WinUI 3 migration: Unlocking system-wide capabilities on Windows

Delivering a secure password management experience requires deep integration with the environment you work in every day. Today, we are announcing an important architectural shift for our desktop users: the Windows application will be migrating to WinUI 3.

As part of this transition, we are officially discontinuing our use of the Universal Windows Platform (UWP).

Why we are moving to WinUI 3

When evaluating the future of the Windows app, it became clear that UWP's architecture is fundamentally at odds with the needs of a modern credential manager. We encountered three major roadblocks that prevented us from delivering the experience our users expect:

Blocked inter-app capabilities: "Fill credentials"

UWP was built, by design, to operate within a strict security sandbox known as an AppContainer. The original philosophy behind this architecture was to ensure that applications are heavily isolated from the rest of the operating system, and from one another. While this isolation prevents apps from tampering with your system, it inherently limits the application's capabilities and available APIs. Because of this deliberate architectural choice, UWP simply does not offer the OS-level interactions required to reliably communicate with other desktop applications. Consequently, this strict isolation makes it technically impossible to provide a system-wide "fill credentials" capability.

Blocked system capabilities: Background execution & system tray

Furthermore, UWP strictly halts processes when an application is minimized or put into the background. It prevents us from keeping the process alive or executing background tasks, which directly blocked several critical features:

• Session Keep Alive: Because the process is suspended as soon as you minimize the window, the lack of background work prevents us from maintaining a reliable "session keep alive" state.
• Time-based Security Routines: Security is our core focus, but UWP's background limitations prevent essential security features: most notably, the ability to automatically flush your clipboard after a set period of time once the app is minimized.
• System Tray Quick Access: Providing a tray icon requires a persistent, low-footprint background process. The sandbox constraints deny this capability, making it impossible to provide the fast, on-demand vault access that users expect from a modern credential manager.

A deprecated platform: The end of UWP updates

Beyond the technical sandboxing limitations, there is a strategic reality: Microsoft is no longer actively developing or updating the UWP platform. The industry standard for modern Windows applications has officially shifted to the Windows App SDK and WinUI 3. Continuing to build on a deprecated framework would prevent us from leveraging the latest Windows features, security enhancements, and UI improvements. Moving away from UWP is essential to future-proof the Passbolt desktop experience.

The security impact

Security is in Passbolt’s DNA, and moving away from a highly sandboxed environment is not a decision we took lightly. To ensure this architectural shift did not compromise our users, we partnered with Cure53 to perform a dedicated security audit of the migration, specifically addressing the risks associated with removing the UWP sandbox.

Here is what changes, and what stays exactly the same regarding your security:

The reality of the UWP sandbox and our threat model

Removing the AppContainer sandbox means our application is no longer strictly isolated from the rest of the system. Historically, this UWP sandbox primarily served to prevent the application from becoming an attack vector against the host OS in the event of a compromise.

However, it is important to understand our baseline security stance, as detailed in our white paper. Passbolt’s threat model has always been clear: if the underlying host machine is fundamentally compromised, no desktop application can guarantee absolute data protection. While we are losing the sandbox's outbound protection, we are maintaining the same strict inbound security posture. We have implemented robust safeguards, input validations, and guardrails to mitigate known attack vectors, ensuring that exploiting the Passbolt app remains exceedingly difficult for an attacker.

Maintaining integrity: The MSIX advantage 

Another notable technical shift in moving to WinUI 3 is the loss of UWP’s built-in file system and registry virtualization. While this might sound significant on paper, the practical security impact is minimal.

To compensate for this, we will continue to package and distribute the application as an MSIX through the Windows Store. This deployment method is crucial because it guarantees application integrity. MSIX leverages OS-level file system protections and strict cryptographic signature validation. If an attacker or malicious process attempts to tamper with the application's installation files, the system's integrity checks will detect the signature mismatch and prevent the application from running.

In short: we are leaving the restrictive UWP sandbox to give you a better experience, but we are keeping the strict file integrity, code signing, and defensive programming practices that keep your credentials safe.

What’s next?

We are currently putting the final touches on the WinUI 3 migration, and the goal is to ship this major architectural update in our very next release.

This transition marks a new chapter for the Passbolt Windows application. By finally breaking free from the UWP sandbox, we are laying the foundation for a much more powerful desktop experience. In the coming months, you can expect this newfound freedom to unlock a wave of long-awaited capabilities. This shift will allow the app to evolve faster, integrate more deeply with your operating system, and ultimately make your daily credential management more secure and smoother than ever.

Stay tuned for the upcoming release notes, and as always, thank you for your continued support and feedback!