A recent blog post published by Nokia engineer (and former Microsoft employee) Justin Angel has been either knocked offline due to a high volume of traffic, or taken down by Microsoft due to its contents. Why? Because he's discovered numerous issues surrounding apps sold on the Windows Store. The unauthorized conversion of trial apps into full versions, the modification of the prices of in-app purchases, and removal of embedded advertisements are just a few unearthed treasures.
According to Ars Technica, the focus of Angel's Windows Store examination was on games, arguably the most popular category in any app store. Game apps offer a variety of business models that developers are currently using like full retail, ad-supported free offerings, in-app purchasing and free demos.
The report throws up several examples on how apps can be manipulated. In one case with Ultraviolet Dawn, data files containing the prices of various upgrades could be edited with Notepad. Thus, the "hacker" could cheapen these upgrades and make the in-game currency last a lot longer than normal. Using XML to store this kind of data makes it extremely easy to edit compared to patching binaries in a hex editor, the report said.
A similar "attack" was also used on Microsoft's own Minesweeper. This app's interface is written in XAML, Microsoft's XML language for user interfaces. The XAML files are written in plain text as part of the application's package and can also be modified using Notepad. The hacker can thus make the ad panel hidden from view – removing might actually break the app, according to the report.
Another example offered by Angel was Soulcraft. Unlike the prior two, its modification was slightly more complex. Soulcraft uses in-game currency which is purchased using real money, and stores this information locally along with the user's encrypted profile. This information can't be edited "casually", but the Soulcraft app itself reportedly has everything you need to decrypt, modify and then re-encrypt the profiles.
In the demonstration, Angel used Soulcraft's own application libraries to load and decrypt a profile, update the amount of currency, and then re-encrypt the profile. By doing this, hackers can bypass the in-app purchasing system and dump loads of gold in their account without actually having to shell out real money.
Ars points out that to prevent piracy and the spread of malware, Microsoft is preventing side-loading by requiring all Windows Store apps to be digitally signed by Microsoft, or by an enterprise certificate for corporate applications that are distributed privately. Application binaries can't be modified – or hacked – without invalidating their digital signatures. But the XML data files aren't covered under the same signature-based umbrella.
"Storing digital signatures for data files and verifying those signatures before each file is loaded would not be tremendously difficult," Ars writes. "After all, Microsoft already does something comparable for HTML and JavaScript applications. For plain data, as used by Ultraviolet Dawn, the developer could in principle implement their own scheme to perform this integrity checking. But that's harder to do for XAML, as XAML is predominantly used by system libraries. A Microsoft-provided solution could cover both situations equally."
To read the full report, head here. It's rather lengthy, and goes into the realm of DRM and what Microsoft should do to prevent tampering of Windows Store apps. As of this writing, Justin Angel's blog is still offline.
