Microsoft's new Marketplace security reportedly cracked already

Here we go again. A couple of days before the Windows Marketplace for Mobile officially launched in October, XDA Developers member Chainfire published his workaround to Microsoft's minimal security measures. When you load an app from the Marketplace, it's done transparently to the user, with no CAB file left behind.

Fast forward to today, and Chainfire's let us know that he's bypassed Microsoft's new "advanced" security, which was rolled out along with Web access to the Marketplace. New is the use of license keys that can be baked into apps. These keys are controlled by Microsoft, not the developer. Says Chainfire:

This new "advanced" protection was released today by Microsoft, and as far as I know no app available already uses it at the time of this writing. So I got the code snippets you are supposed to put in your app and it was simply jawdroppingly WTF. While it was not exactly easy to beat, it took me less than two hours to devise a "generic" hack, without modifying any files on the device. (Well hey, at least it's better than the 5 minutes it took for the "basic" protection, right?) A "generic" hack? Yes, by this I mean that this single hack (actually, running an EXE in the background) will completely bypass the entire code snippet provided by Microsoft that is supposed to check and validate your license code, for all Marketplace apps that use this "advanced" protection.

Indeed, that's no good. But Chainfire says he's no Robin Hood, stealing from the rich and giving to the rest of us.

I will not publish the code that performs this hack, so don't ask. My goal is not to crack Marketplace apps, my goal is to get MS off their ass and allow us to use our own licensing systems, like the good little resellers they're supposed to be. I will tell you that it has to do with runtime patching the crypto API, but that's it. All in all, I don't think it will take long for the warez people to duplicate this hack.

Follow along in the XDA thread, and let's hope, for developers' sake, that things get worked out.

Thanks, Chainfire!

Phil Nickinson


  • Am I the only one who thinks that this whole marketplace was a bad idea to begin with? Many screamed and kicked for a WM app store, now it's here, people are complaining that you can't install into SD card... well if you install into SD card, you can use app in another WM phone you insert it to. Now we have developers complaining about piracy... demanding better security... IMO all this complaining is going to push MS to eventually follow iPhone app store model... pretty soon we all need to "jailbreak" our WM phones just to "loosen" up all this security. I think we are setting ourselves (WM followers) up for failure...
  • I disagree. (1) Installing apps to the SD card does not beat any copy protection, so it's silly you can't. Many apps still don't work without their registry entries, or the same device id, etc. You can just as well copy/paste it from your Program Files folder. There is no good reason not to allow installation to SD card, as far as I can see. (2) I think you're missing Chainfire's point completely. He is not complaining the copy protection is weak, or demanding stronger copy protection. If you read between the lines, he's actually complaining that developers cannot use their own licensing schemes, like is possible with pretty much every other reseller out there. It's a clear case of Microsoft not offering the bare minimum standard set by the webshops. Instead of this, they offer you a "better" protection which doesn't just (apparently) fail, but fails completely for all. It's comparable to using SecuROM or similar things on a CD-ROM game. It just doesn't do anything worthwhile for either the consumers or the developers, as there are generic patches out there, but it does cost time and money!
  • (1) Yes many apps won't work. The problem is many others WILL work. (2) "my goal is to get MS off their ass and allow us to use our own licensing systems" - chainfire... Here's why I think this is not going to work for the marketplace model: The marketplace stems from the idea of ease. Most consumers have no idea of the existence of current online app stores. Now imagine that you were one of these consumers (obviously you are not), and you have just purchased an app from your phone. How disappointed would you be to find out that, instead of instant access to your new purchased app, you have to contact the developer for a regkey or figure out how you are going to activate your app. Worse yet, have you ever tried to get a regkey from a developer, only to find out that it's Friday night. No one is at work. So you have to wait till Monday to get a return email for that regkey. As a store, MS is ultimately responsible for what they sell. MS needs to have a single, effective way to distribute license of every app.
  • ninjaap, you got it 100%! It's sad there seem to be so few people out there who are smart enough to try and understand Marketplace from the perspective of an average (non-tech savvy) user. There are more aspects that MS has to take into account than just the wishes of some geek coders ;-)
  • It seems - like pretty much everybody, including the news sites - you do not grasp the thought behind it. There would be _no_ difference for the user. The user would _not_ have to request codes from developers manually, the switching devices problem or flashing a new ROM would _not_ be a reason to have to do this either. Marketplace has all the needed parts in place, it is the method of generating and verifying the registration key itself that is the problem, _not_ the way it is distributed by Marketplace. The whole thing can be fixed _without_ the user ever noticing _any_ difference at all versus the current situation. Yes, that will require some smart coding on Microsoft's side, but it is _easily_ possible. Again I want to stress that there is no difference needed in the user experience.
  • I think that setting up a store that is accessible from the phones is a great idea. Gives all developers access and exposure to the market. Only thing that worries me is when they come up with a way to lock down the phone like they do an iPhone or Crackberry. I love the fact that I can customize my TP2 all the ways I can. Hate to see that go away for a little more exposure...
  • That is exactly what I am afraid of...
  • What surprises me about all this is that everyone's acting like installing apps from an app store is some newly formed idea. Yes Apple's store is locked in with its phone and iTunes. But what about Android and Palm? They have no problems with their app stores and security. And on the Android front there is no iPhone-ish lock-down. Hence, what's the real problem? What do Android and Palm have in common? They both are running on top of Linux and hence are subject to its security model (along with the framework each puts on top of it). Perhaps it's time for Microsoft to completely revamp its underlying architecture and address the issues of the modern world instead of the one that existed when Windows CE was released.
