Windows 8 Metro Apps Need to Be Secure by Design

Having looked at various parts of Windows 8 over the past few weeks we have seen that Windows 8 is going to be significantly different, creating a paradigm shift for users and a more secure operating system. In those blogs we explored how various changes have implications for users, developers, and IT managers. In this final installment we will look at how developers are affected by Windows 8 and the security implications for developers for this new platform.

Windows Runtime (WinRT)
With Windows 8 and Metro, Microsoft introduces a new API: the Windows Runtime. WinRT is designed for use with JavaScript, Visual Basic, C#, and C++.

The Windows Runtime looks and feels like the Component Object Model (COM) and provides a subset of COM APIs for Metro applications. As with COM, multiple development environments can be built on top of the APIs to suit the developer market. WinRT is not tied to a specific language. Currently developers can use these:

  • HTML/CSS3/JavaScript
  • XAML with code-behind in C++, C#, or Visual Basic
  • Native C++

Existing Windows APIs such as CreateFile2 are also accessible to WinRT applications, but they behave differently and more restrictively when called from Metro-style applications. For example, a Metro application can use this API only to open files and folders it already has access to. WinRT also provides APIs for data, social content exchange between applications, device access, graphics, security, user interaction, and other functions. These restrictions are in place to isolate applications from one another and provide better security.

These aspects of WinRT are improvements because user security is built into the API, and the applications will need to adhere to these to execute in the Metro environment.

Metro Apps
Metro applications, like all other apps installed on the system, share physical storage and memory hardware with other applications. However, the user does not grant every application equal access to system resources. This is enforced within the WinRT/Metro environment and prevents critical data and information from leaking across application boundaries. This feature can easily lead to a false sense of security: the assumption that any data stored within the application is “secured” from access by anyone except the application itself. This information might be data stored on persistent storage or in memory structures.

All applications that access, store, or communicate information should follow secure development practices and ensure that user data, credentials, and other private information are not kept in plaintext. WinRT provides a set of security APIs to help applications secure communications and data:

  • Windows.Security.Authentication.OnlineId
  • Windows.Security.Authentication.Web
  • Windows.Security.Credentials
  • Windows.Security.Credentials.UI
  • Windows.Security.Cryptography
  • Windows.Security.Cryptography.Certificates
  • Windows.Security.Cryptography.Core
  • Windows.Security.Cryptography.DataProtection
  • Windows.Security.ExchangeActiveSyncProvisioning
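As an added example (not code from the original post), the following C# shows how a Metro app could use two of the namespaces listed above so that a session token and a password never sit in plaintext in the app's local storage: Windows.Security.Cryptography.DataProtection for data the app writes to its own folder, and Windows.Security.Credentials.PasswordVault for credentials. The file name "session.bin" and the resource and user names are constructed for the example.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

// Example only: storing a session token and a credential without plaintext on disk.
public static class SecureStorage
{
    // "LOCAL=user" binds the protected blob to the current Windows user account,
    // so another user on the same device cannot unprotect it.
    public static async Task<IBuffer> ProtectAsync(string plaintext)
    {
        var provider = new DataProtectionProvider("LOCAL=user");
        IBuffer data = CryptographicBuffer.ConvertStringToBinary(plaintext, BinaryStringEncoding.Utf8);
        return await provider.ProtectAsync(data);
    }

    public static async Task<string> UnprotectAsync(IBuffer protectedData)
    {
        // The parameterless constructor is used for unprotecting; the descriptor
        // travels inside the protected blob.
        var provider = new DataProtectionProvider();
        IBuffer data = await provider.UnprotectAsync(protectedData);
        return CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf8, data);
    }

    // Write the protected token into the app's own LocalFolder (constructed file name).
    public static async Task SaveTokenAsync(string token)
    {
        IBuffer protectedToken = await ProtectAsync(token);
        StorageFile file = await ApplicationData.Current.LocalFolder.CreateFileAsync(
            "session.bin", CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteBufferAsync(file, protectedToken);
    }

    public static async Task<string> LoadTokenAsync()
    {
        StorageFile file = await ApplicationData.Current.LocalFolder.GetFileAsync("session.bin");
        return await UnprotectAsync(await FileIO.ReadBufferAsync(file));
    }

    // Credentials belong in the PasswordVault, not in settings or files.
    public static void SaveCredential(string resource, string userName, string password)
    {
        new PasswordVault().Add(new PasswordCredential(resource, userName, password));
    }

    public static string LoadPassword(string resource, string userName)
    {
        PasswordCredential cred = new PasswordVault().Retrieve(resource, userName); // throws if absent
        cred.RetrievePassword(); // the password is only populated on request
        return cred.Password;
    }
}
```

Note that both mechanisms protect data at rest against other users and other apps on the device; they do not help if the app itself later copies the decrypted value into an unprotected setting or log.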

Application Deployment
Application deployment for desktop applications has not changed significantly with Windows 8, though certification requirements for desktop apps have become mandatory if an application is to be referenced from the Windows Store.

Deploying Metro apps, on the other hand, has been restricted to ensure that the Metro ecosystem is more secure for users. There are ways to side-load applications for enterprise customers, but these are tightly controlled via certificate chains and special product keys. For non-enterprise customers, the way to side-load Metro apps is to install a developer license via a Microsoft account.

Securing the Apps
As Windows has become more secure, attackers have targeted ubiquitous applications such as Adobe Reader and Flash Player, as well as the Java runtime. This experience has made it clear that malware writers exploit applications for their large user base and for the sensitive data they might have access to. Windows 8 is a great improvement over prior versions of the operating system in making security APIs and tools available for desktop and Metro apps. For application developers, especially those dealing with user data, it is essential to guard against security problems early in the development cycle.

The key point is that applications themselves are vulnerable to attacks and could become as costly as vulnerabilities in the OS. As we have seen in previous posts, malware could attack Metro applications. Developers need to be well aware of Windows’ security limitations when building any application.

Even with the improvements to Windows 8, enterprises should use security software to control which applications are allowed on corporate assets and to minimize the attack surface.