Windows phone "Scan the app for malware" - windows-phone-8

I'm going through the Windows Phone test suite before submitting my app to the Windows store.
The guidelines have the following section:
Requirement - 5.4.1 - Malicious software screening
Requirement Text - The app must be free of viruses, malware, and any malicious software. -
Test Steps -
Launch your app.
Scan the app for malware.
Verify that there are no viruses, malware or malicious software in the app.
What does "Scan your app for malware" mean? Is there some tool I'm supposed to use to scan the app for malware? The document contains no link to such a tool, and a Google search and an MSDN search did not yield many results.

I can't speak on behalf of MS but I imagine that the malware tools used internally aren't available outside. Having said that, you could still run scans using programs like MalwareBytes or Microsoft Security Essentials on your XAP file itself and/or rename XAP to ZIP and unzip it to scan the files individually. Viruses stored within the XAP file could be read in by an app and then spread onto other platforms (even if it doesn't affect the phone itself). The requirements may be discussing that.
If your app isn't doing anything suspicious and doesn't use unsupported APIs, I personally wouldn't worry too much. Whilst there may be some false positives sometimes, I'm not aware of any particular tool that this section of the requirements specifically refers to.
Edit - I was reminded that there is a Store Test Kit but I didn't initially post that as it doesn't specify that it does a malware check. Good idea to run it nevertheless.
[What Store Kit Tells You]
Whether the XAP file meets size requirements and whether the app manifest file is valid.
Whether a Direct3D app that targets Windows Phone 8 uses APIs that are not allowed on the phone.
Whether a background agent app uses APIs that are not allowed with background agents.
What capabilities the app uses (for apps that target Windows Phone OS 7.1 only).
Whether the specified images and screenshots meet certification requirements.
Whether the app icon and background image used in the app meet certification requirements.
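
The unzip-and-scan step suggested in the answer above, as an added example that is not part of the original post: it treats the XAP as a ZIP archive, extracts each entry into a scratch directory for an antivirus scanner to read, and records a SHA-256 per file. The function names, the size cap and the sample archive are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

MAX_ENTRY_BYTES = 200 * 1024 * 1024  # assumed per-file cap, adjust to your app


def is_unsafe_entry(name):
    """True for entry names that would land outside the extraction directory."""
    normalized = name.replace("\\", "/")
    parts = PurePosixPath(normalized).parts
    return not parts or normalized.startswith("/") or ".." in parts or ":" in normalized


def unpack_xap_for_scan(xap, out_dir):
    """Extract a XAP (ZIP container) into out_dir for scanning.

    Returns rows of (entry_name, size, sha256_hex_or_None, status).
    """
    out_root = Path(out_dir)
    inventory = []
    with zipfile.ZipFile(xap) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if is_unsafe_entry(info.filename):
                inventory.append((info.filename, info.file_size, None, "skipped-unsafe-path"))
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                inventory.append((info.filename, info.file_size, None, "skipped-too-large"))
                continue
            parts = PurePosixPath(info.filename.replace("\\", "/")).parts
            target = out_root.joinpath(*parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            digest = hashlib.sha256()
            # Stream each entry so hashing and writing share one pass.
            with archive.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(65536), b""):
                    digest.update(chunk)
                    dst.write(chunk)
            inventory.append((info.filename, info.file_size, digest.hexdigest(), "extracted"))
    return inventory


def build_sample_xap():
    """Constructed stand-in for a real XAP; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("WMAppManifest.xml", b"<Deployment/>")
        archive.writestr("Assets/Tile.png", b"constructed image bytes")
        archive.writestr("MyApp.dll", b"constructed assembly bytes")
        archive.writestr("../outside.txt", b"entry with a traversal path")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        for row in unpack_xap_for_scan(build_sample_xap(), scratch):
            print(row)
        # Point the antivirus scanner at `scratch` before it is cleaned up.
```

Any row that is not "extracted" is worth reviewing by hand, since a packaging tool has no reason to emit such entries.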

Related

Criteria for 'with Live Tile' sign in Store for Windows Phone Store app

In the Windows Phone Store for Windows Phone 8.1, applications appear with or without the "with Live Tile" sign under the logo in the app overview.
Which criteria must the application meet to be detected by the Store as supporting Live Tile?
I know that the answer should be obvious – it must support Live Tile, but it is not as simple as it looks. My app is not detected as supporting Live Tile.
It calls PushNotificationChannelManager.CreatePushNotificationChannelForApplicationAsync, uploads the PushNotificationChannel.Uri to the server and the server sends tile updates via WNS. The tile is regularly updated.
It contains all scales of all visual assets.
Contacted MSFT Support:
There is no explicit check. The flag is set during manual instigation
of the app in the publishing process.
As the app submission has been changed to publish your app immediately, this flag will only come up once your app is manually checked. That usually only happens some days after your app is published and only in rare cases for updates (or when somebody complains about your app).
Also: The tester has to notice that there is a live tile. If it comes through push or there is no data at the moment of testing or it requires a specific setup, that will just not be visible.
I recommend hinting your live tile in the certification notes field (under describe your package) to make sure the tester is informed that you have a live tile option.
Most probably the Store shows the "with Live Tile" tag for Silverlight (XAP) apps but not for Store (Runtime) apps.

How to certify a WP8 app with HERE launcher

I have created an application which uses HERE Application Launchers and my app works fine on my Nokia Lumia 720.
My problem is certification on the marketplace; I get a response like:
The application exhibits device specific behavior that inhibits functionality and
features. The application's main functionality
cannot be tested on non-Nokia devices because it requires Nokia Here Drive.
-Launch the application on HTC 8X.
...
-Observe the user is prompted to install the app "Here Drive".
I agree with this because HERE maps are only available on Lumia devices. But how to use HERE Launchers if we cannot publish it on the marketplace?
Has anybody had a similar situation and know a solution for it?
That's because it's better to use the ms-drive-to or ms-walk-to Uri scheme!
When you use those, the phone itself will launch HERE drive if it is present, otherwise Bing maps!
Get the needed example code and usage on MSDN here: http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj710324(v=vs.105).aspx
I think you need to clearly state in your app description for Store and in the app itself, that it works only on Nokia devices. (Or you can implement some kind of fallback behavior for non-Nokia devices as well)
This way it should pass the certification, because the behavior will be expected and not confusing.
I suppose either there was something wrong at submission time, or the rules have changed. I at least submitted an application which is using the Uri Scheme directly, and it got accepted.
In essence there are no requirements for any specific application being installed, but there is a query made for applications which support the Uri scheme protocol. And if the HERE application having it is installed, then it will be launched.
And if there are no handlers available, then the marketplace should be opened for searching for the handlers. At least that's the way the system is designed.

How to make settings persist after uninstall on Windows Phone 8?

I need to make a certain setting stay on the device even when the app itself has been uninstalled. For iOS we are using user's keychain to store this information. Is it possible on WP8 somehow?
If you want to keep, let's say, user settings after an app is uninstalled, I highly doubt that this is possible on Windows Phone. First of all it would create a lot of orphan files on the phone that you would not be able to get rid of. One of the services on Windows Phone is Package Manager. This manager is in charge of installing/uninstalling apps, keeping track of what is pinned to the start screen and other metadata about an app and any extensibility points like Share..., etc. If you uninstall an app this manager should clean everything related to your app, even your user settings in any file or IsolatedStorage that you create.
iPhone and Android give you an ability to use some sort of file manager to explore your phone. As far as I can remember you could use Putty to connect to your phone to see the folders and stuff. In Windows Phone you cannot go this far. There are some tools like Windows Phone Power Tools that you can use to check the installed apps, but that's about it.
Apps and all their related data are stored in sandboxed folders. When an app is uninstalled this whole folder is deleted. As such this means that all saved data is removed.
There are two, probably non-ideal, workarounds.
You could create an image saved in the user's photo library. You could embed the identifier in the image or its name but the user has control of these images and may delete it. You also can't programmatically delete such files so you may end up with lots on the device. Having lots of "rogue" files on a device is also likely to cause a user to tidy them up (delete them).
You could store a record of the setting, linked to the device on a web server. This has the downside of needing to maintain the server and handling data sync and offline scenarios.

Reason for installation through Chrome Web Store

Is there a technical reason, why a Google Drive application must be installed through the Chrome Web Store (which severely limits the number of potential users)?
The reason that installation is required is to give users the ability to access applications from within the Google Drive user interface. Without installation, users would have no starting point for most applications, as they would not be able to start at a specific file, and then choose an application.
That said, I realize it can be difficult to work with in early development. We (the Google Drive team) are evaluating if we should remove this requirement or not. I suspect we'll have a final answer/solution in the next few weeks.
Update: We have removed the installation requirement. Chrome Web Store installation is no longer required for an app to work with a user's Drive transparently, but it is still required to take advantage of Google Drive UI integrations.
To provide the create->xxx behaviour that makes a new application document from the drive interface, and to be able to open existing documents from links, there must be some kind of manifest registered with Google's systems and some kind of agreement from the user that an application can access your documents and work with specific file types. There's little way around this when you think about the effects of not doing this.
That said, there are two high level issues that make for compatibility problems.
As the poster says, the requirement to install in the chrome store
severely limits the number of potential users.
But why? Why do the majority of Chrome Web Store applications say that they only work on Chrome? Most of these are wrappers to web applications that work on a range of browsers, yet you click through a selection and most display "works on chrome", aka only installs on chrome.
Before we launched our application on chrome we found that someone had created "xxxxxxx launcher" in the store, that simply forwards to our web app page. We're still wondering why it only "works on chrome". I suspect that some default template for the web store has:
"container" : "CHROME",
in it, which is the configuration option to say chrome only. That said, I can't find one, so I'm very confused why this is. It would be healthier if people picked Chrome because it's the better browser (which it is in a number of regards), not because their choice is limited if they don't. People can always write to the application vendor and ask if this limitation is really necessary.
The second thought is that a standardised manifest format across cloud storage providers would mean a much higher take up in web app vendors. Although it isn't hugely complex to integrate, for example, with Google Drive, the back-end and ironing out the details took over a week in total. Multiply that by lots of storage providers and you lose an engineer for 2 months + the maintenance afterwards. The more that is common across vendor integration, the more likely it is to happen.
And while I'm on it, a JavaScript widget for opening and saving (I know Google have opening) by each cloud storage provider would improve integration by web app vendors. We should be using one storage provider across multiple applications, not one web application across multiple storage providers; the file UI should be common to the storage provider.
In order to sync with the local file system, one would need to install a browser plug-in in order to bridge the Web with the local computer. By default, Web applications don't have file I/O permissions on the user's hard drive for security reasons. Browser extensions, on the other hand, do not suffer from this limitation as it's assumed that when you, the user, give an application permission to be installed on your computer, you give it permissions to access more resources on the local computer.
Considering the add-on architectures for different browsers are different, Google first decided to build this application for their platform first. You can also find Google Drive in the Android/Play marketplace, one of Google's other app marketplaces.
In the future, if Google Drive is successful, there may very well be add-ons created for Firefox and Internet Explorer, but this of course has yet to be done and depends on whether or not Google either releases the API's to the public or internally makes a decision to develop add-ons for other browsers as well.

Interfacing with the end-user's scanner from a webapp (web/scanner integration)

Consider the following scanning procedure in a typical document handling webapp:
The user scans a document using a scanner connected to his/her computer
The scanned image is saved locally on the user's computer as a BMP/JPG/TIF/PNG file
The user hits a file upload "Browse.." button in the web application
The user is presented with a file dialog which he/she uses to locate the scanned image
The user hits "Upload image" and the scanned image is uploaded to the server where it is stored
This process is quite complicated and I'd like to reduce the number of steps in order to make the process more user friendly/fool proof. Under ideal circumstances the above steps would be replaced with only one step in which the procedure "initiate document scanning, complete document scanning and upload resulting image" is automatically triggered from the webapp when clicking, say, "Scan and upload". Unfortunately it seems like the state of "web/scanner integration" is quite poor so this might be utopia.
How would you tackle this problem? More specifically, how would you go about reducing the number of steps involved in the use-case described?
Well, two years have passed, so here's an update on the state of the art for those just joining us.
Both Dynamsoft and Atalasoft have multi-browser web-scanning toolkits which are compatible with any server-side stack. Both require the user to install an ActiveX (in IE) or an NPAPI plugin (Chrome, Firefox, etc.) to get access to the scanner via the TWAIN API.
Obviously if you have the time or a limited budget, you can create your own plugin. I heartily recommend the FireBreath plugin framework, and any TWAIN library rather than writing your own TWAIN code.
Once the ActiveX or plugin is installed, the rest of the work is a combination of javascript & HTML on the client, and some kind of handler on the server to accept and process the incoming image, which can be made to look just like a multipart form submit with an attached file.
I recommend doing the image upload in javascript using AJAX, because it is then part of the same browser 'session' as the web page, and it inherits the browser's proxy settings, session cookies and server-side authentication. I don't know about Dynamsoft's control, but the Atalasoft toolkit includes such AJAX uploading. The image(s) are handed from the plugin to the javascript as a base64-encoded string, so no local file is actually created.
Disclaimer: I work on Atalasoft's WingScan web-scanning toolkit.
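
The server-side step from the answer above, as an added example that is not part of the original answer or of any vendor toolkit: a handler-side check that treats the base64 string posted by the page as untrusted input, bounds its size, decodes it strictly, and accepts it only if the leading bytes match one of the four formats the question lists. The function name, the size limit and the sample payloads are constructed for illustration.

```python
import base64
import binascii
import hashlib

MAX_IMAGE_BYTES = 20 * 1024 * 1024  # assumed upload limit

# Leading bytes of the formats named in the question (PNG, JPG, TIF, BMP).
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"II*\x00", "tiff"),  # little-endian TIFF
    (b"MM\x00*", "tiff"),  # big-endian TIFF
    (b"BM", "bmp"),
)


class RejectedUpload(ValueError):
    """Raised when the posted payload is not an acceptable scanned image."""


def accept_scanned_image(b64_text, max_bytes=MAX_IMAGE_BYTES):
    """Validate a base64 image string and return facts the server can store."""
    # Bound the work before decoding: every 4 base64 characters carry 3 bytes.
    if len(b64_text) > (max_bytes // 3 + 1) * 4:
        raise RejectedUpload("encoded payload too large")
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RejectedUpload("not valid base64") from exc
    if len(raw) > max_bytes:
        raise RejectedUpload("decoded image too large")
    for magic, kind in MAGIC:
        if raw.startswith(magic):
            sha256 = hashlib.sha256(raw).hexdigest()
            return {
                "format": kind,
                "size": len(raw),
                "sha256": sha256,
                # The stored name comes from the server, never from the client.
                "stored_name": sha256 + "." + kind,
            }
    raise RejectedUpload("unrecognised image type")


if __name__ == "__main__":
    # Constructed payloads: a PNG signature plus filler, and a non-image header.
    png = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
    other = base64.b64encode(b"MZ" + b"\x00" * 16).decode()
    print(accept_scanned_image(png))
    for bad in (other, "not base64!!"):
        try:
            accept_scanned_image(bad)
        except RejectedUpload as err:
            print("rejected:", err)
```

The signature check only establishes the declared container type; the stored file still goes through whatever image decoding and malware scanning the server applies to other uploads.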
If your target audience is running Windows and IE, and you don't mind spending a few $$, Atalasoft has some components that will do just what you're looking for.
I actually saw someone at the bank do this while setting up my account and I was totally amazed. Bank in question was using Windows and IE, I assume you're in an equally controlled environment. I think the bank used a combination of a custom/predictable scanner driver and an ActiveX control.
A page loaded which said "Open the scanner", the staff member popped the document in and hit Scan on the webpage, then the page changed to say Scanning, then it showed the scanned document on the web page for the staff member to Approve. I can only assume that the scanner driver sent the image to a certain location and the ActiveX control was polling for it to appear; once it appeared it showed the image on screen, and once the staff member had approved it the ActiveX control uploaded it in the background. She opened the next page and carried on with the rest of the process.
God knows how they made all that tech work but it can be done.
Silverlight 4 is coming out soon. It is supposed to have the ability to interact with COM objects on the user's computer (provided they are running Windows). In theory you call WIA methods from your Silverlight web page.
We implemented a solution to implement Remote Deposit for a bank. It works only in IE. A winforms dll was created that interfaces with LeadTools TWAIN dll. Leadtools TWAIN dll abstracts all the TWAIN minutiae. This approach is slightly better than using an ActiveX control. .NET Framework would be needed on client. The scanned images are posted back to a hidden variable on the page and are processed on the server.
Hmm, I've always wanted to look at a scanned file before I did anything with it, but I suppose that depends on your scanner and how much quality you need.
If the goal is to "automate the scanning and uploading process" as opposed to "write a web app", I'd write an AutoIt script to control the existing scanner software and a simple ftp program.
The option most likely to remove the most steps, would probably be writing a customized scan utility that the user would download and run on their local machine.
SANE or TWAIN would handle getting the scanned image. cURL could then handle uploading the image to your web app. To make things even easier for the end user, I would use something like a Comet connection to update the web page when the file was available.
If that isn't an option, you might look into seeing what options your users will likely have using their scanner's software. I believe many programs now support scanning to email or ftp.
The solution I have used for an intranet app, using multifunction scanner/copiers was to scan to an SMB share that the web server had access to. The user just goes to the copier scans to the share and when they get back to their desk, they go to the new scans page which shows a list of all the new unprocessed files.
Since your audience is in a controlled environment, you can write your own browser extension/program based on WIA/TWAIN that does the scanning. If you choose browser extensions such as BHO/ActiveX/XPCOM, etc., you need to get the user's permission to install your extension. If you choose to write a program you may need web deployment technologies like ClickOnce or Java Web Start to be launched from web.
Interfacing TWAIN is a pain on Windows. Complexity aside, you have to display some GUI written by different scanner driver developers. It may be the only way to support old scanners or features not exposed via other interfaces like full-speed multipage scans from a document feeder.
Microsoft's WIA makes interfacing with scanner much easier with a scripting object model, however scanner-specific features are not available and some old scanners do not support the interface.
After scanning you can call a web service to notify the server and the web page can refresh periodically to check new images.
We have done something similar. We used a command-line TWAIN program (http://www.burrotech.com/quickscan.php). $$ $49
1) We developed a small .Net application to run the QuickScan program as a shell command.
2) The command was assigned to the Scan button.
3) Once the user presses on the scan button, a prompt will appear to enter the file name. The user saves the transaction Id as the file name.
4) Another .Net application (or maybe the same mentioned before) will read this file and upload it into database considering that the filename is the transaction ID.
Worked like a warm knife in butter!
You can try displaying the transaction ID in IE; the user selects the ID, then presses Scan. Your application will read the SELECTED text and save the file using the SELECTED text as the file name. We haven't tried it but it should work.
It is only utopia if you think that web applications are limited to web browsers, in fact, web applications can include a lot of different technologies, besides HTML and Javascript.
The cool way of solving that problem -- in fact, I already used that for some usbserial devices -- is to implement your application using SOAP+XMPP. You can do that in Perl by using XML::CompileX::Transport::SOAPXMPP, Catalyst::Engine::XMPP2, Catalyst::Controller::SOAP and Catalyst::Model::SOAP.
The interesting thing about using XMPP is that it simplifies the management of addressing, since you use the JID (Jabber ID) to look for the software agent, not some host+port addressing schema. The second interesting part of using XMPP is to more easily support the server pushing information to the client.
But if you don't want to handle XMPP you still can do the same thing with a lightweight embedded http server -- HTTP::Server::Simple, in Perl -- and somehow register the current scanner address in the server so it can call back.
And a last option, which is not so cute, is to have the software agent polling the server to see when there is a "scan document and upload" order for that specific machine and realize that operation when that is present.
In summary, having a local software agent to interact with the local hardware doesn't make your webapp less "web", as long as you use web standards -- like XML, SOAP and others -- to perform that communication.
You can put a Java applet in your website. This can access the scanner and send the data via REST to your web server.