How does PasswordVault protect passwords?


I have been experimenting with Windows.Security.Credentials.PasswordVault as a way of storing my applications' passwords.

Reading the class documentation and the UWP documentation, I assumed the vault has some method of identifying applications, so that a particular app may only retrieve credentials it has saved in the vault itself:

Apps and services don't have access to credentials associated with other apps or services.

I was unable to confirm that this works, since an app I wrote was actually able to access the credentials another app of mine had saved in the vault, including the passwords. Since the mechanism doesn't require any certificates or app IDs, I was curious about how it even could ensure the above property.

Looking at SO I found this very similar, as yet unanswered question. It confuses me further, because its asker says:

It appears that even though the second application is using the same key as the first app used in saving the data; the second app cannot retrieve that data. This is good.

In my case, the second application can read the vault credentials saved by the first with no problem, password and all. Not only that, I can also read all passwords stored by Internet Explorer for the websites I have password autofill information saved for. The comments on this question confirm that there is no mechanism to prevent one app from accessing another's stored credentials if both are executed by the same user, which is in direct contradiction to my understanding of the API documentation.

I must be misunderstanding how the security aspect of PasswordVault works. How can it be used to secure credentials so that they can be used only by the app that created them?

Information about my environment:

  • Apps run on Windows 10
  • API platform 10.0 (also tested with 8.0)
  • Apps are executed with no elevated rights
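The check described in the question, written out as an added example (not code from the question or from the PasswordVault documentation): one piece that App A would run to store a credential, and one that App B, a different package running under the same Windows user, would run to see whether it can read that credential back. The resource and user-name strings are assumptions chosen for this test.

```csharp
using System;
using Windows.Security.Credentials;

static class VaultIsolationCheck
{
    // Assumed labels for this test; App A and App B must agree on them.
    const string Resource = "com.example.AppA/api";
    const string UserName = "service-account";

    // Run inside App A: store a credential in the per-user vault.
    public static void StoreCredential(string secret)
    {
        var vault = new PasswordVault();
        vault.Add(new PasswordCredential(Resource, UserName, secret));
    }

    // Run inside App B: attempt to retrieve the credential App A stored.
    // Returns true if the other app's password is readable from here.
    public static bool OtherAppCanRead()
    {
        var vault = new PasswordVault();
        try
        {
            PasswordCredential cred = vault.Retrieve(Resource, UserName);
            cred.RetrievePassword();   // password is only populated on demand
            return !string.IsNullOrEmpty(cred.Password);
        }
        catch (Exception)
        {
            // Retrieve throws when no matching credential is visible to the caller
            return false;
        }
    }
}
```

If OtherAppCanRead() returns true, the vault is not isolating credentials per app in that configuration, which is the observation the question reports.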

There are 0 answers