
Report: Windows 8 Apps Are Easily Hacked

Source: Ars Technica

Apps sold in the Windows Store are apparently easy to hack.

A recent blog post published by Nokia engineer (and former Microsoft employee) Justin Angel has been either knocked offline due to a high volume of traffic, or taken down by Microsoft due to its contents. Why? Because he's discovered numerous issues surrounding apps sold on the Windows Store. The unauthorized conversion of trial apps into full versions, the modification of the prices of in-app purchases, and removal of embedded advertisements are just a few unearthed treasures.

According to Ars Technica, Angel's Windows Store examination focused on games, arguably the most popular category in any app store. Game apps use a variety of business models, including full retail, ad-supported free offerings, in-app purchasing and free demos.

The report gives several examples of how apps can be manipulated. In one case, Ultraviolet Dawn, data files containing the prices of various upgrades could be edited with Notepad. Thus, the "hacker" could cheapen these upgrades and make the in-game currency last a lot longer than normal. Storing this kind of data as XML makes it extremely easy to edit compared to patching binaries in a hex editor, the report said.

A similar "attack" was also used on Microsoft's own Minesweeper. This app's interface is written in XAML, Microsoft's XML language for user interfaces. The XAML files are stored in plain text as part of the application's package and can also be modified using Notepad. The hacker can thus hide the ad panel from view; removing it outright might actually break the app, according to the report.

Another example offered by Angel was Soulcraft. Unlike the prior two, its modification was slightly more complex. Soulcraft uses in-game currency which is purchased using real money, and stores this information locally along with the user's encrypted profile. This information can't be edited "casually", but the Soulcraft app itself reportedly has everything you need to decrypt, modify and then re-encrypt the profiles.

In the demonstration, Angel used Soulcraft's own application libraries to load and decrypt a profile, update the amount of currency, and then re-encrypt the profile. By doing this, hackers can bypass the in-app purchasing system and dump loads of gold in their account without actually having to shell out real money.

Ars points out that to prevent piracy and the spread of malware, Microsoft is preventing side-loading by requiring all Windows Store apps to be digitally signed by Microsoft, or by an enterprise certificate for corporate applications that are distributed privately. Application binaries can't be modified – or hacked – without invalidating their digital signatures. But the XML data files aren't covered under the same signature-based umbrella.

"Storing digital signatures for data files and verifying those signatures before each file is loaded would not be tremendously difficult," Ars writes. "After all, Microsoft already does something comparable for HTML and JavaScript applications. For plain data, as used by Ultraviolet Dawn, the developer could in principle implement their own scheme to perform this integrity checking. But that's harder to do for XAML, as XAML is predominantly used by system libraries. A Microsoft-provided solution could cover both situations equally."
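The developer-implemented integrity check Ars describes for plain data files could look like the following sketch, which is an added example and not code from the article, from Angel's report or from any of the apps named. It assumes the table of expected SHA-256 digests is compiled into the signed application binary; the file name `upgrades.xml` and its XML layout are constructed for illustration.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample data file (hypothetical format, not from any real game).
UPGRADES_XML = b"""<upgrades>
  <upgrade id="shield" price="500"/>
  <upgrade id="laser" price="1200"/>
</upgrades>
"""

class TamperedDataError(Exception):
    """A data file does not match its pinned digest."""

def build_manifest(files):
    # Build step: SHA-256 of each shipped file. Assumption: this table is
    # compiled into the signed binary, so editing it breaks the signature.
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def load_verified_xml(root, name, manifest):
    """Read a data file, check it against the pinned digest, then parse it."""
    expected = manifest.get(name)
    if expected is None:
        raise TamperedDataError(f"{name}: no pinned digest, refusing to load")
    data = (Path(root) / name).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected:
        raise TamperedDataError(f"{name}: digest mismatch")
    # Parse the exact bytes that were hashed, not a second read of the file.
    return ET.fromstring(data)

def demo():
    manifest = build_manifest({"upgrades.xml": UPGRADES_XML})
    with tempfile.TemporaryDirectory() as root:
        path = Path(root) / "upgrades.xml"
        path.write_bytes(UPGRADES_XML)
        doc = load_verified_xml(root, "upgrades.xml", manifest)
        prices = {u.get("id"): int(u.get("price")) for u in doc}
        # Simulate a text-editor change to one price.
        path.write_bytes(UPGRADES_XML.replace(b'price="1200"', b'price="1"'))
        try:
            load_verified_xml(root, "upgrades.xml", manifest)
            rejected = False
        except TamperedDataError:
            rejected = True
    return prices, rejected

if __name__ == "__main__":
    print(demo())
```

Pinned digests only fit files that ship unchanged with the package. A keyed checksum whose key is stored in the app would not add protection, for the same reason the Soulcraft profile encryption did not: the app itself holds everything needed to recompute it.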

To read the full report, head here. It's rather lengthy, and goes into the realm of DRM and what Microsoft should do to prevent tampering of Windows Store apps. As of this writing, Justin Angel's blog is still offline.

 

Other Comments
  • 13
    lengcaifai , December 16, 2012 12:19 PM
    no one will bother to hack ur apps if its completely free of $$ or ads or etc
  • 22
    A Bad Day , December 16, 2012 12:24 PM
    lengcaifai: no one will bother to hack ur apps if its completely free of $$ or ads or etc


    There's no such thing as free lunch. Developers are also humans, they need to put food on the table as well.
  • 26
    hoofhearted , December 16, 2012 12:26 PM
    These crappy apps sound like they got what they deserved. Having to spend real money for in-game currency is a ripoff in itself. We need to go back to when you pay one price and the software is yours.
  • -5
    victorintelr , December 16, 2012 12:27 PM
    Not that unexpected thinking of the way Windows is available and "unlocked" compared to Android and iOS. Though it is important to bring this to the table so it can be fixed.
  • 4
    nebun , December 16, 2012 12:32 PM
    this is what happens when apps get ported from smart-phones to workstation environments....this is what i call laziness....Microsoft needs to have separate teams to develop apps for smart-phones and apps for workstations
  • -4
    tburns1 , December 16, 2012 12:42 PM
    It would really suck if the *real* reason M$ made Windows 8 was to save them development money. One platform fits all.
  • 4
    jaquith , December 16, 2012 12:43 PM
    First Windows 8 was hacked to be free so what's the surprise that some of the apps follow suit.
  • 0
    A Bad Day , December 16, 2012 1:02 PM
    hoofhearted: These crappy apps sound like they got what they deserved. Having to spend real money for in-game currency is a ripoff in itself. We need to go back to when you pay one price and the software is yours.


    EA's CEO thinks otherwise: http://www.youtube.com/watch?v=ZR6-u8OIJTE

    CEO's speech to his shareholders: "When you are six hours into playing Battlefield and you run out of ammo, and we ask you for a dollar to reload, you're really not that price sensitive at that point... We're not gouging, but we're charging... I think it's a great model, and it represents a better future for the industry..."
  • 0
    kellybean , December 16, 2012 1:25 PM
    Imagine that
  • 10
    kinggraves , December 16, 2012 1:34 PM
    lengcaifai: no one will bother to hack ur apps if its completely free of $$ or ads or etc


    No one will bother to MAKE apps if it's completely free of any profit gain. I see the kids are up early today. People work for money. If you want to make apps for free from a dumpster since you can't pay rent, be my guest.

    A Bad Day: EA's CEO thinks otherwise: http://www.youtube.com/watch?v=ZR6-u8OIJTE CEO's speech to his shareholders: "When you are six hours into playing Battlefield and you run out of ammo, and we ask you for a dollar to reload, you're really not that price sensitive at that point... We're not gouging, but we're charging... I think it's a great model, and it represents a better future for the industry..."


    This on the other hand is a problem. Some AAA publishers want to charge you for everything. There's a simple solution, stop buying their products. Buy from the publishers who aren't pulling this garbage. The second part is just as necessary, stop pirating from companies who aren't screwing you over or they'll be the ones going out of business first.

    It's going to cost either way. They're looking for "new" ways to make profits because the consumer is forcing them to. Blockbuster titles cost a lot more money than they used to, yet the consumer can pirate and is willing to pay less. Garbage games sell on mobile platforms because of a low initial price. The consumers are telling them that they aren't willing to pay a high price initially, so the cost will have to come later.
  • 3
    freggo , December 16, 2012 1:43 PM
    A Bad Day: EA's CEO thinks otherwise: http://www.youtube.com/watch?v=ZR6-u8OIJTE CEO's speech to his shareholders: "When you are six hours into playing Battlefield and you run out of ammo, and we ask you for a dollar to reload, you're really not that price sensitive at that point..."


    I can see it now; you are 6 hours into working on your year end accounting spreadsheet when a message pops up that you need to purchase more M$-credits while Excel locks your data for the time being :-)

    I bet someone at M$ is watching this development and is putting on his/her thinking cap.



  • 10
    A Bad Day , December 16, 2012 2:06 PM
    I really don't think MS wants to kill off their major customer base: other companies that use Excel

    EA on the other hand, it's full of people that don't know what is a computer game.
  • 3
    wemakeourfuture , December 16, 2012 2:21 PM
    lengcaifai: no one will bother to hack ur apps if its completely free of $$ or ads or etc


    There are a tonne of apps that are free but you get bonuses by paying. People will hack to get these bonuses for free.

    When I hear "People won't hack", that's the biggest load of you know what rationale to justify poor security.
  • 2
    wemakeourfuture , December 16, 2012 2:23 PM
    hoofhearted: These crappy apps sound like they got what they deserved. Having to spend real money for in-game currency is a ripoff in itself. We need to go back to when you pay one price and the software is yours.


    Free apps with in-game purchases are the new trend. It's hugely popular in Asia and the mobile revolution of the last 5 years has seen many employing this revenue model to make significant money.

    Sorry, justifying poor security by saying, "Let's not use this business model" is frightfully poor judgement.
  • 2
    ojas , December 16, 2012 3:01 PM
    Well in their press conference they didn't mention anything related to app security (nor did they say if banking apps would use stuff like SSL), so I'm not particularly surprised.
  • 2
    damianrobertjones , December 16, 2012 3:12 PM
    Toms: You're a bit LATE with this article! Keep up now
  • 1
    damianrobertjones , December 16, 2012 3:13 PM
    hydac7: nobody will bother with the ugly app system nor with windows 8 at all, relax people


    I have a feeling that you're very wrong.
  • -7
    damianrobertjones , December 16, 2012 3:14 PM
    I can No longer trust the comments system of Toms as the SAME user is simply changing their username to post multiple posts which literally fills the comments system with utter negative posts.

    Please resolve the issue or... well, there's always Engadget and Anandtech.
  • 3
    madjimms , December 16, 2012 3:39 PM
    I love how people think devs are "entitled" to money. What ever happened to make a program simply because it needed to be made? You'll see thousands of open source/completely free programs that developers worked hard as hell on & didn't ask for a penny (unless someone wanted to donate).