
Windows 11 app store may create security issues


Concerns are being raised over perceived limitations of the new-look Microsoft Store, which was unveiled last month at the Windows 11 launch.

During the event, Microsoft celebrated the fact its new store will be open to a much wider range of third-party applications built on a larger selection of frameworks, including Win32, .Net, UWP, Java and more.

However, the store’s terms and conditions reveal that the update process will differ slightly depending on application type. Namely, users of software “packaged as a Win32 app” will not receive updates from the Microsoft Store directly, but will be responsible for installing patches manually via the application itself.

Beyond the inconsistent user experience, commentators have suggested this quirk will allow updates to circumvent Microsoft’s checks and balances, which are designed to ensure only legitimate applications are distributed via the store. Previously, Microsoft had claimed all applications hosted on the store will be “tested for security, family safety and device compatibility”.

Microsoft Store on Windows 11

When Microsoft announced it would deliver a much-needed upgrade to its official app marketplace, the greatest emphasis was placed on the visual overhaul, which will bring the store in line with the Windows 11 aesthetic.

The introduction of Android applications to Microsoft Store also drew headlines. With Windows 11, users will be able to run Android apps directly from their desktop, albeit only those hosted on Amazon’s app store.

However, it appears closer attention is now being paid to the inner workings of the marketplace and how this might affect the end user.

On Twitter, Microsoft developer Scott Hanselman called criticism of the app store’s update process “misleading”. “Apps can use MSIX and update. It says on each app page if it updates itself or if the store does. It’s pretty clear,” he noted.

Here, he refers to the fact that Win32 apps can be packaged as MSIX (a Windows app package format) in order to receive automatic updates via the Microsoft Store. MSIX can be considered an evolution of MSI, an older package format that will not be compatible with auto updates.

However, as another Twitter user points out, MSIX is currently only used by a minority of applications. The Register, meanwhile, suggested it is impractical to ask users to understand the difference between MSIX and MSI.

Microsoft has not yet responded to our request for comment on the security concerns, or for clarification on whether the company will seek to create consistency in the update process across all app types.

Update:
A Microsoft spokesperson has since provided the following statement: 

“Microsoft Store is committed to protecting our customers’ security and privacy. It is a priority for Microsoft to ensure that all our products and services comply with applicable law. We vet developers who publish to the Microsoft Store on Windows 11, and the apps that are installed have undergone security and device compatibility checks.”

Joel Khalili
