Windows Phone Marketplace app-security cracked: Proof-of-concept [Video]

Disclosure: Well before the publication of this article, WPCentral contacted Microsoft's Brandon Watson directly about the breach and we are cooperating with Microsoft in any way we can. Microsoft may be providing a statement to us addressing this issue, which we will of course post in its entirety if they choose to do so.

Yesterday we reported on a controversial "whitepaper" over at XDA (since pulled) which gleaned publicly available information to outline how the WP7 Marketplace could be cracked. To some, this was new. For others, it was very old. And for others still, it was information that was plain incorrect.

For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns (see here in their forums).

Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released (please don't ask). It is important to note that this was all done within six hours by one developer.

After the break, you can see a video of the application (called "FreeMarketplace") in action, demonstrating how easy it can be to download any app from the Marketplace. While many will condemn us for "promoting piracy," we respectfully disagree. We have heard many complaints from developers about this weakness for months now and it is their right to know about the flaws in the system. We are confident Microsoft will work hard to implement a stronger DRM system, in part due to this proof-of-concept demonstration.

Tobias, technical adviser for this article, can be contacted via WPCentral

Daniel Rubino

Daniel Rubino is the Editor-in-chief of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft since 2007 when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, laptops, next-gen computing, and for some reason, watches. Before all this tech stuff, he worked on a Ph.D. in linguistics, watched people sleep (for medical purposes!), and ran the projectors at movie theaters because it was fun.

  • If you have informed MS are working with them as you say, why not let them attempt to fix the issue before posting this video? What exactly is the point apart from making devs fearful and educating hackers?
  • Because MS has known about this for months already with little or no movement let alone acknowledgement of the problem. This isn't new. It's an attempt to bring focus and urgency to the issue.
  • Many have informed MS zillions of times. It's not new at all. It's a huge design flaw that needs to be addressed! I, as a dev, welcome the effort and I hope things will speed up now.
  • The only way MSFT will step up quickly is if you call them out on their flaws. Look I love MSFT I got my Mozart they day they came to the Telstra shop. I got friends who are making torrent apps and their on eReader and RSS feed apps and I wouldn't want them to lose out on money! If you stay quite about something it won't go away. Bad publicity is what is going to change this situation and make MSFT fix the problem which will in turn make GOOD publicity.
  • DRM has always been useless and is constantly cracked. You have to obfuscate to protect your code.
  • Which is something MS asked all devs to do a month or so ago. The problem is that there wasn't a obfuscate tool for free out from the start, something MS should have covered.
  • Obfuscation Not available? That's not quite true. There's the free community obfuscator (though one I personally don't suggest) and then there is the offering from PreEmptive that is free through March:
  • Ya, now, my point is that those weren't out from day 1 when they should have been, unless I remember it wrong. MS should've had it's own free obfuscation tool in the WP7 SDK IMO. But it doesn't.
  • It's not just about protecting the code, but I said it before and I say it again, obfuscation sucks and is no solution for securing (Windows Phone) apps. The Dotfuscator tool that Microsoft recommends can break your app. The highest level of obfuscations kills the performance of an app and therefore is a no go for most apps. Not to mention that all resources can't be obfuscated. The best would be if Microsoft encrypts the XAPs during the certification process and decrypts them at the load on the device. That would be the best solution to protect the IP of the developers.
  • I remember scanning some of the threads over at MS' WP7 dev forums but it was honestly over my head and long enough ago that I had assumed they had been fixed. Understanding that piracy is inevitable, I hope this puts some additional pressure on MS to improve app security in the marketplace. Having used every other smartphone platform out there daily (Blackberry being the exception), I have to say WP7 is by far my favorite, even with all the shortcomings of 1.0. I'd hate to see it lose developer confidence this early.
  • I'm all for the piracy of one app in particular, that stupid I Am Rich app.
  • I think this is using the developer tools, smiler to how the wonder-machine works from android side of things.
  • I can think of one way Microsoft may address the issue in part. Marketplace knows which apps you have downloaded to your phone and whether you bought it. It doesn't seem unreasonable to me that a minor change to Marketplace would allow for nuking cracked apps, giving you the option to buy them, simply charging you outright, or even going so far as to brick your phone.
  • You flamers are so out of line it is completely ridiculous, if it were up to me you would all be banned. This is a classic case of shooting the messenger. Anybody sleazy enough to pirate an app somebody busted their hump making in their free time to sell for $5 already knows where to go for their piracy needs. All WPCentral is doing is their job: REPORTING THE NEWS. If you don't like the news, go dig a hole and bury your head in it.
  • how can i download this app