Microsoft’s John Hazen has posted on the official Building Windows 8 blog about the security and reliability principles in the Metro platform in Windows 8. Hazen explains how apps are installed from the Windows store, use contracts to interact with the operating system, and have to ask user consent for access to device capabilities such as the webcam or GPS, or to access user data such as documents and music.
The most intriguing part of the document comes when Hazen appeals to developers to stick to the API that is referenced in the official Windows 8 Metro SDK:
Resist the temptation to find ways to invoke APIs that are not included in the SDK. This ultimately undermines the expectations that customers have for your app. APIs that are outside the SDK are not guaranteed to work with Metro style apps either in this release or in future releases, so you may find that your app doesn’t function properly for all customers. These APIs may also not function properly in the async environment that is foundational to Metro style app design. Finally these APIs may undermine customer confidence by accessing resources or data that Metro style apps would not normally interact with. For all these reasons, we have provided checks in the Windows App Certification Kit to help you catch places where you might have inadvertently called interfaces not exposed by the SDK.
While it is possible to hide or obfuscate calls to APIs that are not included in the SDK, this is still a violation of customer expectations and Store policy. In the end, we have created this platform to help developers like you to build amazing apps that work well with the system and with other apps and devices to delight customers. Working with the Metro style SDK is fundamental to your realizing that goal.
The worrying aspect of this appeal to developers to play nice is Hazen’s admission that crafty developers may find ways to escape the Metro sandbox, undermining both the security and the privacy protection built into Metro. The main protection against this is such such an app should be blocked from the Windows Store, but can Microsoft check with 100% confidence that no hidden or obfuscated API calls exist? How effective is the Metro sandbox?
My guess is that the danger will be greater on the x86 version of Windows 8 than in Windows RT, which is locked down to prevent any third-party desktop applications from being installed. Nevertheless, a large part of the non-Metro Windows API must exist in Windows RT, to support the desktop, Explorer and Microsoft Office.