Windows 10 Bug Let UWP Apps Access All Files Without Permission
Many developers want access to as much data as possible. This is part of the reason why so many apps request permission to access seemingly everything one could have on their device (with the other part being developers' need to sell ads). But what happens when the apps don't ask permission? According to .NET developer Sébastien Lachance, this is what happened with versions of Windows 10 released prior to the yet-to-be-relaunched Windows 10 October 2018 Update.
The developer noticed that his enterprise app stopped working after Microsoft released version 1809 of Windows 10. It turns out that's because the app required access to specific folders, and this was the first version of Windows 10 that didn't grant that access by default.
Universal Windows Platform (UWP) apps are supposed to be restricted to specific folders. They can request access to other folders, though, if they need to do so to function. This alone isn't a problem. Everything from iOS and Google Chrome to macOS and Android lets apps ask for greater permissions. Yet, a problem with the broadFileSystemAccess API that governed this process meant people weren't actually prompted by the apps.
Instead, the API simply gave developers access to all local files without letting the affected Windows 10 user know. Lachance said a list of apps with access to these files can be found by going to Settings > Privacy > File system, but most people are unlikely to go digging through their settings when their information is supposed to be secure by default. The Windows 10 October 2018 Update is said to have addressed that problem.
This breaks apps that relied on this API, like the one that prompted Lachance to investigate this issue, but it defends the privacy of many Windows 10 users whose information may have been up for grabs without their knowledge or consent. After the many problems the Windows 10 October 2018 Update has suffered—mainly revolving around two file system bugs—it's heartening to see that it contains some improvements as well.
But this is still more evidence that companies have struggled to manage distribution platforms that are supposed to keep people safe. From the bad apps in the Mac App Store and Google Play Store, to these problems with the broadFileSystemAccess API affecting UWP apps distributed via the Microsoft Store, it's clear that many platforms are not as trustworthy as they're supposed to be.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
Good thing I am not stupid enough to run any UWP apps on my PC then!
And what alternative is there? Win32 apps? They've had access to the entire filesystem since forever. -
DrakeFS 21442441 said:Good thing I am not stupid enough to run any UWP apps on my PC then!
And what alternative is there? Win32 apps? They've had access to the entire filesystem since forever.
Only if they are ran as admin, which the user has to consent to. The privacy part, access to that specific user's files, every win32 app has access to. The issue with the UWP apps, is that they had access when the user would think they did not have access. A little more dangerous in my book.
-
@DrakefsReply
That's only since UAC, introduced with Vista. It's one of Vista's most hated features, to the point where even Tom's Hardware listed it as one of the "10 Windows 10 Settings You Should Change Right Away" (https://www.tomshardware.com/picturestory/853-windows-10-settings-you-should-change.html#s11). They may have removed UAC from that list, but not before plenty of people criticizing them for recommending making their PCs vulnerable.
So is it a problem that UWP apps can access files without asking for permission? Yes, it sure is.
Do people care? A shockingly lot of them apparently don't.