A recent blog post by Nokia engineer (and former Microsoft employee) Justin Angel has either been knocked offline by a high volume of traffic or taken down by Microsoft because of its contents. Why? Because he discovered numerous issues with apps sold on the Windows Store. Unauthorized conversion of trial apps into full versions, modification of the prices of in-app purchases, and removal of embedded advertisements are just a few of the unearthed treasures.
According to Ars Technica, the focus of Angel's Windows Store examination was on games, arguably the most popular category in any app store. Game apps offer a variety of business models that developers are currently using like full retail, ad-supported free offerings, in-app purchasing and free demos.
The report gives several examples of how apps can be manipulated. In the case of Ultraviolet Dawn, the data files containing the prices of various upgrades could be edited in Notepad. A "hacker" could thus make those upgrades cheaper and stretch the in-game currency much further than normal. Storing this kind of data in XML makes it far easier to edit than patching binaries in a hex editor, the report said.
A similar "attack" was used on Microsoft's own Minesweeper. That app's interface is written in XAML, Microsoft's XML-based language for user interfaces. The XAML files ship as plain text inside the application's package and can likewise be modified in Notepad. A hacker can thus hide the ad panel from view; removing it entirely might actually break the app, according to the report.
Another example Angel offered was Soulcraft. Unlike the prior two, its modification was slightly more complex. Soulcraft uses in-game currency that is purchased with real money, and it stores this information locally along with the user's encrypted profile. This information can't be edited "casually", but the Soulcraft app itself reportedly contains everything needed to decrypt, modify and then re-encrypt the profiles.
In the demonstration, Angel used Soulcraft's own application libraries to load and decrypt a profile, change the amount of currency, and re-encrypt it. In this way, hackers can bypass the in-app purchasing system and pile gold into their account without shelling out real money.
Ars points out that, to prevent piracy and the spread of malware, Microsoft blocks side-loading by requiring all Windows Store apps to be digitally signed by Microsoft, or by an enterprise certificate in the case of corporate applications that are distributed privately. Application binaries can't be modified, or hacked, without invalidating their digital signatures. But the XML data files aren't covered by that same signature.
To read the full report, head here. It's rather lengthy, and goes into the realm of DRM and what Microsoft should do to prevent tampering with Windows Store apps. As of this writing, Justin Angel's blog is still offline.
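As an added illustration of the gap Ars describes (this is not code from Angel's post or from any of the apps named), the Python sketch below contrasts a price file parsed straight from disk, which accepts any edit, with a load routine that checks an integrity tag shipped alongside the package and rejects the edited copy. The XML layout, upgrade identifiers and key are constructed for the example.

```python
"""Integrity check for plain-text data files inside a signed app package.
Added example; the XML layout, identifiers and key are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for an "upgrade prices" file like the one described for
# Ultraviolet Dawn: plain XML that anyone can open and edit in Notepad.
PRICES_XML = b"""<upgrades>
  <upgrade id="shield_mk2" cost="500"/>
  <upgrade id="laser_mk3" cost="1200"/>
</upgrades>"""

# The same file after the kind of hand edit the article describes (test fixture).
EDITED_XML = PRICES_XML.replace(b'cost="1200"', b'cost="1"')

# Constructed demo key. A symmetric key inside the package can be recovered, which
# is exactly the Soulcraft problem; production code would verify an asymmetric
# signature whose public key lives in the Microsoft-signed binary instead.
DEMO_KEY = b"demo-key-for-illustration-only"


def sign_data_file(data: bytes, key: bytes = DEMO_KEY) -> str:
    """Build time: produce the tag the developer ships next to the data file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def load_prices_unverified(data: bytes) -> dict:
    """How the reported apps behaved: parse and trust whatever is on disk."""
    root = ET.fromstring(data)
    return {u.get("id"): int(u.get("cost")) for u in root.findall("upgrade")}


def load_prices_verified(data: bytes, shipped_tag: str, key: bytes = DEMO_KEY) -> dict:
    """Hardened load: refuse the file unless its tag matches the one shipped."""
    actual = sign_data_file(data, key)
    if not hmac.compare_digest(actual, shipped_tag):  # constant-time comparison
        raise ValueError("data file integrity check failed; refusing to load")
    return load_prices_unverified(data)


if __name__ == "__main__":
    tag = sign_data_file(PRICES_XML)  # would be computed once, at build time
    print("unverified load accepts edit:", load_prices_unverified(EDITED_XML))
    try:
        load_prices_verified(EDITED_XML, tag)
    except ValueError as exc:
        print("verified load rejects edit:", exc)
```

The check only helps if the verifying key cannot be tampered with along with the data, so in a real package the key belongs inside the signed binary (or the prices and balances stay server-side).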
no one will bother to hack ur apps if it's completely free of $$ or ads or etc
lengcaifai: no one will bother to hack ur apps if it's completely free of $$ or ads or etc
There's no such thing as a free lunch. Developers are also humans; they need to put food on the table as well.
Failed platform; who cares whether apps are easy to hack or not.
These crappy apps sound like they got what they deserved. Having to spend real money for in-game currency is a ripoff in itself. We need to go back to when you pay one price and the software is yours.
Not that unexpected, thinking of the way Windows is available and "unlocked" compared to Android and iOS. Though it is important to bring this to the table so it can be fixed.
This is what happens when apps get ported from smartphones to workstation environments... this is what I call laziness... Microsoft needs to have separate teams to develop apps for smartphones and apps for workstations.
It would really suck if the *real* reason M$ made Windows 8 was to save them development money. One platform fits all.
First Windows 8 was hacked to be free, so what's the surprise that some of the apps follow suit.
hoofhearted: These crappy apps sound like they got what they deserved. Having to spend real money for in-game currency is a ripoff in itself. We need to go back to when you pay one price and the software is yours.
EA's CEO thinks otherwise: http://www.youtube.com/watch?v=ZR6-u8OIJTE
CEO's speech to his shareholders: "When you are six hours into playing Battlefield and you run out of ammo, and we ask you for a dollar to reload, you're really not that price sensitive at that point... We're not gouging, but we're charging... I think it's a great model, and it represents a better future for the industry..."