Windows 8’s application SmartScreen: speed bump for desktop apps

After installing the Windows 8 Consumer Preview, one of the first things I tried was to install and run MetroTwit Loop. To my dismay, my screen darkened. “Windows protected your PC” it read. “Oh good” I thought, that is before I realized it stopped me from running my own application.

I knew I could click “More info” and then “Run anyway”, but most common users are probably going to see this and freak out. After all, “Running this app might put your PC at risk”.

Ironically I should have known this might happen because I first uncovered the existence of “Windows SmartScreen” almost a year ago when the first builds of Windows 8 leaked. Of course it didn’t actually work then so it was hard to say what the impact would be. Having seen it in action now, this is quite worrying from the perspective of a desktop app software developer.

Microsoft has been integrating SmartScreen into various products including Windows Live Messenger, Internet Explorer 9 and now Windows 8 to protect users from malicious links, content and now apps.

It all works on “reputation”, which is about as transparent as a brick wall. Microsoft briefly explains it is assigned to unique downloaded files and your digital certificate, but how you gain reputation, how quickly you gain reputation and the current reputation of any app or certificate is unknown.

As I’ve also found, the act of signing your installer & application with a code signing certificate (which costs up to $499 a year from Microsoft’s recommended certificate authority Verisign) doesn’t automatically grant you “enough” reputation either.

In comparison, Apple recently stirred up a bit of controversy for its new “Gatekeeper” feature in OS X Mountain Lion. It too is a new security feature that limits what “non-Store” apps you can run. The difference however is that any registered Apple Developer could get a free Developer ID to sign their apps with and be granted permission. Code signing on Windows 8’s SmartScreen doesn’t seem to have such an (immediate) effect.

I understand that one day MetroTwit and our company’s digital certificate might/will earn “enough” reputation for it to be automatically accepted. But until then, it’s not a good feeling that your application will prompt such a strong, disheartening message to an unknown number of users.

This also raises a chicken-and-egg issue: would lesser-known apps ever gain enough users to trust it with such an intimidating roadblock for new users? It’s hard to tell behind the smokescreen that is Windows SmartScreen.

Update: How-to Geek has an article on how to disable Windows 8’s SmartScreen; however, the fact is it’s still enabled by default for the common user.

28 insightful thoughts

  1. I guess things will be even worse for developers who can’t afford code signing certificates.

    At least SmartScreen for files in Windows 8 can be disabled (for now), which is more than can be said about SmartScreen in Windows Live Messenger. The deleterious effects of the former are greater, of course.

  2. This is one of those things that sounds nice to most people. “oh, they’re keeping us safe.”

    In reality this is a dangerous path. It will likely hurt the openness of the platform and drive developers away.

    It creates risk and fear for developers and development companies.

  3. I’m wondering if putting your Desktop app “in” the Windows Store (even though that’s just a link) gets you an automatic bump up in reputation. It would be a great way for Microsoft to encourage developers to build the store quickly while helping them over the reputation hump. This of course presumes that they are going to apply any science to Desktop app submissions to the Store. For example, running not just the Microsoft Anti-Malware engine against submissions but the entire suite of tools they use when someone reports a suspicious image to the MMPC. Those tools include techniques that are too slow, or produce too many false positives (that they have to manually check), to include in the Anti-Malware engine itself.

      1. In Windows 9 after you click “More info” there will be “More advanced info” and from there you can run program. ;-)

  4. >As I’ve also found, the act of signing your installer & application with a code signing certificate (which costs up to $499 a year from Microsoft’s recommended certificate authority Verisign) doesn’t automatically grant you “enough” reputation either.

    You can get a much cheaper code signing cert from tucows (from verisign, thawte, comodo etc) @ https://author.tucows.com//

    1. If we’re plugging code signing certificate resellers, I can recommend K Software (http://codesigning.ksoftware.net/) – they resell Comodo certs. I think Tucows’s advertised price is a bit cheaper, but if you contact them they’ll beat it.

      In any case, there’s no reason to buy from Comodo or Verisign directly – they charge a huge premium for exactly the same product.

  5. True. K Software is pretty good as well. In any case, I think code signing is a good practice – the easiest way to authenticate that the software comes from the publisher and hasn’t been tampered with. In this case, MetroTwit will be doing a much needed public service by signing the app – not just the initial downloader.

  6. dude – you only sign the initial installer!!! the installer then downloads metrotwit from the internet, and you don’t sign it metrotwit – the real app.

    your initial installer doesn’t get smartscreen block – good for you – probably means your certs got rep. but your unsigned download gets the warning, as it should. i know you’re not a bad guy – but if you decided to download something else from your installer – say some adware ohh say you wann make more $$$$ :) – hee hee – or mebbe slip a lil somethin’ somthin’ in one of yo nightly builds.. :)

    just sign that thang and turn that frown upside down.

  7. (fixing a typo, and a minor edit)

    You sign MetroTwitLoop – and it installs and runs without any smartscreen prompt. No problems.

    You DO NOT sign MetroTwit.exe (http://i.imgur.com/jGdR8.png) – and so the user gets the SmartScreen prompt.

    So, SIGN MetroTwit.exe – you’ve complained about MetroTwit.exe in your post – and that should address the problem.

    1. Yep. Signing EXEs for ClickOnce is not supported by default. I spent about 6 hours last night figuring out a workaround. We implemented this for MetroTwit Loop but still have a SmartScreen prompt.

  8. My bad – you did talk about metrotwitloop at the start of your blog. I do not see a SmartScreen prompt when I install MetroTwitLoop any more.

  9. Neither can SmartScreen download reputation checking be turned off in Internet Explorer. There too, it scares average users away by warning good apps as potentially malicious. I guess it’s a Microsoft decision to bring more business to its partners, VeriSign etc. In IE, SmartScreen for web browsing can be disabled but not separately for the download app reputation feature AFAIK.

  10. Stuff like this isn’t bad. Especially when I come across malware ridden computers all the time. It’s a problem many face.

  11. Can you share with us how you signed your application, please? We have two installers, one is an msi (for Chrome and Firefox users) and one is ClickOnce. The warning isn’t displayed for the msi installer which is signed. But we see the warning for the ClickOnce application.

    1. Spent about 6 hours working on this problem :P

      In short, I have a custom build script that does
      – MSBuild /target:build,publish
      – Copy the EXE from /bin/ to /publishdir/ (which is signed by build)
      – Rename all files in publishdir to strip the .deploy extension
      – Use Mage.exe to rebuild the manifest with the new EXE
      – Rename all files in publishdir to add .deploy extension (except .manifest)
      – Use Mage.exe to rebuild .application manifest with the new hashes
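
Why the last steps of that procedure rebuild the manifests: signing changes the EXE's bytes, so the digest recorded at publish time no longer matches the file. The following is an added example (not code from this post or from MetroTwit) that checks a publish folder against a ClickOnce application manifest; the trimmed manifest, the name App.exe and the byte strings are constructed for illustration.

```python
import base64, hashlib, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ASM2 = "{urn:schemas-microsoft-com:asm.v2}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

def stale_entries(manifest_xml, publish_dir):
    """Return [(file, reason)] for payload files that no longer match the manifest."""
    problems = []
    root = ET.fromstring(manifest_xml)
    entries = [(e, e.get("codebase")) for e in root.iter(ASM2 + "dependentAssembly")]
    entries += [(e, e.get("name")) for e in root.iter(ASM2 + "file")]
    for elem, rel in entries:
        value = elem.find(f"{ASM2}hash/{DSIG}DigestValue")
        method = elem.find(f"{ASM2}hash/{DSIG}DigestMethod")
        if rel is None or value is None or method is None:
            continue  # prerequisite entries (e.g. the .NET runtime) carry no file hash
        algo = method.get("Algorithm", "").rsplit("#", 1)[-1]
        path = Path(publish_dir, *rel.split("\\"))
        if not path.is_file():
            path = path.with_name(path.name + ".deploy")  # payloads published as *.deploy
        if algo not in ("sha1", "sha256"):
            problems.append((rel, "unsupported digest"))
        elif not path.is_file():
            problems.append((rel, "missing"))
        elif hashlib.new(algo, path.read_bytes()).digest() != base64.b64decode(value.text or ""):
            problems.append((rel, "hash mismatch"))
    return problems

def sample_manifest(exe_bytes):  # constructed, heavily trimmed application manifest
    digest = base64.b64encode(hashlib.sha1(exe_bytes).digest()).decode()
    return ('<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2" '
            'xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" '
            'xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dependency>'
            '<dependentAssembly dependencyType="install" codebase="App.exe"><hash>'
            '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
            f'<dsig:DigestValue>{digest}</dsig:DigestValue></hash>'
            '</dependentAssembly></dependency></asmv1:assembly>')

def demo():
    """Check one publish folder against the pre-signing and the rebuilt manifest."""
    unsigned = b"MZ constructed unsigned image"
    signed = unsigned + b" constructed Authenticode blob"  # signing changes the bytes
    with tempfile.TemporaryDirectory() as pub:
        Path(pub, "App.exe.deploy").write_bytes(signed)  # signed EXE copied into publish
        before = stale_entries(sample_manifest(unsigned), pub)
        after = stale_entries(sample_manifest(signed), pub)
    return before, after
```

Run against a real publish folder, an empty result from `stale_entries` means every hashed payload still matches the application manifest; it does not validate the manifest's own signature.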

  12. It’s mostly about monetization! Free use of another’s work product? However, IMHPO, MS has carried itself way too far down that road. Yikes, HUNDREDS OF DOLLARS!!!!!!

  13. I just downloaded MetroTwit to see if you have a good reputation. There is still a security warning but it is shown in a way that I have never seen before. Your Smartscreen reputation is apparently high enough to get past the Windows 8 dire risk warning but the install still doesn’t happen immediately and some new warning box appears. It is a mild warning and does have an “install” button visible and easy to access.

    This is interesting because I am trying to gain reputation with a signed app that people can download (that I won’t shamelessly plug) and once I get past the Smartscreen filter, there are no messages displayed and my installer dialog box appears.

    I suspect that I will never get enough downloads to get a good reputation. People just don’t like those security warnings.

  14. It’s a shame that Microsoft is doing this. They are really hurting new and small devs who don’t want to either pay for a cert or the annual dev fee for the Windows store.

  15. To gain immediate reputation you can use an EV certificate from VeriSign or DigiCert. The cost is again higher but does gain you immediate reputation.

    Sadly, using an EV cert seems to be incompatible with TeamBuild and will create havoc in a scripted build environment. EV certs require that your cert is installed on a hardware Token. The only vendor for signing tokens is Safenet. Their software requires a password prompt for signing. So you can imagine when something like teambuild executing as a service tries to pull up a dialog box things do not go well. Additionally, Safenet’s drivers are designed to prevent access from anything but the console. Again, problematic because you can’t even sign from a remote desktop session.
