10.5 Modern Cryptography???

    Question

  • I am trying to resolve this, and I am about to give up on submitting apps to Microsoft, and solely focus on the other platforms that at least communicate with their developers. But, I figured I would post my issue here to see if ANYONE will assist in this. The feedback form in the developer portal is absolutely worthless.

    I have an app that I submitted, and my first version was accepted with no issues. All of my subsequent updates are getting rejected only stating:

    App Policies: 10.5 Modern Cryptography

    If your app collects, stores or transmits personal information, it must do so securely, by using modern cryptography methods.

    Notes To Developer

    The app poses a risk to users or to the security or functionality of the device or the Store. Apps cannot transmit passwords as plain text. Note: The app does not appear to be transmitting the data in a secure manner as claimed.

    1. This app in no way, shape, or form "collects, stores or transmits" passwords.

    2. Any external content is pulled via SSL (https)

    3. The contact form is transmitted via SSL/TLS

    4. I can find absolutely NOTHING that is unsecured, but the above canned response is the only response I'm getting.

    5. The only reason I can think of for the continual rejection is Microsoft is saying "Developer...go away. We don't want your app. We don't want apps added to our store. Go away. Submit your apps to the others and make their stores bigger, we like ours small."


    Friday, October 7, 2016 1:26 AM

All replies

  • They should be explicit as to why they rejected your app. However if you want to try again, think hard about any PII (Personally Identifiable Information) that is transmitted from your application to *whatever* that is not encrypted (via SSL, etc).  Names, Locations, Numbers, Passwords, Whatever.

    Friday, October 7, 2016 7:13 AM
  • Hello,
    I can completely understand the frustration you’ve been experiencing at your failure to submit your app. The Store Policies are for the dual goals of enabling developers and delighting customers. Adhering to them could help you make choices that enhance your app’s appeal and audience. Thanks for your understanding.
    If your app accesses, collects or transmits personal information, or if otherwise required by law, you must maintain a privacy policy, which should be added in your app description page. This privacy policy applies to the data used and collected through this application. The publisher of the application provides this privacy policy. Microsoft is not responsible for any use or collection of data inconsistent with what is described in this privacy policy.
    You could host it within or directly linked from the app; for more information please refer to Windows Store Policies 10.5.1.
    You might set it in submission page and click the Store listing on Dashboard.

    Additionally, you could add Notes for certification to the testers when you resubmit your app to make sure your app could be tested properly or let them know your mind.

    Best regards,
    Mattew Wu



    Friday, October 7, 2016 8:03 AM
    Moderator
  • I am experiencing exactly the same problem. However only from this year. Prior to this, my app did not fail at all due to this reason. I had submitted many updates over the years and never encountered this. The only difference is that I have changed the app to be a paid one instead of free. Are there different sets of criteria associated with paid and free app submissions?

    I have contacted dev centre support who told me to just submit a question to the other department. I asked the dev centre support person if I could put my email address into the certification notes section of the submission asking that they contact me with more information and I was told that if I did this my app would fail certification. Is this really the case? That sounds ludicrous. Surely they would just ignore it if this was not part of their working policy.

    After submitting my question to the other department, they replied with the same message as was in the certification failure, so did not provide any more information to help me get past this issue.

    My app is basically one which loads a web site but also has a few extra components (IAPs, adverts, Cortana integration, extra in app currency for downloading the app).

    After the first certification failure due to this reason, I updated the website so that it only sends passwords to the .Net Core controller after they have been encrypted on the client side (they are encrypted again on the server before storing in the database, as client side encryption on its own is not as safe).

    My website does not use https. However, it definitely satisfies the criteria specified by the certification, i.e. sending unencrypted passwords is not happening.

    Could it be the case that the failure criteria are missing out a lot of information? I.e. what DarthJames above has said about all PII? If more than just the password is required to be encrypted then I would expect the certification text to state this rather than just mentioning the password.

    Could it instead be that Microsoft are requiring anything interacting with the apps to be done over https? Surely if this was the case, then it would be simple to state this.

    Any help is greatly appreciated as I have requested help from 2 sources, wasted a lot of time and got no further forwards, so I am basically completely stuck now.

    Thanks

    Friday, January 26, 2018 6:10 PM
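An added example, not code from this thread, from Microsoft or from either poster's app: a small pre-submission audit in Python that applies the reading of policy 10.5 suggested in the first reply (any personal information leaving the app must travel over TLS) to an inventory of the requests an app makes. The inventory, the field list `PII_FIELDS` and the `Request`/`Finding` types are assumptions constructed for the example. It also covers the case raised in the last reply: a password that is scrambled in the browser but posted over plain `http` is still flagged, because the scrambled value is itself transmitted in the clear and the transport is what the policy text asks about.

```python
"""Pre-submission transport audit (added example, not from the thread).

Given a constructed inventory of the requests an app makes, report every
request that would move personal information without TLS. Client-side
hashing or encryption of a field does not clear a request: the scheme
must be https regardless of what was done to the payload.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Field names treated as personal information. Assumption: this mirrors
# the kinds of data named in the replies (names, locations, numbers,
# passwords); a real audit would extend it for the app in question.
PII_FIELDS = {"username", "password", "passwd", "pwd", "email", "name",
              "first_name", "last_name", "phone", "address", "location",
              "lat", "lon", "token"}


@dataclass
class Request:
    url: str
    fields: set = field(default_factory=set)
    # Fields the client scrambles (hashes/encrypts) before sending.
    client_side_hashed: set = field(default_factory=set)


@dataclass
class Finding:
    url: str
    severity: str   # "high" or "medium"
    reason: str


def audit(requests):
    """Return one Finding per transport problem found in the inventory."""
    findings = []
    for req in requests:
        scheme = urlparse(req.url).scheme.lower()
        if scheme == "https":
            continue  # TLS in place; nothing to report about transport
        pii = sorted(f for f in req.fields if f.lower() in PII_FIELDS)
        if not pii:
            findings.append(Finding(req.url, "medium",
                f"non-TLS request ({scheme}); content can be read or altered in transit"))
            continue
        hashed = [f for f in pii if f in req.client_side_hashed]
        plain = [f for f in pii if f not in req.client_side_hashed]
        if hashed:
            findings.append(Finding(req.url, "high",
                f"fields {hashed} are scrambled client-side but sent over {scheme}; "
                "the scrambled value still travels in the clear, so TLS is still required"))
        if plain:
            findings.append(Finding(req.url, "high",
                f"personal fields {plain} sent in plain text over {scheme}"))
    return findings


def worst_severity(findings):
    """Collapse a list of findings to the single worst level, or 'ok'."""
    levels = {f.severity for f in findings}
    if "high" in levels:
        return "high"
    if "medium" in levels:
        return "medium"
    return "ok"


# Constructed inventory: a contact form over TLS, a login form that hashes
# the password in the browser but posts over http, a plain-http content
# fetch, and an ad tracker over TLS. Hostnames are placeholders.
SAMPLE_INVENTORY = [
    Request("https://api.example.test/contact", {"name", "email", "message"}),
    Request("http://www.example.test/Account/Login", {"username", "password"},
            client_side_hashed={"password"}),
    Request("http://www.example.test/news.json"),
    Request("https://ads.example.test/track", {"device_id"}),
]


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.url}: {f.reason}")
    print("overall:", worst_severity(results))
```

Run as a script it prints three findings for the constructed inventory (two for the login form, one for the plain-http content fetch) and an overall level of "high"; the two TLS requests produce nothing. The check is deliberately about the transport only: server-side password storage is a separate concern that this audit does not try to assess.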