Windows Phone 7 and app piracy - closer than we think [Security Whitepaper]

Walking the fine line between black and white hat security, XDA member V@l€n has gone and posted a detailed "security whitepaper" on the state of app piracy in the Windows Phone Marketplace.

We almost hate to write on the topic since it will attract claims of supporting piracy,  but the fact is developers and Microsoft need to know just how vulnerable the platform is so that it can be improved on before it's a problem. And that's just it, right now there is no issue with app piracy for Windows Phone, but it is inching closer and once those few remaining hurdles are cleared, there will literally be a flood of pirated apps on the market.

But before we jump into all of that, lets detail exactly what is going on here. For better or worse, V@l€n has done a great job of outlining all the steps needed to make a ridiculous piracy campaign, showing all the necessary procedures that need to be cleared.

Follow us after the jump as we walk through this story...

As mentioned earlier, app piracy just does not exist yet in the Marketplace. But what V@l€n has done is given potential "black hat" developers a step by step guide on how to make such piracy happen. More importantly, V@l€n veers on advocacy here by wanting to "liberate" apps from Microsoft's "oppressive Featured Apps section" undermining his whiepaper's credibility in just preventing piracy. But putting aside judgment on motivation, lets look at the crux of the issue.

The steps needed to break down Microsoft's security is summarized as follows:

  • Download all the apps from the Marketplace: done (or can be done)
  • Seed those apps in a torrent for peer to peer distribution
  • Circumvent the 10 sideload app limit: done (see here)
  • Enable a disabled app: tricky, but can be done, no method to do it en masse
  • Get around code obfuscation (opens in new tab) (not mentioned by V@l€n, we'll do it for him)
  • Remove XAP security signature: needs work

Like we said, V@l€n doesn't seem aware that the 10-sideloaded app limit has already been breached, nor does he mention any potential use of code obfuscation which Microsoft is openly advocating and offering to developers for free.

Still, as can be seen above, the road to a completely open and hacked Marketplace is not that far off and in fact, seems within reach if and when more developers (black and white hat) begin tampering with the OS and development tools. None of this is unusual for any new OS and there is no 100% foolproof solution (iOS is cracked wide open and there is even a pirated app store for the platform that makes stealing software as easy as buying legit).

The real question is this: Is Microsoft prepared for this and do they have extra security features waiting in the wings to either prevent or quickly ameliorate any such security breach when it happens?

That we don't know and is what should concern commercial developers.

Source: XDA Forums; Thanks, V@l€n, for the info

Daniel Rubino

Daniel Rubino is the Editor-in-chief of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft since 2007 when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, laptops, next-gen computing, and for some reason, watches. Before all this tech stuff, he worked on a Ph.D. in linguistics, watched people sleep (for medical purposes!), and ran the projectors at movie theaters because it was fun.

  • Sorry Daniel. Reporting on the state of the Marketplace is one thing. Showing details as how it's being done and how wide spread it is makes it look exactly like you're supporting piracy. You're giving them free press at the end of the day. The casual user is not interested in alternative ways of downloading. The XDA community is and anyone who visits that forum is interested in articles like this and the last time I checked, WPCentral is not XDA. Putting a spin on the article as if you're hopeful that MS has a plan in place doesn't make up for the fact that your article does more good for the hacking or potential hacking community than it does for "hoping MS has a secondary security features" as you put it. Bad Article? Depends who's reading it. Bad journalism? In this case yes. Questionable intent of this article by author and the editing staff? HELL YES! Market Piracy is closer than we think? Maybe but I never thought about it until this article. Thanks for the heads up guys. I will be sure to check out XDA for the state of free apps for all.
  • @MistaWet @wpcentralisasshole Sorry guys, if you ever follow any forums in the public domain, this stuff IS known by many already. We're bringing in the open in the hopes that MS and developers can formulate a response. And don't be so naive. You honestly think that if we don't report it, it just doesn't exist? Piracy is not a problem? News flash: since writing this I've received a lot more info and guess what? Most of what is mentioned above *has* been done already. Developers need to know the state of black hat security is on Windows Phone. Pretending it doesn't exist is a fools logic.
  • @MistaWet @wpcentralisasshole You guys are over reacting. So what they reported on what someone would have to do. I read. Can I suddenly hack apps no. Hell do I have ANY idea where to begin no. People who are trying to hack WP7 now already know it's weaknesses and are already trying. People who would read this are more then likely people such as myself a consumer of media who have NO idea how any of this is done. And since no one has proven how piracy affect sale the running theory goes that people who pirate stuff were NEVER going to buy the product anyway.
  • @Federaly "Can I suddenly hack apps no. Hell do I have any idea where to begin no." You do now. All you had to do was read the article. "people who would read this are more then likely people such as myself a consumer of media who have no idea how any of this is done." What? Do you think people are born hackers? All you have to do is see the flood of newbies on XDA that all shout " Boy am I glad I found this site! I never knew this stuff was going on". As far as the sales comment goes it's not the point I was making. The point I was making speaks to the irresponsible nature of this article informing the "casual" user of the hacking communities efforts to break into the marketplace and especially how they do it. Like I said, a wannabe hacker or ROM thief appears on the scene everyday. No need for WPCentral to help spread the word and if they do, not give them the play book how to get started and where to go.
  • Sorry, but I am not buying this at all. Using MS simple obfuscation is definitely not going to protect your app. However, there are plenty of quality paid obfuscation products on the marketplace that will really obfuscate your application to the point of not being able to crack it. So let's back up a step there... And I do have to agree with the other comments above. Posting that it is an issue and that there are poorly written and poorly worded white-papers out there on the topic is one thing. Breaking it down into detail, and filling in the gaps for them? Then you're no better than the hacker themselves. Don't get caught up in this junk. Let's focus on the good WP is doing, and not promote the problems that COULD develop.
  • Sorry, I disagree. Once again, pretending these holes don't exist will not prevent piracy. Openness, discussion and out rage by developers will. I want you people to get mad, I want developers to be worried, I want them to demand better security from Microsoft. Just because some of you don't follow these things posted on well known and open public forums does not mean piracy will just vanish. And covering it does not mean that piracy will take over the marketplace. Don't shoot the messenger, save it for Microsoft.
  • Your argument is flawed. People can steal cable tv. It's much tougher these days than in the old analog days, but it still can be done. Does that mean Joe Consumer is going to do it? No. Does that mean the cable company doesn't know about it? No. But what do you expect? Nothing is hacker-proof. Anyone who believes that is just kidding themselves. It's fine to report that its an issue to be concerned about. But your argument makes it sound like its right around the corner, and I don't buy that.
  • "But your argument makes it sound like its right around the corner, and I don't buy that." Tune in tomorrow then and you'll change your opinion very fast.
  • What does that mean? You can steal digital cable TODAY. You can steal DirecTV TODAY. And according to Wired, you can listen in on GSM phone calls TODAY. So should we all stop using GSM phones because of that risk?
  • Security through obscurity is not security. For the platform to improve issues like this need to be revealed. Is the damage less if only elite uber crackers know about this? Are the cracking groups most likely to set up pirate app stores really hanging around a "consumer" web site like this to learn their trade? Let's not kid ourselves here. People are always trying to think of ways to get stuff for free - especially when there is some degree of price inflation on the WP7 marketplace vs. iOS/Android (as pointed out by reviews written about some apps). They don't have to read this article to come up with that idea.
  • I share the same sentiment as everyone who expressed their disapproval for this article. I also feel as though this is meant to deter developers from developing for the platform since this will effect them first. But I kind of feel conflicted as to why a blog site supposedly meant to mostly promote the platform would do that. At the same time, in light of all the news about 5000 apps in such a short time for a brand new platform and how significant that is, could be a nice thorn in the side of someone that favors another platform. I'm sure not everyone at WPC are required to use MS products... might we have a saboteur in our midst? I don't know the author's history, call me paranoid. The fact is that this issue was a well known flaw since before WP7 went RTM. Actually it's a flaw in the program language. I first read it from another blog site (and few others) in the late summer that spewed nothing but negativity about WP7 and this site in particular also had a Microsoft moniker (admittedly, they weren't handing-out the blueprints on exactly how to do it). Knowing that might be lending a helping hand to my paranoia. I hope I'm wrong. Also a fact - piracy occurs on every platform, software and media. MS and Universal, to name a few, know it's practically impossible to stop. Technology makes this a fact of life. So while I get the whole "informing the people" and "hoping MS fix this" spiel, this article, at least in its current form could do more harm than good.
  • Once again, not reporting or self-censorship is not something we practice here. Sorry if the news is bad but we feel that it is newsworthy. We are in contact with Microsoft on this issue and will have more on it tomorrow. A lot more.
  • Reporting is not the problem. We all like some good information. Knowing the Marketplace is close to being hacked and steps MS can take to prevent this from happening is news. The extra stuff sounded more like a XDA thread geared to get their faithful excited.
  • I think you are missing the point of the complaints people have had though. They are not saying "Boo WPCentral for reporting this at all". I actually think it was a good idea. They are booing taking the article to the extreme that it did. What benefit was gained by doing so? It just came across as anti-WP7, which for a site that I would assume to be pro-WP7, seems a bit off. It's more the kind of breakdown I'd expect on an iPhone or Android site, pointing to the flaws in WP7. It's one thing to point out the risks. It's another thing to blueprint them out for everyone.
  • i understand that there's certain topics that people have knee-jerk reactions to, but it's a shame that you can't write an article that actually dares to talk about potential piracy with maturity without being called a hypocrite, asshole or a saboteur. Merely talking about something does promote it to a degree, but i don't think active promotion of piracy is the intent here. Actual hacking/cracking requires understanding intimately how a system works so you can make it do what you want, not just running an app or script. Most people, even those who have the intention of pirating apps, simply aren't going to read this list and then do the research and learning necessary to pirate some five-dollar apps.
  • I'm sure the intent of this article wasn't to promote piracy.
  • Who is the idiot who think he knows stuff about wp7 and fixed piracy in apps does he not no one going to bother anyway because once you used to released shite flawed unlock tool all your paid apps won't update anyway so wp7 phone beef a gull restore go continue
  • In the meantime MS will provide the "server side encryption", we can protect against 99% of automated hacking implementing the code shown in this article: