The new-look Microsoft Store app marketplace, set to be a key part of Windows 11, has raised security concerns over perceived limitations.
During the launch of Windows 11, Microsoft highlighted how its new store will be open to a much wider range of third-party applications built on a larger selection of frameworks, including Win32, .NET, UWP, Java and more.
However, the store’s terms and conditions reveal that the update process will differ slightly depending on application type. Namely, users of software “packaged as a Win32 app” will not receive updates from the Microsoft Store directly, but will be responsible for installing patches manually via the application itself.
Beyond the inconsistent user experience, commentators have suggested this quirk will allow updates to circumvent Microsoft’s checks and balances, which are designed to ensure only legitimate applications are distributed via the store. Previously, Microsoft had claimed all applications hosted on the store would be “tested for security, family safety and device compatibility”.
Microsoft Store on Windows 11
When Microsoft announced it would deliver a much-needed upgrade to its official app marketplace, the greatest emphasis was placed on the visual overhaul, which will bring the store in line with the Windows 11 aesthetic.
The introduction of Android applications to Microsoft Store also drew headlines. With Windows 11, users will be able to run Android apps directly from their desktop, albeit only those hosted on Amazon’s app store.
However, it appears closer attention is now being paid to the inner workings of the marketplace and how this might affect the end user.
On Twitter, Microsoft developer Scott Hanselman called criticism of the app store’s update process “misleading”. “Apps can use MSIX and update. It says on each app page if it updates itself or if the store does. It’s pretty clear,” he noted.
Here, he refers to the fact that Win32 apps can be packaged as MSIX (a Windows app package format) in order to receive automatic updates via the Microsoft Store. MSIX can be considered an evolution of MSI, an older package format that will not be compatible with auto updates.
However, as another Twitter user points out, MSIX is currently only used by a minority of applications. The Register, meanwhile, suggested it is impractical to ask users to understand the difference between MSIX and MSI.
Microsoft has not yet replied to our request for an official response to the security concerns and for clarification over whether the company will seek to create consistency in the update process across all app types.