Windows Phone Marketplace app-security cracked: Proof-of-concept [Video]

Disclosure: Well before the publication of this article, WPCentral contacted Microsoft's Brandon Watson directly about the breach and we are cooperating with Microsoft in any way we can. Microsoft may be providing a statement to us addressing this issue, which we will of course post in its entirety if they choose to do so.

Yesterday we reported on a controversial "whitepaper" over at XDA (since pulled) which gleaned publicly available information to outline how the WP7 Marketplace could be cracked. To some, this was new. For others, it was very old. And for others still, it was information that was plain incorrect.

For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns (see here in their forums).

Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released (please don't ask). It is important to note that this was all done within six hours by one developer.

After the break, you can see a video of the application (called "FreeMarketplace") in action, demonstrating how easy it can be to download any app from the Marketplace. While many will condemn us for "promoting piracy," we respectfully disagree. We have heard many complaints from developers about this weakness for months now and it is their right to know about the flaws in the system. We are confident Microsoft will work hard to implement a stronger DRM system, in part due to this proof-of-concept demonstration.

Tobias, technical adviser for this article, can be contacted via WPCentral


Reader comments


If you have informed MS and are working with them as you say, why not let them attempt to fix the issue before posting this video? What exactly is the point apart from making devs fearful and educating hackers?

Because MS has known about this for months already with little or no movement let alone acknowledgement of the problem. This isn't new. It's an attempt to bring focus and urgency to the issue.

Many have informed MS zillions of times. It's not new at all. It's a huge design flaw that needs to be addressed! I, as a dev, welcome the effort and I hope things will speed up now.

The only way MSFT will step up quickly is if you call them out on their flaws. Look, I love MSFT; I got my Mozart the day they came to the Telstra shop. I got friends who are making torrent apps and their own eReader and RSS feed apps and I wouldn't want them to lose out on money! If you stay quiet about something it won't go away. Bad publicity is what is going to change this situation and make MSFT fix the problem which will in turn make GOOD publicity.

Which is something MS asked all devs to do a month or so ago. The problem is that there wasn't an obfuscation tool for free out from the start, something MS should have covered.

Ya, now, my point is that those weren't out from day 1 when they should have been, unless I remember it wrong. MS should've had its own free obfuscation tool in the WP7 SDK IMO. But it doesn't.

It's not just about protecting the code, but I said it before and I say it again, obfuscation sucks and is no solution for securing (Windows Phone) apps. The Dotfuscator tool that Microsoft recommends can break your app. The highest level of obfuscation kills the performance of an app and therefore is a no go for most apps. Not to mention that all resources can't be obfuscated.

The best would be if Microsoft encrypts the XAPs during the certification process and decrypts them at the load on the device. That would be the best solution to protect the IP of the developers.

I remember scanning some of the threads over at MS' WP7 dev forums but it was honestly over my head and long enough ago that I had assumed they had been fixed. Understanding that piracy is inevitable, I hope this puts some additional pressure on MS to improve app security in the marketplace. Having used every other smartphone platform out there daily (Blackberry being the exception), I have to say WP7 is by far my favorite, even with all the shortcomings of 1.0. I'd hate to see it lose developer confidence this early.

I think this is using the developer tools, similar to how the wonder-machine works from android side of things.

I can think of one way Microsoft may address the issue in part. Marketplace knows which apps you have downloaded to your phone and whether you bought it. It doesn't seem unreasonable to me that a minor change to Marketplace would allow for nuking cracked apps, giving you the option to buy them, simply charging you outright, or even going so far as to brick your phone.

You flamers are so out of line it is completely ridiculous, if it were up to me you would all be banned. This is a classic case of shooting the messenger.

Anybody sleazy enough to pirate an app somebody busted their hump making in their free time to sell for $5 already knows where to go for their piracy needs. All WPCentral is doing is their job: REPORTING THE NEWS.

If you don't like the news, go dig a hole and bury your head in it.