Microsoft's new Marketplace security reportedly cracked already

Here we go again. A couple of days before the Windows Marketplace for Mobile officially launched in October, XDA Developers member Chainfire published his workaround to Microsoft's minimal security measures. When you load an app from the Marketplace, it's done transparently to the user, with no CAB file left behind.

Fast forward to today, and Chainfire's let us know that he's bypassed Microsoft's new "advanced" security, which was rolled out along with Web access to the Marketplace. New is the use of license keys that can be baked into apps. These keys are controlled by Microsoft, not the developer. Says Chainfire:

This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing. So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?) A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.

Indeed, that's no good. But Chainfire says he's no Robin Hood, stealing from the rich and giving to the rest of us.

I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.

Follow along in the XDA thread, and let's hope, for developers' sake, that things get worked out.

Thanks, Chainfire!

Phil Nickinson
