiting this flaw never made it to the Store. And as of today, we can say that this flaw has been patched, after we raised the issue with Microsoft late last week.

Rafael Rivera