Windows 10 UWP gave developers unwanted access to all user files

Microsoft has fixed a bug in the currently delayed Windows 10 October 2018 Update. This was in earlier versions of the operating system and gave apps potentially undesirable access to user data. This is a bug in the Universal Windows Platform.

The bug in the Windows broadFileSystemAccess API could give a developer of Universal Windows Platform (UWP) apps access to all documents, photos, downloads and other files of a user on the OneDrive. Previous versions of the software did not tell users when an app was trying to access all of a user’s files.

Apply for permission

The problem was discovered by .NET developer Sébastien Lachance, who built a business app that suddenly stopped working in the 1809 version of Windows October 10, 2018. UWP apps are usually limited to certain file folders, but developers can also request access to other locations, provided that the app obtains the user’s permission.

As can be found in the Microsoft documentation, the broadFileSystemAccess API gives access to all the files a user has access to. Microsoft introduced the feature to the market as a way for developers to make their UWP apps more user-friendly. However, explicit permission had to be given by users.

No prompt

Until version 1809, however, users were not shown a prompt asking them to give their consent. According to Lachance, Microsoft knew about the problem and decided to disable the case by default, so that developers do not have immediate access to the documents.

Users who may be concerned about an app’s access to their files can check this in the settings menu, which also includes information about files under the privacy menu. Developers using the API may see their UWP apps crash when their users update to Windows 10 version 1809.