How Secure Are Windows Store Apps?
Can Microsoft's sandbox protect applications from the attacks of yesterday?
Windows is going for a whole new approach when it comes to pushing security updates to its built-in apps for Windows 8 and Windows RT. Well, not exactly a whole new approach, but a different approach (for Microsoft).
Just as it did with the Windows Store app system, Microsoft is once again mimicking the mobile platform by pushing through security updates for its built-in apps (Bing, SkyDrive, News, Video, Mail, etc.) as soon as they're ready -- something iOS and Android users are already used to.
This is a change in strategy for Microsoft, which, unless dealing with an imminent threat with an out-of-band patch, would wait to release all security updates on the second Tuesday of the month.
It's interesting to note, though, that apps that exist as both a Desktop and a Windows Store app will only be addressed in Microsoft's monthly patch rollout.
You can read more about the new update process, along with the inaugural security update, a "moderate" fix for the Mail app, in Kurt Mackie's news article here.
Speaking more generally on the security benefits of the Windows Store app system, there's no question that Microsoft is looking to replicate the success Apple has shown with its app store. And Leonid Shtilman, CEO of security firm Viewfinity, said this is just the next step in Microsoft's dedication to making a more secure OS.
"With Windows 7 and especially Windows 8, Microsoft made several significant steps towards creating a more secure computing environment. I would especially emphasize the introduction of an application store as the sole source of new applications," said Leonid during a recent interview. "This approach will eventually solve the problem of new executables introduced to the system and secure some of the security vulnerabilities we see emerging in the interfaces between operating systems, like Windows, and the applications that run on them. This solution has been especially prevalent in mobile technology and seems to be gradually growing in popularity in the desktop space as well."
And the security strength (or eventual weakness) of Microsoft's app model lies in its sandbox. Security expert Bill Sempf, who recently presented "Hardening your Windows 8 apps for the Windows Store" at March's Black Hat Europe 2013, agrees, saying that because of Microsoft's Windows 8 sandbox, "most Windows Store app security testing will focus on the backend services, and flaws in the business logic of the application."
However, no matter how hard Microsoft has pushed the strength of its sandbox environment, no system is 100 percent protected from attacks. With a higher adoption rate for Microsoft's newest OS, we'll start to see hackers turning their skills towards breaking it. And once that happens, I think we will get our first look at how secure Windows Store apps really are.
What do you think? If using Windows 8, have you noticed an increased level of application security compared to earlier versions of the OS? And do you prefer the practice of pushing security updates through as soon as they are ready? Let me know at firstname.lastname@example.org.