Does The New Windows App Security Policy Go Far Enough?

Microsoft has announced a new policy designed to ensure that apps running on Windows and Windows Phone are regularly updated so that security issues get fixed. It’s a sensible idea, but should the rules actually be even stricter?

The changes were announced in a blog post following the release of this week’s round of Patch Tuesday updates. As group manager Dustin Childs explained:

Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue.

Those changes apply across Windows 8, Windows Phone, Azure and Office Apps. Apps which aren’t updated are likely to be removed. Windows 8.1 installs app updates automatically rather than requiring users to select them, so potential issues should be fixed quickly — provided a patch is made available.

I’m not questioning the logic of the policy, but I am questioning the time period. Yes, fixing apps takes time, but six months to fix a security issue? That seems way too long. Oddly, Microsoft goes out of its way to suggest it might not be long enough:

We also realize there may be rare cases where a developer needs more than 180 days. Should that occur – it hasn’t so far – we’ll work with the developer to get an updated app replacement as soon as possible.

The change is part of what seems to be a push to promote Windows Phone more heavily for business use. Microsoft is planning to release an “enterprise feature pack” offering better encryption and security options, though that won’t appear until early 2014.

To encourage corporate adoption, Microsoft is also doubling the support lifecycle for Windows Phone devices, extending the guaranteed support period from 18 months to 36 months. That’s a sensible move (especially given the speed with which Windows Phone 7 was abandoned), but that lengthy lifespan also makes the 180-day window for other app updates look too lenient.

A new policy for store apps and the July 2013 security updates [Microsoft Security Response Center]