File and folder picker usage policies on Xbox consoles

Question

The Microsoft Store Policies version 7.15 (current policies, anticipated archived policies) state in section 10.13.4 that "Products published to Xbox consoles must not […] Enable general browsing of operating system, file systems or attached physical media file structures".

(1) What implications does this have for usage of the file and folder picker classes in Windows.Storage.Pickers such as FileOpenPicker, FileSavePicker, and FolderPicker? Can these pickers still be used, or do we need to limit specific setting values for them, such as no wildcard file extensions and specific suggested start locations? It seems that file manager applications and technical text editors that can open arbitrary files would only be allowed to use internal app storage or app extensions (in Windows.ApplicationModel.AppExtensions.AppExtension.GetPublicFolderAsync) and not local disk or connected USB drives.

(2) If these features are indeed restricted, what is the best way to limit this functionality in production but allow it in developer mode or on other devices? Would inspecting Windows.System.Profile.AnalyticsInfo.VersionInfo.DeviceFamily and Windows.ApplicationModel.Package.Current.SignatureKind be sufficient to distinguish between retail and certification versus developer environments, or would knowing the current Xbox Live sandbox ID be required to fully cover both retail and certification environments?

Answer 1

Preliminary analysis based on digging around:

• This policy is probably intended to target a certain category of developers that are publishing file manager applications that enable broad file system access to internal drives and removable storage, potentially allowing tampering or alternative content that would jeopardize business relationships. The file and folder pickers on Xbox devices do not allow navigation to arbitrary internal drives (the address field is either read-only or absent).
• There is a lack of guidance for developers using file and folder pickers in conjunction with this policy change, so either the pickers are not targeted by this policy or the staff members have not yet responded to this policy (which seems unlikely, given how long this behavior has been happening and how disruptive the removal of file and folder pickers would be).
• Microsoft Edge (Chromium) uses the runFullTrust capability and likely has access to internal drives, but is deliberately restricted from accessing local files. Microsoft Edge Legacy did not have this capability. The upcoming policies that prohibit web browsers on Xbox devices from allowing downloads is likely to ensure product feature competitive parity for alternative browsers with Microsoft Edge (Chromium).

Based on this information, I feel I can supply a counterargument if this policy is cited during certification. I'll keep this question running until this has had a chance to be tested after the policies are in effect.

Update (8 October 2021): OneDrive has been withdrawn from the Xbox device family; earliest reports are from 23 September 2021. OneDrive used the file and folder pickers with wildcard file types.

Remaining first-party apps available on Xbox devices that use the file picker: 3D Builder (specific file types), SketchPal (specific file types). Additionally, Settings uses the file picker to upload a custom gamerpic.

Update (19 October 2021): Xbox Insider system updates from 15 October 2021 have been observed to limit certain kinds of file system access. From personal testing in developer mode on system version 10.0.22000.2654 (released on 15 October 2021), the file and folder pickers remain functional with File Explorer as a provider, and the Downloads folder can still be used. I do not have a test case for the broad file system access capabilities to confirm whether those restrictions are in effect. The option to upload a custom gamerpic remains available.

Update (22 October 2021): Xbox system version 10.0.22000.2655 was made generally available on 21 October 2021. File and folder pickers are still functional.

Update (25 October 2021): Contacting Windows Developer Support did not yield much clarification, stating that certification testers have the final say while reviewing submissions, and that the reportapp email alias is the point of contact. Clearly there is a significant degree of suppression on this topic, or it needs to be somewhat vague in order to properly maintain business relationships, so the community will have to narrow this down by trial and error. If any developers new to publishing to the Store are reading this, my advice would be to first create a basic edition of your application that showcases the capabilities you need (it doesn't need to be polished or published for general use), and try sending that through certification. That way, you don't commit too much time into development if there turns out to be a conflict of interest.

Update (3 November 2021): I think I have a better explanation of the new policies. This category of developers need both software and content to attain their goals, and are using various methods to load external content on to the console, such as FTP servers. The software to use this content was already regulated by policy 10.13.10. The loading of external content is now regulated as a defense-in-depth strategy, but to avoid privacy and logistical concerns, the regulation rests with access to external sources, so external content from both the Web and attached file systems are cited in the policies. The flaw with this reasoning is that I don't have any evidence or testimony that the withdrawn OneDrive app allowed this, as there don't seem to be any relevant options before or after yesterday's app update from version 19.23.16.70 to 19.23.17.70.

Update (11 November 2021): We have a breakthrough. To recap, there is a problem if both software and content make it into the retail environment and Microsoft is perceived as allowing either one. File content from users is now regulated by tying their usage to product functionality, which binds unregulated file contents to product behavior, causing it to fall under Store jurisdiction. Possible combinations:

Software

Software possibility: Web browser visiting a web site (unregulated)

• Since web sites are unregulated, there needs to be a barrier to loading content.
• Web browsers are regulated, but web sites are not.

Software possibility: Web browser loading a local web page (new policy 10.2.1 "copy files")

• Local web pages are not required for browsing the Web, so the exemption does not apply.
• Microsoft Edge (Chromium) blocks loading local web pages.

Software possibility: Store product (already regulated by policy 10.13.10)

Content

Content possibility: Web browser embedding hosted files from a web site (unregulated)

• The hosting web site is the liable party.

Content possibility: Web browser file upload field from local storage (new policy 10.2.1 "copy files")

• File uploads are treated as copying files, which is prohibited.
• Microsoft Edge (Chromium) blocks using file upload fields.

Content possibility: Generic file manager Store product from local removable storage (new policy 10.13.4 "general browsing of [...] file systems")

• Products can still access files as long as the product actually uses the file, causing it to fall under Store regulation (new policy 10.2.1 "necessary for functionality").
• OneDrive passes files through without actually using them (not part of its necessary functionality), which is why it's withdrawn from the Store due to unregulated usage of files.
• 3D Builder and SketchPal use the files they access, so they qualify for the exemption.
• To continue using local files, you will need a product that specifically uses those kinds of files and offers file management functionality for them.

I'd expect generic file manager applications to be unpublished soon; possibly around 21 November 2021, since that is the deadline I got when I received a complaint on a web browser I published. Note to developers: some certification reports may be bluffs in an attempt to force your product to go through certification again under the new policies if an update hasn't been submitted in a while --- you can tell due to the lack of replication steps for your product, which are normally included. Just create an updated submission with no changes, maybe explain your perspective in the "Notes for certification" section, and submit that. I do not recommend requesting email clarification or evidence for the bluff, as you might receive an explanation so innovative that it will not be reapplied to your "updated" submission; the reply may be an attempt to improve the published certification appeal statistics.

With that, I feel the remaining questions are now answered. If there aren't any additional counterarguments, I'm prepared to resolve this question.

Update (13 November 2021): This topic is getting press attention. Judging by the catalog of other applications, web browsers that offer downloads are getting unpublished, while file managers are remaining published, but gaining a "Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe" designation in permissions that presumably indicates that this product violates policies, and will have reduced search results visibility according to the Microsoft Store Product Ranking, Placement and Marketing Disclosure Statement.

Update (20 January 2024): 3D Builder was withdrawn from Xbox consoles around the middle of 2023. Although the broadFileSystemAccess capability (that 3D Builder declares) appears to still register successfully in Dev Mode, declaring this capability may be risky for policy 10.13.4 "general browsing of [...] file systems", especially if it can write to arbitrary locations, so it could be a risk minimization strategy. Edit (21 January 2024): The broadFileSystemAccess capability is documented as not supported on Xbox.