Microsoft's new app security rules dubbed a paper tiger

Microsoft has tightened the security requirements for apps available on its online stores, while providing plenty of wiggle room to avoid alienating much-needed developers.

The policy introduced Tuesday places the responsibility of fixing vulnerabilities on developers, who face having their apps yanked for non-compliance. The new rules are effective immediately on the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.

The requirements are unlikely to scare away the majority of developers. Microsoft is giving them a maximum of 180 days from the time a vulnerability is confirmed to submit an updated app.

The timeline applies to vulnerabilities that are rated critical or important but are not under active attack. The ratings will be based on the system outlined by the Microsoft Security Response Center.

While Microsoft has the right to pull apps from its stores, it is unlikely to do so very often under the generous timeline. To date, no developers have taken that long to fix a security problem, says Microsoft.

In cases where developers run into trouble, Microsoft is willing to make exceptions, such as when a vulnerability affects multiple developers or is architectural in nature. Microsoft will also consider making exceptions when developers are legally prohibited from updating an app.

Jack Gold, an analyst with J. Gold Associates, believes giving developers six months to fix an app is excessive. In addition to shortening the timeline, Gold wants Microsoft to publish a list of all apps with known vulnerabilities that store customers could see before downloading anything.

"That would put huge pressure on the app developers to respond quickly and get anything needing fixing done right," Gold said. "But that's unlikely to happen as Microsoft would prefer not to tick off its developer community."


Missing from the policy is what is required when an app has a serious vulnerability that cybercriminals are exploiting with malware. There is no timeline for fixes and no threats of having the app pulled immediately, which would protect store customers.

Microsoft declined an interview request, but sent a statement implying it can pull an app at any time. "This new policy allows us [to] take swift action in all cases, which may include immediate removal of the app from the store, and we'll exercise its discretion on a case-by-case basis," said the statement, which was attributed to Dustin Childs, group manager of Microsoft Trustworthy Computing.

Microsoft competes with Apple and Google for mobile app developers. The company has roughly 150,000 apps in its Windows Phone Store, compared with 900,000 for Apple and a number close to that for Google.

A draconian policy that scares away developers would not help Microsoft close the gap. Taken as a whole, the new policy is unlikely to change much for developers, other than giving them and their lawyers a clear understanding of what Microsoft expects and what it can do.

"This codifies it in a way," said John Jackson, an analyst for IDC. "At some level, I'm sure there's some legal indemnification motivation behind it."

Store customers who discover a vulnerability and can't get the developer to address it can request assistance directly from Microsoft by sending an email to
