Windows Phone Store permissions flaw patched by Microsoft, allowed apps to access photos

The Windows Phone Store received a bug fix recently, closing a hole that allowed developers to publish applications that could access a user’s photo library without their permission. The quirk was originally brought to our attention by developer Al Gihuni, who makes the popular SoundCloud app SoundClone for Windows Phone (don't worry, that app is safe).

Gihuni demonstrated this quirk for us by submitting a test app to the Store – seen in this article's images – that required three capabilities: access to your photo library, phone identity, and owner identity. After the app passed through Microsoft’s certification processes, we opened up the Store app and navigated to the app listing. The listing only indicated the app needed phone and owner identity access, with no mention of access to the photo library.

Test app 'TicTacHum' walks us through the flaw

A deep dive into the app’s XAP and source code revealed that no tricks, like obfuscation, were involved. In fact, we were able to reproduce the issue with our own simple submission. It's important to note, however, that the app did not exploit a flaw in the underlying operating system. It properly indicated via its app manifest that photo library access was required. But this information wasn't surfaced to the user making the final install call. And that's where we have an issue.
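
The check described above can be automated by comparing what a package's manifest declares with what a listing displays. The following is an added example, not code from the article or from Microsoft: the sample manifest and the listing set are constructed, and the `ID_CAP_*` names are the Windows Phone SDK identifiers assumed to correspond to the three capabilities the article names in words.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample manifest modelled on the test app described in the article.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_MEDIALIB_PHOTO" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
    </Capabilities>
  </App>
</Deployment>"""


def build_sample_xap(manifest: bytes) -> bytes:
    """A XAP is a ZIP archive; build a minimal one in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("WMAppManifest.xml", manifest)
    return buf.getvalue()


def manifest_capabilities(xap: bytes) -> set:
    """Return the capability names declared in the package's app manifest."""
    with zipfile.ZipFile(io.BytesIO(xap)) as archive:
        names = [n for n in archive.namelist()
                 if n.lower().rsplit("/", 1)[-1] == "wmappmanifest.xml"]
        if not names:
            raise ValueError("no WMAppManifest.xml in package")
        data = archive.read(names[0])
    if b"<!DOCTYPE" in data:
        # Untrusted input: refuse DTDs rather than risk entity expansion.
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(data)
    # Match on the local tag name so older and newer manifest namespaces both work.
    return {el.attrib["Name"] for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability" and "Name" in el.attrib}


def undisclosed_capabilities(xap: bytes, listed) -> list:
    """Capabilities the manifest declares but the listing does not show."""
    return sorted(manifest_capabilities(xap) - set(listed))


if __name__ == "__main__":
    shown_in_listing = {"ID_CAP_IDENTITY_DEVICE", "ID_CAP_IDENTITY_USER"}  # constructed
    print(undisclosed_capabilities(build_sample_xap(SAMPLE_MANIFEST), shown_in_listing))
```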

With the Store being the only place for users to evaluate an application’s permission set, these kinds of issues can be dangerous. A rogue actor, for example, could pass a clone of Flappy Birds through the Store and quietly access a user’s photo library, collecting and uploading the photos to a remote server. Photo leaks are especially dangerous, as they often contain rich metadata, such as location info.

'TicTacHum' has access to our photos, though we didn't agree to that

As far as we know, an app exploiting this flaw never made it to the Store. And as of today, we can say that this flaw has been patched, after we raised the issue with Microsoft late last week.

  • "Meh, you are so amateur :\" Wow dude. Harsh.
  • No, your name is harsh. Telling dinosaurs that they can only live once... Have you seen Jurassic Park? Try telling them they only live once. :P (sorry for the off-topicness, and I don't have any potatoes. :/)
  • The dinosaurs lived their lives to da fullest #turndownforwhat #swag #420blazeit
  • Thanks Al Gihuni
  • You're welcome!
  • Yup, good looking out!
  • By viewing this comment, you agree to share your location and appointments* with all members of this forum ⬜yes? ⬛no? . . . . . . .
    . . .
    . . .
    . . .
    . . .
    . . .
    . . .
    *and photos :P
  • Third!
  • Take away the "H" :P
  • Tird ?
  • Omg
  • And mine!
  • Yay, you're back! Anyways, great article!
  • Wait so apps with "access to photo library" can actually upload your private photos to the app developer if he would like to do that?
    I thought this access was for uploading through user action or saving images through the app only!
  • You hope they only upload with your action, but yes they could upload all as soon as you open it
  • And I thought WP was "safe"...
    Does it really work that way?
  • Safe? It's safer since there aren't as many permissions apps can ask for compared to Android and developers have less opportunities to do stupid things that can impact your privacy or the stability and performance of your device. But if you grant an app access to something it can ask for it will of course get access. As always, apply some common sense before installing apps.
  • I hope NSA didn't see my selfies with aliens :(...
  • Worse, They had seen your "School" album.
  • Thanks Rafael and Danel. I'm happy this one finally worked. I've contacted them in the past privately, but they didn't hear me. This is a good end for the story
  • I imagine that if they had for example taken all of my 1020's albums at once, that my phone would have shown at least a bit of lag??
  • It's very annoying when apps need absurd requirements. There are, for example, simple flashlight apps that need all the requirements they can access from you. For that reason I stick to official apps from well known devs and only the necessary apps. Some of us are concerned about our privacy.
  • I agree with ya
  • You'll find most of the time it's because a heap are enabled by default and the dev doesn't disable them
  • +1520
  • Wow, freaky.
  • Al Gihuni, thanks for revealing the flaw, I will support your apps..
  • They don't get open access to the gallery tho do they? Aren't images selected through the image picker and the APIs?
  • I too want to know that in detail now...
  • Thank you Gihuni for helping WP safety :) !!!
  • Great to have developer to care about Store's security!
  • Whenever I review any app, it takes my input but it never appears in the store. Anybody else facing this? Is this also a bug?
  • This article is just a big big big big bullshit! The underlying issue has NOT been addressed, it's just now MS has made some cosmetic change so they can wash their hands when somebody wants to sue them due to leaked personal photos. Let me ask all readers: if you realized that an app can access all your photo gallery, all your private SMS (including online banking passwords / your bank account balance), all your contacts, all your media list etc. WTF can you do against it? Not install that particular app? Really? Illusion of choice my friends, just illusion. As all the official apps (Skype, Facebook etc.) have access to all content stored on your phone. And you grant this access happily and voluntarily. Because it's so well hidden on the application page. Location access is 1 thing, that's properly emphasized for every app download. But what about the other 10-20 access permissions? Those disgusting lawyers were paid a sh*tload of money, to carefully obfuscate the jargon text into those Terms&conditions pages, as a result MS (Apple, Google, and all their friends) can wash their hands. Honestly, can you find out from that lawyer-written Terms&Conditions document, whether the app developer is allowed to fetch all your photos via his app in complete secret, or by law you have to be notified for this stealth activity? You see, you cannot find out, no matter how many times you read that stupid text. So can you really do the educated choice, even if you consider yourself well prepared and read that text? Of course not. Illusion of the choice. All the stupid (=average) smartphone users should be educated, that there is no such free software on the smartphone. If you download that stupid free game, I bet it will ask for your: location, contacts, owner info, pictures, media library, etc. Would you voluntarily share your photos with a random person walking on the street? Because that's what happens in the background (surely, cleverly hidden from your eyes in the background on your phone, good job, everybody can thank this to the smartphone vendors for this!).
  • Whoa, whoa! Slow down, tiger! You bring up good points, but bury them in the tldr. Also, only a dumbass would send financial passwords via SMS. I've always had to configure mobile banking either through my bank's app, or a secure web page.
  • You obviously haven't heard about netbanking 2-factor authentication via One-time-password sent in SMS.
  • Thought only android had flaws. Posted via the WPC App for Android!