Windows Phone and the battle against fake apps

Windows Phone is popular enough for makers of fake apps to target it, but shouldn't it be harder for them to make it into the store?
Written by Mary Branscombe, Contributor

The desire to get more apps into the Windows Phone app store is understandable, but should Microsoft be working harder when it comes to checking the apps that are submitted? How can it keep both the bar and the numbers high?

For example, last week a Kaspersky anti-virus app for Windows Phone showed up in the Windows Phone Store; curious for a platform that Microsoft is touting as extremely secure. It's hard to think what an anti-virus app could do on a phone OS that's so sandboxed that it wouldn't have access to scan any of the other apps on the device or their files. Even worse, it wasn't really from Kaspersky at all; Kaspersky Mobile, which cost 149 roubles in the Russian store, was a fake that did nothing but display a couple of progress bars.

It's not the only fake I've spotted in there; other apps have included fake Google apps and even an Internet Explorer app. Think about it for a minute: even leaving out the fake security software, the certification process for the Windows Phone Store approved an app calling itself Internet Explorer and using the IE logo. Presumably, the certification team know that's a Microsoft product; they ought to at least recognise the logo. And as they work on the Windows Phone Store, they should know that IE already comes with Windows Phone. So how did that make it through certification?

There's a similar issue with some poorly-scanned ebooks in the Windows Phone Store (curiously, the ebooks also want access to your phone identity, owner identity, photo, music, and video libraries, data services, phone dialler, movement and directional sensor as well as the browser, which seems a lot when all you're doing is reading a book).

If you click the link to report the app, you can't pick piracy or copyright as a reason (which you can do in the Windows Store, where Microsoft no longer requires you to be the copyright owner — so you can report the apparently pirated books in there), just things like poor performance or that the app is misleading.

There are difficulties with policing piracy and copyright violations in app stores. If you undertake to do that and miss some, those IP owners can complain. It would also be a lot of work for Microsoft to check every app that mentions a trademark or copyright title with the owner of the trademark or copyright — and until Windows Phone has a bigger share of the market, copyright owners and agencies that represent them probably aren't spending much time on it.

Still, Microsoft is fighting back. At the Build conference Todd Brix, the general manager in charge of apps and stores for Microsoft, talked about making certification for Windows Phone apps faster by using automation for testing: "Instead of taking several days an app can take as little as two to four hours in certification," he said.

Is that long enough to weed out the bad apps, I asked him. Automation could actually help with that, he said.

"We have benefit of knowledge and human augmented machine based learning on testing processes honed over the last three years. We know what type of apps to look for, what developers will build what apps using what combination of APIs. We know what time of day things happen that may be less good," he pointed out.

Just as malware authors used to release viruses early on a Saturday morning to have the most impact over the weekend, scammers and hackers targeting an app store might try to catch the testing team off guard late on a Friday afternoon, for example.

He didn't expect the team to catch every problem app. "We will never be 100 percent guaranteed that nothing bad will ever escape. We reserve the right to make mistakes but when those things happen we will learn from them and apply new rules and triggers and test cases to track them. We are by no means perfect in certification but we will have more and more faster and robust mechanisms for taking remediation when things do get through."
