Win 10: Bug in UWP API enables access to user data/file

There is discussion that a design flaw (a bug) within the Universal Windows Platform API allows UWP app developers to access arbitrary user data. In Windows 10 V1809, Microsoft has tried to mitigate the bug – but now UWP apps crash.


The app developer and MVP Sébastien Lachance recently noticed that UWP apps can access the entire file system, i.e. the app is not limited to accessing files and folders via a file picker or LocalStorage. Microsoft has described the permitted file system accesses in this document (broadFileSystemAccess API). The documentation also states: "On first use, the system prompts the user to allow access". So Microsoft (theoretically) provides safeguards that intercept unauthorized access attempts: a UWP app cannot access files without the user's consent – at least theoretically …

The UWP app doesn't prompt up to Windows 10 V1803

When Lachance then implemented a feature for accessing local files in a UWP app, he found that his hard-coded path "C:\myAppData" did not trigger any prompt from Windows asking whether access was permitted. So the Microsoft documentation is not correct at this point; it claims exactly the opposite. Up to Windows 10 V1803, it would therefore be possible for a UWP app to access the file system and retrieve information without user consent.

Windows 10 V1809 made the UWP app crash

When he then tested the app under Windows 10 V1809, the withdrawn October 2018 update, it suddenly crashed at startup, as he writes here. He then found out that accessing the file in the above path caused the app to crash.

Such a thing is of course deadly for an app developer – he develops an app, and after a Windows 10 feature update the UWP app crashes. At first Lachance thought that the manifest of the UWP app had been changed and that this caused the crash. So he contacted his buddies at Microsoft.

A tricky solution under Windows 10 V1809

His contacts at Microsoft then confirmed two important pieces of information regarding file access by UWP apps.


  • The fact that no Windows dialog is displayed the first time a file is accessed is simply a bug. This could already be assumed from the MSDN documentation linked above. 
  • Since this is a data protection problem (file access), Microsoft decided to make a change in the Windows 10 October 2018 Update. They set the 'broad access file system' value to OFF.

The first point has the consequence that, up to Windows 10 V1803, UWP apps can access all files without user consent. The second point means that these accesses are now controlled via the privacy settings, but then trigger an app crash.

File access in UWP apps
(Source: Lachance)

Lachance writes that the list of applications that can access the file system can be found in the Windows 10 Settings app under Privacy > File System (see screenshot above). If access to the file system is enabled, you can specify for each app whether it is allowed to access the file system. Developers of UWP apps can use the following API call to force the display of this settings page:

await Windows.System.Launcher.LaunchUriAsync(new Uri("ms-settings:privacy-broadfilesystemaccess"));

Developers can wrap the file system access in a try/catch and call this method afterwards, deciding there whether the settings page needs to be opened. Note, however, that switching the value in the Windows settings will cause the running UWP app to crash. Lachance recommends warning the user accordingly. This, too, is a solution that seems like 'programming with a sledgehammer'.
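
The try/catch approach described above could look like the following sketch. It is an added example, not code from Lachance's post; the class and method names are hypothetical, and it assumes the app manifest declares the restricted broadFileSystemAccess capability and that the method is called from the UI thread.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Storage;
using Windows.System;
using Windows.UI.Popups;

// Added example (not from the original post). Assumes the package manifest
// declares the restricted capability:
//   <rescap:Capability Name="broadFileSystemAccess" />
public static class BroadFileAccess   // hypothetical helper class
{
    // Returns the file, or null when Windows denies path-based access.
    // A missing file still raises FileNotFoundException to the caller.
    public static async Task<StorageFile> TryOpenAsync(string path)
    {
        try
        {
            // Path-based access outside the app container only succeeds when
            // the user has enabled the app under Privacy > File System.
            return await StorageFile.GetFileFromPathAsync(path);
        }
        catch (UnauthorizedAccessException)
        {
            // Access denied: the per-app switch is off.
            await OfferSettingsPageAsync();
            return null;
        }
    }

    private static async Task OfferSettingsPageAsync()
    {
        // Warn first: toggling the switch terminates the running app.
        var dialog = new MessageDialog(
            "This app needs file system access. Changing the setting will " +
            "close the app, so save your work first and restart afterwards.",
            "File system access is turned off");
        var open = new UICommand("Open settings");
        dialog.Commands.Add(open);
        dialog.Commands.Add(new UICommand("Cancel"));

        // Only open the privacy page if the user explicitly asks for it.
        if (await dialog.ShowAsync() == open)
        {
            await Launcher.LaunchUriAsync(
                new Uri("ms-settings:privacy-broadfilesystemaccess"));
        }
    }
}
```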



2 Responses to Win 10: Bug in UWP API enables access to user data/file

  1. Pingback: Newly discovered data access breach in Win10 UWP (Metro, “Store”) apps @ AskWoody

  2. b says:

    "Update: There has been a bit of misunderstanding on how this works. The broadFileSystemAccess is a restricted capability that an application could be granted, it is not an API. As a developer as well, I have to opt-in to using the capability. Any application in the store with the capability goes through extra verification by the Store team before any user gets it and the user is aware they are granting the application the permission to use the capability as well."
    http://www.dotnetapp.com/?p=438
