Microsoft has tightened the security requirements for apps available on its online stores, while providing plenty of wiggle room to avoid alienating much-needed developers.
The policy introduced Tuesday places the responsibility of fixing vulnerabilities on developers, who face having their apps yanked for non-compliance. The new rules are effective immediately on the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.
The requirements are unlikely to scare away the majority of developers. Microsoft is giving them a maximum of 180 days from the time a vulnerability is confirmed to submit an updated app.
The timeline applies to vulnerabilities that are rated critical or important, but are not under attack. The ratings will be based on the s ystem outlined in the Microsoft Security Response Center.Ã'Â
While Microsoft has the right to pull apps from its stores, it is unlikely to do so very often under the generous timeline. To date, no developers have taken that long to fix a security problem, says Microsoft.
In cases where developers run into trouble, Microsoft is willing to make exceptions, such as when a vulnerability affects multiple developers or is architectural in nature. Microsoft will also consider making exceptions when developers are legally prohibited from updating an app.
Jack Gold, an analyst with J. Gold Associates, believes giving developers six months to fix an app is excessive. In addition to shortening the timeline, Gold wants Microsoft to publish a list of all apps with known vulnerabilities that store customers could see before downloading anything.
"That would put huge pressure on the app developers to respond quickly and get anything needing fixing done right," Gold said. "But that's unlikely to happen as Microsoft would prefer not to tick off its developer community."
Missing from the policy is what is required when an app has a serious vulnerability that cybercriminals are exploiting with malware. There is no timeline for fixes and no threats of having the app pulled immediately, which would protect store customers.
Microsoft declined an interview request, but sent a statement implying it can pull an app at anytime. "This new policy allows us [to] take swift action in all cases, which may include immediate removal of the app from the store, and we'll exercise its discretion on a case-by-case basis," said the statement, which was attributed to Dustin Childs, group manager of Microsoft Trustworthy Computing.
Microsoft competes with Apple and Google for mobile app developers. The company has roughly 150,000 apps in its Windows Phone Store, compared with 900,000 for Apple and a number close to that for Google.Ã'Â
A draconian policy that scares away developers would not help Microsoft close the gap. Taken as a whole, the new policy is unlikely to change much for developers, other than giving them and their lawyers a clear understanding of what Microsoft expects and what it can do.
"This codifies it in a way," said John Jackson, an analyst for IDC. "At some level, I'm sure there's some legal indemnification motivation behind it."
Store customers who discover a vulnerability and can't get the developer to address it can request assistance directly from Microsoft by sending an email to firstname.lastname@example.org.
Read more about application security in CSOonline's Application Security section.