Windows 10 introduced a new way of delivering apps: UWP (Universal Windows Platform) apps. These apps run on any Windows device without any modification to the code.
A new bug has been discovered in the way Windows implements UWP apps. Using this bug, UWP apps can access the entire file system in Windows without asking the user's permission! This would allow a malicious app to store any data without the consent of the user.
How UWP apps access the file system
By default, UWP apps have access to “<user_profile>/AppData/Local”, “<user_profile>/AppData/Roaming” and the “Temp” folder. If an app requires access to files outside of these locations, the developer can declare extra permissions for the app.
Extra permissions are declared in the app’s package manifest file. With such a declaration, the app can access other folders such as “Documents”, “Pictures”, “Music” etc. Here’s an example declaring an extra permission for the “Videos” library.
<Capabilities>
  <uap:Capability Name="videosLibrary"/>
</Capabilities>
The Microsoft Store lists these extra permissions in the app’s description.
For example, the “AppxManifest” file of “Sticky Notes” declares the “broadFileSystemAccess” permission.
According to the official documentation, “broadFileSystemAccess” allows access to all the files that the user can access, for example “Documents”, “Downloads”, “Desktop” etc. The documentation also notes that on first use, the system prompts the user to allow the access. If a developer submits an app to the Store with this declaration, they have to provide a detailed description of why the permission is necessary.
This means that when you use an app that declares this permission, you’ll be asked whether to allow it.
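To check what a package asks for before trusting it, you can read its manifest directly. The script below is an added example, not code from the original article or from Microsoft: it parses an AppxManifest and reports the file-system capabilities described above. The sample manifest and the package name “Example.NotesApp” are constructed; the namespace URIs and library capability names follow Microsoft's published manifest schema.

```python
import sys
import xml.etree.ElementTree as ET

# File-system capabilities: the library folders and the broad one from the article.
LIBRARY_CAPS = {"documentsLibrary", "picturesLibrary", "videosLibrary", "musicLibrary"}
BROAD_CAP = "broadFileSystemAccess"

# Constructed sample manifest (hypothetical package, not a real app's manifest).
SAMPLE_MANIFEST = """<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Example.NotesApp" Publisher="CN=Example" Version="1.0.0.0"/>
  <Capabilities>
    <Capability Name="internetClient"/>
    <uap:Capability Name="videosLibrary"/>
    <rescap:Capability Name="broadFileSystemAccess"/>
  </Capabilities>
</Package>"""


def local_name(tag):
    """Strip the '{namespace}' part ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return the package name and its file-system related capabilities."""
    root = ET.fromstring(xml_text)
    name = "?"
    declared = []
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag == "Identity":
            name = elem.get("Name", "?")
        elif tag == "Capability":  # matches plain, uap: and rescap: elements
            declared.append(elem.get("Name", ""))
    return {
        "package": name,
        "broad_access": BROAD_CAP in declared,
        "libraries": sorted(c for c in declared if c in LIBRARY_CAPS),
    }


if __name__ == "__main__":
    # Audit manifests given on the command line, or the sample if none is given.
    texts = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_MANIFEST]
    for text in texts:
        print(audit_manifest(text))
```

A result with "broad_access": True means the package can ask for access to every file the user can reach, so it deserves a closer look before you grant the prompt.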
Controlling the permissions
You can still manage what permissions your apps get. Go to Settings >> Privacy >> File System.
You can disable the option so that no app can access your file system. There are other options for “Documents”, “Pictures” and “Videos” as well.
Above all, make sure that the app you’re installing is from a trustworthy source so that you don’t run into security issues later.