Many 3rd party add-on developers now require users to install various additional software to run with unrestricted access in the background while using their add-on. They say that it’s important for functionality, security and management reasons.
I believe this type of requirement is excessive and goes against modern trustworthy computing practices. No add-on developer of any kind should be trusted with unrestricted access to data and internet access.
Here is a list of changes that I believe should be included in FS2024:
1. All add-ons should be required to run in a sandbox environment without exception.
2. All add-ons in the “Community Folder” should not be loaded by default. The user must enable community folder mode to run these add-ons.
3. All add-ons in the “Community Folder” should not have any permissions by default. Only the user can enable permissions per add-on.
4. All add-ons that are not in the “Community Folder” have to be installed using an in game interface that probably checks the files are legitimate and safe to use.
5. WASM support should only be enabled by default if the add-on has been approved by Microsoft and downloaded from the official Flight Simulator store.
For X-box – yes, maybe that’s a concern, but for a PC, what’s the point of such restrictions, when the user is free to load and install just about anything they want to (MSFS or other), no matter how potentially it can corrupt their PC.
Any such risk on a PC can mostly be covered by having a good “automated” Backup / Restore system.
The only realistic way to outsmart all hackers is to be able to restore your system, should they manage to break in.
It’s not a question of IF they will, but more a question of WHEN!
Back in the P3D days where I was a wee lil ten year old (2019) it was harder than today, the installers sucked… the community folder didn’t exist, it was more having to do xml files for every addon
Point one kills A2A, Fenix, Maddog, and probably PMDG… point two is really just going to waste people’s time and then point three… reminds me of the P3D days where I had to do the funnest thing called scenery turning on and off… point four: every addon not on the MP goes in your community folder… And point five kills every single addon that has basic functionality… I have never gotten a virus from an addon, most was a false positive from the PMDG ops center but that was easy to fix
Respectfully I fully disagree with you, if you limit the outside access of devs, you are only hindering what they can accomplish and do in order to create high fidelity aircraft or programs such as traffic add ons or weather injectors. Most of the time if an application is doing something externally, it is either running a flight model outside the sim, grabbing weather information, accessing your aircraft info to overlay in a chart, etc.
If you really are worried about your protection when using 3rd party add-ons, then you are downloading from some random sketchy developers. Most 3rd party add-ons do not rely on your personal data and internet to run. Only time they will collect information would most likely be from your PC hardware to debug issues. Other times yes, they might grab IP information in order to activate said product. Other than that, if you are buying from trusted developers, you should have nothing to worry about. Allowing external access has been allowed by so many sims previously and has always been a thing in the flight sim arena.
You have given more personal data to Google by entering this forum to post this topic at a particular time of the day than the data a third party developer may eventually collect from you by running an external exe to check your addon license online. Google will sell your data before this topic reaches 50 answers.
On the other hand remember game supports scripts. Any addon using the cockpit tablet implementation is also running a script. You can call other scripts from there and open also a connection to the outside world. That’s already unprotected as MSFS client won’t act as a firewall in that case nor prevent the connection establishment itself.
The best way to protect yourself nowadays is to protect your network and limit your usage of free services and the data you accept to share when using them. In that case you are the product. That’s why those services are free.
If add-ons from A2A, PMDG, Fenix and others cannot be run in a sandbox environment then these add-ons are already taking advantage of users’ trust and running some code that might be harmful. These add-ons should never be 100% trusted with full system access. That is the reason point one is necessary to prevent harmful or malicious activities.
Point two ensures users understand the risks associated with downloading and running 3rd party add-ons from unknown 3rd party developers. Point three gives users control over how each of these add-ons operate. With the sandbox in point one that provides a safe environment. There are millions of people playing flight simulator and bad actors are going to target users with freeware to get users to download and run malware.
Point four ensures standards are met. The standards should be set by Microsoft and every add-on has to undergo a rigorous certification process and if the add-on passes the certification then it’s digitally signed by Microsoft. Then developers can release their add-on for users to buy, download and install.
As I said in the previous post, if 3rd party developers can’t create add-ons to run on the sandbox environment then they are likely creating unsafe or malicious code. No add-on developer should have full system access.
Many add-on developers don’t have much knowledge of information security and can’t protect users’ data or their own code against attacks whereas Google has people who are highly trained and knowledgeable in information security protocols to ensure compliance to standards.
Many add-on developers might be interested in making money by selling users’ data. When was the last time you read the terms and conditions of the add-ons you bought?
These add-on developers’ applications running in the background can collect and send a large amount of personal data back to their servers.
A sandbox environment that restricts access is the solution to prevent these practices.
There are a lot of built-in protections in operating systems to protect people from malicious attacks. These protections don’t harm people’s freedom. It’s the same with flight simulator add-ons. As long as 3rd party developers don’t run any harmful code then there won’t be any problem.
If you are not willing to allow access to external servers why don’t you just block those apps in your firewall? Some addons simply need those external servers as MSFS can’t hold the additional data at their servers. There’s no solution for that in SDK. The SDK will only allow to open a connection and having a sandbox environment won’t change the fact that addons may still need to collect data from external sources to publish data to your local client if data is not available in vanilla game. The best example I can remember right now are SSW jets which require external terrain data for radar system to work because data can’t be stored elsewhere. Other example is the Tablet implementation in HPG 145 which requires the map layout data from open street maps. That silly thing alone just requires a connection as game does not provide such map layout.
What you suggested above means that all the devs who run processes outside the sim in order to circumvent sandbox restrictions can not add their beneficial addons to the sim. This IS by all means a restriction to the freedom of development. It would limit us to what we get without devs like Fenix, A2A etc. Their addons extend the sim’s capability tremendously by NOT bothering about sandbox limitations. A2A for example has been known for their honesty and kindness for more than a decade and denying Accusim would be the worst that could happen to their business.
There are developers who exploited our trust in the past and that won’t ever be forgotten by the internet anyway. Forums and definitely all kind of media WILL bring this back to everyone’s attention as soon as these devs release something for MSFS. Purchasing despite this knowledge is a deliberate decision, I don’t need anyone to “protect” me from that.
“modding” the game is Optional and beyond the scope of responsibility for Any game developer
trying to make them responsible for your internet security is just plain silly
the Community folder is Empty by default, they don’t need to “disable” something You have to Enable to start with - it’s up to You to Choose what 3rd Party Software is safe to use or not, if you don’t feel comfortable with a company’s software Don’t Use It
i see this a lot, for some reason people think the game should be responsible for anything they happen to sell in a store (or in this case even something you buy elsewhere from the internet?)
it would be like trying to make chevy responsible for the tires you bought at walmart, it just doesn’t make sense to me
Sounds like a you problem. Has anybody hurt you? In more than 20 years of flight simming I never ever had any addon that was malicious. Not in MSFS, not in any other game. Bad quality? Sure but the worst quality addons were those that completely complied with the native engine. Those who ran outside the box were the most trustworthy ones in my experience.
If you are unable to cope with everyday risks of using a computer: nobody forces you to mod the game, just run it vanilla. But I am certainly not inclined to suffer from your anxiety.
Yes, of course, a sandbox environment does prevent an add-on developer from releasing add-ons that try to circumvent the sandbox environment. But it doesn’t prevent the developer from creating add-ons. The sandbox environment puts in limitations to prevent unsafe and harmful code from getting executed.
If an add-on developer such as A2A can’t work properly with this sandbox environment then they need to re-examine their code. After all, add-on developers don’t have any control over Microsoft Flight Simulator development. Add-on developers’ business models depend on Microsoft’s kindness. You don’t have to pay at the moment to use the SDK unlike Epic.