95

Windows Phone Store weakness makes exclusive apps accessible to all, we explain how

Earlier today, we reported on a Windows Phone Store weakness allowing savvy users to download Nokia-exclusive applications onto non-Nokia hardware (well, try to at least, as often those apps are API dependent). But we did a little more digging and discovered the weakness doesn't just cover Nokia apps. You can manipulate the Store into providing any device or operator-exclusive app for your device.

The root cause appears to lie in the fact that the Store makes app metadata and availability decisions based on URL query parameters that are sent via HTTP and can easily be tampered with. For example, when viewing Samsung’s exclusive RSS Times app a Nokia device, your Windows Phone makes a request similar to the one below:

GET /v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=234879123&dm=RM-820_nam_canada_246&oemId=NOKIA&moId=TRF-US&cf=99-1 HTTP/1.1

Upon receipt of this request, the Store responds with a bunch of XML-formatted data describing the requested app. One of the elements in the reply – isAvailableInStore – controls the visibility of the Install button in the Store app. In this case, because we told the Store we’re using a Nokia-branded device (see the oemId parameter?), a Boolean false is returned. The Install button is disabled; we can’t install the app.

But what if we replaced that oemId value with say, SAMSUNG?

Using the Fiddler Web Debugger and a simple AutoResponder rule, we successfully spoofed a Samsung Windows Phone and installed RSS Times with no problems.

It’s not immediately clear how Microsoft will respond to this issue. We suspect Microsoft can remotely reconfigure Store app behavior, forcing communication through more secure means (e.g. HTTPS). But an increasingly chatty Store app on Windows Phone could impact Store performance and/or incur additional bandwidth costs on both ends of the pipe. We'll see.

Stay tuned and we’ll let you know what we hear from Microsoft.

4
loading...
0
loading...
0
loading...
0
loading...

Reader comments

Windows Phone Store weakness makes exclusive apps accessible to all, we explain how

95 Comments

No conspiracy, just providing some technical details for savvy folks to repro in a safer environment. (No one should use a proxy they don't have control over, that's just dangerous.)

You simply can't... its not a downloadable app, its built in to HTC Windows Phones. Even if you were to get the app to enable the tile, it requires drivers unique to HTC phones to even function.
 
TL;DR Without a LOT of work, it won't happen.

It is downloadable... It's called "HTC Hub". I can uninstall it and get it from the HTC section of the store again. Well it doesn't show the time, just a double-wide weather tile. So what is this clock tile? Haha on WP7 it shows the weather, maybe different on WP8?

The clock/weather tile is unique to WP8 HTC phones. The downloadable HTC Hub is just a news/weather/HTC app highlight hub. Its available on both WP7/8 but the weather/clock tile that everyone here is asking about is exclusive to HTC Windows Phones for the reason I mentioned above.

Okay my apologies :) I had no idea you were as involved with the WP community as you were.
(Still have no clue who the other dude is though).

WPCentral's snitch in China who has brought you guys a fair share of leaks and interesting rumors. And this dude is not even recognized. This dude is sad...

Well it's nice to meet you... sorry for everyone else exploding over the article you posted earlier. I didn't see an issue with the post and its always nice to see new posts from different writers.

Rafael Rivera has been affiliated with WPCentral for a long time and is an incredibly qualified WP dev. (As I remember, he did a lot of the developer-related postings before Rogue Code came around.) Also, this is very legitimate reporting, even if it's not appealing to all audiences.

Rafael is a well-known and trusted Windows blogger. He has very strong technical skills and know-how and was one of (maybe the first?) people to create custom UXstyle patches for Windows XP, Vista, etc. I read his personal blog every so often as well. He's a trusted source for information and is a good asset for WPCentral to have. Check his blog at withinwindows.com.

They'll probably fix this right away, but nothing about that Other storage fix. I mean it's not too bad for me, but I feel bad for some who have like 10GB. Even the Nokia Storage Check app doesn't work all the time.

Hah, I gave in at around 11GB last week. The storage hasn't grown much since then though, so maybe I got lucky.

I think other serves a purpose for one thing or another, but it definitely shouldn't be more than a couple of gigs.

Yeah, because using an auto response trick to make a digital gate open and allow you to obtain a few kb of data that's free is definitely theft, and not, you know, just good computing skills.

No. Data Sense is a WP8 system component, not a Store app. Just wait for GDR2, which supposedly brings it to everyone, regardless which carrier. It's not very far away.

 

Or flash the ROM from a Data-Sense-enabled carrier onto your device. Technically doable, very troublesome, could lead to disastrous concequence. Bricks a phone faster than you can say "brick" should any tiny step goes wrong.

A few quick thoughts on how Microsoft can patch this: 1. Encrypted communication to prevent parameter changing by manual means; 2. Do a fact check on both device model and OEM ID, making it harder to come up with a correct combination; 3. Check OEM and device model again when the actual downloading session is about to start. Too much of carelessness is going on, people assuming HTTP requests "of course" can't be modified by average users, a device with a downlowd button served "of course" is from the intended OEM.

Or OEMs could take matters intotheir own hands, adding model check functions into all their exclusive apps, performed upon every single launch. That would be very effective, I reckon. It's impossible to fake device model and OEM name of a Windows Phone witnout jailbreaking it. And if the phone is jailbroken indeed... well there's no way stopping it doing anything its owner wants...

Was about to ask how Apple and Google are dealing with similar problem when realized Apple does NOT have any OEM but itself and Google doesn't care shit about app ecosystem...

 

Got a feeling that Windows Store on Windows 8 and Windows RT might have the same problem. Although disguising device identity would be pointless on that front. Got a VAIO and a Surface and a Dell here. And the stuff in "OEM exclusivr" sections are to be described as uninteresting at best...

Apple doesn't have any OEM and all Android OEM preload all the crap as bloatware impossible to uninstall, except by flashing the phone.
"But what if some OEM whants to update their bloatware or add new apps?"
That would be a tuff question if Android OEMs keept supporting their phones after release but usualy that's not the case. And the only part Google cares about Android is the amazing piece of Spyware the've buit so OEM are able to do anything they want.
 

All Microsoft or the manufacturers need to do is have XAP files check the device they are being installed on before installing, if it's not the right manufacturer it would just throw up an error message. 

he will probably not tell you since everyone is already criticizing just because he written this.
but you can learn about how to do it by yourself reading the links (Fiddler).
if you are very lazy, I've read some tutorial in the WPCentral Forum by a guy which avatar is a orange squirrel but I don't know the link or name.

Only works for WP7 I guess...at least it says that it doesn't support my version of Windows Phone. Could that be gotten around as well?

About the only way is to have a unlocked phone and find someone who "hacked" it from the marketplace then sideload it... I tried a few apps that were WP7 apps only on my unlocked WP8 device with questionable results.
Some worked fine for the most part but, at some levels it would not recover...

Not sure if describing exactly how to exploit the system is the right thing to do in this situation. Most "good-willed" hackers alert the person they've hacked and simply announce there is a way to exploit it without giving links to tools that can be used to do the same.

+1, not impressed with WPCentral's behavior at all in this. Perhaps Nokia should rescind them their privileges to the next few Nokia exclusive events, then see how they like it.

While i agree with your first statement, I don't think blockign them from nokia exclusive events would do much of anything positive for nokia since WPcentral is often called "Nokia Central" . That said, I am quite disappointed with the reporting of this.

It's one thing to report and it's another thing to actually instruct people on how to do this...this goes for Nokia, Samsung or HTC products

Big deal we use to mod our windows mobile phones with apps from other phones back in the day. Big deal people can do what they want. Ohhh such a big deal that they posted the how too. Omg... Omg!

Manufacturers might start charging for their exclusive apps instead of making them free to their own phones, so yeah, could be a big deal.

I agree. No need to tell everyone how they can get around the system and steal software. I hope MS and the OEMs have a way to pull/block the apps from working.

I've successfully replicated the same thing to attempt to install HTC Hub as I have the direct link but the app only supprts 720P and 480x800. Bummer. Can't install. Lemme try Samsung
 

Do you mind posting how you did it ? just for information sake ? i mean a lot of people now know it and i dont think its anything illegal ! 

Its a really complicated process. Click here to learn how to connect your Windows Phone with fiddler2 and from there, click a link to an OEM app. You will find this link in fiddler2 that starts with marketplaceedgeservice.windowsphone.com that is the same as the one Rafael posted. Click that listing, click the auto-responder tab and at the bottom, there are 2 text fields. Enter the original one (e.g if u are a Samsung user, the listing that has te oemid as SAMSUNG) at the first field and the OEMID you want (e.g the same values as before but change the OEMID to the manufacturer you want. OEM ids are as follows: LGE = LG, SAMSUNG = Samsung, NOKIA = Nokia, HTC = htc. Note you can use this method to download carrier specific apps too by changing the moID value.) After changing the values and enabling auto-response, reload the link. You can now download apps from the OEM of your choice.

WP8Expert, Thanks for a detailed procedure. 
 
I tried, but when I click on the link to OEM app, not always it takes me to marketplaceedgeservice.windowsphone.com. I tried multiple times, and it does take me sometime there. I created this autoresponder - 
 
EXACT:(http)://marketplaceedgeservice.windowsphone.com/v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=520170499&dm=RM-820_nam_att_100&oemId=NOKIA&moId=att-us&cf=99-1
EXACT:(http)://marketplaceedgeservice.windowsphone.com/v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=520170499&dm=RM-820_nam_att_100&oemId=SAMSUNG&moId=att-us&cf=99-1
 
Does this look correct? After adding this one into auto-responder, the app is still not available for download on my device. Can you tell me if I am doing anything wrong... Thanks
 

Try again but this time, tap the "This app is not available" thingy. It most likely will tell you that it cannot install cuz of screen limitations. If it still doesn't work, remove the EXACT: from the address. If it still doesn't work, PM me and I will help.

question where can i get the request generated by my phone in store, I Get
GET /en-us/store/app/rss-times/e7fd6b61-a095-4b06-9fba-005cc9b09267 HTTP/1.1
Kinda Clueless :/ help

What is the moID value for T-mobile USA? I want to put the T-Mobile account app on a Verizon HTC 8X.

Yeah, I wasn't able to download HTC's Flashlight app, or Samsung's MiniDiary app for the same reason. :(

Hi, can someone advise if its possible to utilise this to download wp7 exclusive "rabbids go phone" on my lumia 920 by fooling it to think its a wp7?

that one is a big no. I have a few apps and games that I lost from moving over from a Wp7 device to a Wp8 device...

Is there a clear step by step directions to do this... I have a Lumia 928 and I **really** miss having my marketplace changer from my unlocked WP7.8 device..
I want ...
I'm a musician - Piano - from LG's collection (my kid loves that app)
and
HTC's flashlight app...
 

I want Samsung apps on my Nokia so give me the method please ? Or a proxy and I'll follow the steps from the guide