With the October 2018 update, Microsoft announced a patch for a bug in its Windows 10 operating system. The flaw could enable Microsoft Store apps access file system permission to access users’ files without their consent.
Universal Windows Platform
Universal Windows Platform (UWP) was introduced by Microsoft together with Windows 10. This platform was created to help develop universal apps to run any device running Windows 10, such as desktop PC, IoT devices, Xbox, Surface Hub, and Mixed-reality headset.
The UWP applications are capable of accessing certain API files, such as photos and music, as well as devices including camera and microphone. All they need to do is to declare required permissions in their package manifest file. In addition, by default, these apps are able to access directories, local, roaming and temporary folders.
It is worth to mention that in order to access other files on a device, such as sensitive data and resources, Microsoft provides apps with capabilities that can be used by declaring the permission in the configuration.
Such capability, broadFileSystemAccess which is also known as Broad Filesystem Access enables apps to access the file system at the level as the user who opened it.
On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.
Windows app developer Sebastien Lachance notes that earlier Windows 10 versions failed to prompt users asking for permissions to access the file system because of the flaw, which left users’ data accessible to UWP apps. It could be also said that the apps could be used to access all users’ files without users consent.
The bug was first released when one of Lachance’s app which uses broadFileSystemAccess permission started crashing, once the developer updated its Windows to the latest Windows 10 version.
Lachance was told by a Microsoft engineer that the latest version of Windows 10 was addressed the prompt issue by shutting off the broadFileSystemAccess by default. As a result, all UWP applications have to be upgraded if they want to prevent crashes.
Prevent your apps from crashing
Windows apps developers are advised to include a simple line of code in order to prevent crashes in their affected software. The line is able to force Windows 10 users to accept the new file access permission before opening the app.