After installing the Windows 8 Consumer Preview, one of the first things I tried was to install and run MetroTwit Loop. To my dismay, my screen darkened. “Windows protected your PC,” it read. “Oh good,” I thought; that is, before I realized it had stopped me from running my own application.
I knew I could click “More info” and then “Run anyway”, but most common users are probably going to see this and freak out. After all, “Running this app might put your PC at risk”.
Ironically, I should have known this might happen because I first uncovered the existence of “Windows SmartScreen” almost a year ago when the first builds of Windows 8 leaked. Of course it didn’t actually work then, so it was hard to say what the impact would be. Having seen it in action now, this is quite worrying from the perspective of a desktop app software developer.
Microsoft has been integrating SmartScreen into various products including Windows Live Messenger, Internet Explorer 9 and now Windows 8 to protect users from malicious links, content and now apps.
It all works on “reputation”, which is about as transparent as a brick wall. Microsoft briefly explains that it is assigned to unique downloaded files and your digital certificate, but how you gain reputation, how quickly you gain reputation and the current reputation of any app or certificate are unknown.
As I’ve also found, the act of signing your installer & application with a code signing certificate (which costs up to $499 a year from Microsoft’s recommended certificate authority Verisign) doesn’t automatically grant you “enough” reputation either.
In comparison, Apple recently stirred up a bit of controversy for its new “Gatekeeper” feature in OS X Mountain Lion. It too is a new security feature that limits what “non-Store” apps you can run. The difference, however, is that any registered Apple Developer could get a free Developer ID to sign their apps with and be granted permission. Code signing on Windows 8’s SmartScreen doesn’t seem to have such an (immediate) effect.
I understand that one day MetroTwit and our company’s digital certificate might/will earn “enough” reputation to be automatically accepted. But until then, it’s not a good feeling knowing your application will prompt such a strong, disheartening message to an unknown number of users.
This also raises a chicken-and-egg issue: would lesser-known apps ever gain enough users to trust them with such an intimidating roadblock for new users? It’s hard to tell behind the smokescreen that is Windows SmartScreen.
Update: How-to Geek has an article on how to disable Windows 8’s SmartScreen; however, the fact is it’s still enabled by default for the common user.