"While it is possible to hide or obfuscate calls to APIs that are not included in the SDK, this is still a violation of customer expectations and Store policy."
Wait, does the platform not include a sandbox to make sure this doesn't happen? What "security" can you expect to get out of such a platform?
The problem likely is that part of the public API is in DLLs that use a private API to talk to the system. For example, public class AddressBook extends AddressBookBase, with 'Base' having a couple of private fields that may come in handy.
Third parties could figure out that private API and call it themselves.
I do not think it is practical to defend the system against this. Moving that base class into the kernel costs performance and includes its own security risks. Shipping multiple versions of the OS with different layouts or even implementations for such subclasses might help a bit, but would also open the system to bugs that show up on only 1/N of the machines.
The sandbox (AppContainer) and the SDK API restrictions are two separate things. Capabilities and isolation are enforced by the AppContainer, not the set of available APIs. AppContainer is actually a general system feature that can be used by desktop apps too to sandbox plugins and such (IE10 uses it in "Enhanced Protected Mode").
You don't need a virtual machine to sandbox C++; or rather, there's already a virtual machine in action, in the form of virtual memory and CPU privilege levels. The only way C++ (or any other native language) has to access the world outside its own is through calls to the kernel. Without direct file I/O APIs, options are even more limited (e.g. you can't easily write your own DLL loader).
OS X/iOS use a 'sandbox' driver that utilizes the TrustedBSD MAC infrastructure (https://developer.apple.com/library/mac/#documentation/Darwi...).
Basically, most system calls can be verified against one or more policy modules, and blocked if non-compliant.
Not really possible with Windows and its bajillion syscalls (1000 in win32k alone, AFAIR).
It may be C++, but it is managed C++ that runs on top of the WinRT layer just like C# and JavaScript for Metro. It will have the same restrictions as the other languages. It is actually interesting; in fact, when you start a Metro project, at least in the beta, you get the WinRT libraries and that's it. A ton of the traditional .NET classes have been moved into the WinRT library or removed altogether.
Yes, this is exactly the same (or at least awfully similar). iOS has some APIs that are technically available to 3rd parties, but disallowed by the terms of service. It was news in 2008 when Google Mobile violated the guidelines to access some useful features.
There are a lot of claims made here with regard to how end-users will effectively like to download and try apps from the Metro store and take the time to write a good, reasoned review about their experience.
Given the average response I've heard from end-users, however, I somewhat doubt this. Most people I've talked to simply hate Metro. Looking at other app stores, most reviews I've seen are low quality and emotionally driven.
One upside of this is that it looks like they're really pushing the one-click installs. It isn't apt or yum, but it's certainly better than what Windows has now.
How? Windows installation has been fine for a decade and a half. Actually, it's going BACKWARD, with vendors now not bothering to ask you WHERE you want application links stored and instead littering your machine's program menu with endless directories named after themselves. Who the hell organizes their applications by vendor? I want my graphics apps together, my audio apps in another group, general office-type apps in another.
With every release, Windows has made this basic function (organizing applications) a bigger pain in the ass. If Microsoft is going to start enforcing policies, then this should be one: No application can simply barf a bunch of crap into your Start menu without ASKING where you want it to go.
Windows installation has not been fine by any stretch of the imagination. It still has the same problems:
1) It is a third-party service, not provided by the system (yes, I know about Microsoft Installer); it is up to the application vendors what they will use,
2) Installers can litter the system wherever they want (see your complaint about the Start menu),
3) No 100% working uninstallation and/or repair; you will end up with installers damaging your system and having to reinstall (even Microsoft ones; how the heck do I get rid of the CJK IMEs that the Proofing Tools for Office 2010 "helpfully" installed?),
4) No update service, so you end up with many updaters slowing down your system,
5) and many more.
If you think that Windows installation is fine, have you ever seen the install systems on other OSes?
Yes, extensively Mac OS. Now, you want to talk about a turd? That is it.
PackageMaker is abandonware and an absolute fiasco. I don't even know where to begin documenting how this "product" fails at its primary task so utterly. Have you ever tried building an installer with it? Even Apple products tried to avoid it; Final Cut Studio, for example.
When the Mac installer does anything, it's just as capable of littering your system with crap.
And the Mac uninstaller doesn't leave turds behind, because it doesn't exist. You just have unknown crap all over your system.
Then there was the total lack of any way to install a single printer driver from Apple's collection until (IIRC) Snow Leopard. You got to install half a gig of drivers for every Epson printer ever made, just to support your one printer.
It has been quite a while since I've had a Windows uninstaller break my system. Do a lot of them leave turds? Yep. But at least they remove the bulk of the payload.
Whoa there, read more carefully. It seems that if you use the built-in FilePicker then your app can use any file on the system, provided that the OS is sure that the user has actively given you access to it. Also, there appear to be ways to obtain permissions beyond the default level.