Windows 10 Bug Allowed UWP Apps Full Access to User’s Files

A Windows 10 bug that kept users from being informed when apps requested permission to access their data has been fixed by Microsoft in its on-hold Windows 10 October 2018 Update.

The bug could have given a malicious developer of Universal Windows Platform (UWP) apps access to all of a user's data, including files stored in OneDrive, without the owner's consent.

By default, UWP apps are restricted to the files and folders in the app's installation directory and its data storage locations in AppData\Local, AppData\Roaming, and the Temp folder. However, the developer can request extra permissions to access other locations.

As stated in the Microsoft developer documentation for the broadFileSystemAccess permission, “This is a restricted capability. On first use, the system will prompt the user to allow access.” It further says, “Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.”

This implies that when a developer adds this permission and the app is used with it for the first time, Windows 10 is supposed to display a settings screen where the permission (and hence the access) can be enabled. It is configurable in Settings as follows:

Settings > Privacy > File system

The bug was discovered by Lechance after creating an app that required the broadFileSystemAccess permission to access data in a hard-coded “C:\myAppData” location. The app reportedly began crashing after upgrading to the October 2018 Update.

Before version 1809, the step of sending users to Settings to enable file system access was not enforced, so an app that declared broadFileSystemAccess had full file system access without the user ever granting it explicitly.
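Because the capability is declared in each package's AppxManifest.xml, installed apps can be inventoried for it. The Python code below is an added example, not code from the article or from Microsoft; it assumes the standard manifest namespace URIs, and the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by AppxManifest.xml; "rescap" is the conventional prefix
# for the restricted-capabilities namespace.
FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP = FOUNDATION + "/restrictedcapabilities"
TARGET = "broadFileSystemAccess"

def restricted_capabilities(manifest_xml):
    """Return the restricted capability names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    # Match on the namespace URI, not the prefix: any prefix may be bound to it.
    tag = "{%s}Capability" % RESCAP
    return {el.get("Name") for el in root.iter(tag) if el.get("Name")}

def audit(manifests):
    """Map each package name to 'declares', 'clean' or 'unparsed'."""
    report = {}
    for name, xml_text in manifests.items():
        try:
            caps = restricted_capabilities(xml_text)
        except ET.ParseError:
            report[name] = "unparsed"  # flag for manual review, never assume clean
            continue
        report[name] = "declares" if TARGET in caps else "clean"
    return report

def sample_manifest(prefix, caps):
    """Build a minimal constructed manifest (hypothetical helper for the samples)."""
    return ('<Package xmlns="%s" xmlns:%s="%s"><Capabilities>%s</Capabilities></Package>'
            % (FOUNDATION, prefix, RESCAP, caps))

# Constructed sample manifests, not taken from real packages.
SAMPLES = {
    "Contoso.Notes": sample_manifest("rescap", '<rescap:Capability Name="broadFileSystemAccess"/>'),
    "Contoso.Sync": sample_manifest("r", '<r:Capability Name="broadFileSystemAccess"/>'),
    "Contoso.Viewer": sample_manifest("rescap", '<Capability Name="internetClient"/>'),
    "Contoso.Broken": '<Package><Capabilities><rescap:Capability Name="broad',
}

if __name__ == "__main__":
    for package, status in sorted(audit(SAMPLES).items()):
        print("%-16s %s" % (package, status))
```

On a real system, pass in the AppxManifest.xml text read from each package's install location (for example the InstallLocation reported by Get-AppxPackage in PowerShell).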

As a workaround, Lechance advised UWP app developers to make the following call to avoid the crashes that are likely once the permission is properly enforced.

await Windows.System.Launcher.LaunchUriAsync(new Uri("ms-settings:privacy-broadfilesystemaccess"));

Developers who publish their apps to the Microsoft Store and use broadFileSystemAccess now face questions and accountability. They are expected to explain why their apps require this permission.
