Windows Phone Store weakness makes exclusive apps accessible to all, we explain how

Earlier today, we reported on a Windows Phone Store weakness allowing savvy users to download Nokia-exclusive applications onto non-Nokia hardware (well, try to at least, as often those apps are API dependent). But we did a little more digging and discovered the weakness doesn't just cover Nokia apps. You can manipulate the Store into providing any device or operator-exclusive app for your device.

The root cause appears to lie in the fact that the Store makes app metadata and availability decisions based on URL query parameters that are sent via HTTP and can easily be tampered with. For example, when viewing Samsung’s exclusive RSS Times app a Nokia device, your Windows Phone makes a request similar to the one below:

GET /v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=234879123&dm=RM-820_nam_canada_246&oemId=NOKIA&moId=TRF-US&cf=99-1 HTTP/1.1

Upon receipt of this request, the Store responds with a bunch of XML-formatted data describing the requested app. One of the elements in the reply – isAvailableInStore – controls the visibility of the Install button in the Store app. In this case, because we told the Store we’re using a Nokia-branded device (see the oemId parameter?), a Boolean false is returned. The Install button is disabled; we can’t install the app.

But what if we replaced that oemId value with say, SAMSUNG?

Using the Fiddler Web Debugger and a simple AutoResponder rule, we successfully spoofed a Samsung Windows Phone and installed RSS Times with no problems.

It’s not immediately clear how Microsoft will respond to this issue. We suspect Microsoft can remotely reconfigure Store app behavior, forcing communication through more secure means (e.g. HTTPS). But an increasingly chatty Store app on Windows Phone could impact Store performance and/or incur additional bandwidth costs on both ends of the pipe. We'll see.

Stay tuned and we’ll let you know what we hear from Microsoft.

Rafael Rivera

95 Comments

Whaaaaaaaaaaaaaaaaaaaaaaaaatt❓❓
Nice question marks.
Are you coming on to me??.. Lol
Nice punctuation
You too❔❔
I've notice these types of "posting" aren't coming from the usual crew. Interesting....
No conspiracy, just providing some technical details for savvy folks to repro in a safer environment. (No one should use a proxy they don't have control over, that's just dangerous.)
So, how would you get the HTC clock tile on a Lumia 920?
You simply can't... its not a downloadable app, its built in to HTC Windows Phones. Even if you were to get the app to enable the tile, it requires drivers unique to HTC phones to even function.

TL;DR Without a LOT of work, it won't happen.
Dagnamit. Had my hopes up for that lol. Nevermind.
It is downloadable... It's called "HTC Hub". I can uninstall it and get it from the HTC section of the store again. Well it doesn't show the time, just a double-wide weather tile. So what is this clock tile? Haha on WP7 it shows the weather, maybe different on WP8?
The clock/weather tile is unique to WP8 HTC phones. The downloadable HTC Hub is just a news/weather/HTC app highlight hub. Its available on both WP7/8 but the weather/clock tile that everyone here is asking about is exclusive to HTC Windows Phones for the reason I mentioned above.
That's exactly what I was wanting too!!! Rats
Me too!!
That's what I was wondering!! I want it NOW❕❕❕❕❕❕❕❕❕
Oh god yes, I missed that when I switched from a Surround to a Lumia 800.
Okay my apologies :) I had no idea you were as involved with the WP community as you were.
(Still have no clue who the other dude is though).
You and me both, pal! lol
WPCentral's snitch in China who has brought you guys a fair share of leaks and interesting rumors. And this dude is not even recognized. This dude is sad...
Don't be sad!
You're not related to Geraldo Rivera are you❔
No, Raf is WAY more intelligent that stupid friggin Geraldo Rivera. Raf should be insulted... ;-)
First its a joke.. Second, why should he be insulted if he is related? It's not him..
No, he's related to Jamie Rivera from pocketnow.com. They are brothers. :)
Well it's nice to meet you... sorry for everyone else exploding over the article you posted earlier. I didn't see an issue with the post and its always nice to see new posts from different writers.
The only post I want to see is an obit for a certan internet radio station.
Exactly, words of wisdom and experience here ppl.... Listen... You have been warned
Don't worry, Rafael is legit.
Rafael Rivera has been affiliated with WPCentral for a long time and is an incredibly qualified WP dev. (As I remember, he did a lot of the developer-related postings before Rogue Code came around.) Also, this is very legitimate reporting, even if it's not appealing to all audiences.
Rafael was a regular on the podcast last year... He's also a well known Windows hacker and author.
Snitch!.. Lol!
The regular guys are now using aliases because the NSA is watching.
Rafael is a well-known and trusted Windows blogger. He has very strong technical skills and know-how and was one of (maybe the first?) people to create custom UXstyle patches for Windows XP, Vista, etc. I read his personal blog every so often as well. He's a trusted source for information and is a good asset for WPCentral to have. Check his blog at withinwindows.com.
Rafael Rivera is a regular he comes around when we have really technical stuff.
They'll probably fix this right away, but nothing about that Other storage fix. I mean it's not too bad for me, but I feel bad for some who have like 10GB. Even the Nokia Storage Check app doesn't work all the time.
My phone got to 13GB other storage before I reset it.
Ouch.
Hah, I gave in at around 11GB last week. The storage hasn't grown much since then though, so maybe I got lucky.
I have 1.4GB in my other. I don't think that's a lot, but I'm wondering if that should be 0.
I think other serves a purpose for one thing or another, but it definitely shouldn't be more than a couple of gigs.
Tell me how to steal the hardware too please. Need a how-to article
Yeah, because using an auto response trick to make a digital gate open and allow you to obtain a few kb of data that's free is definitely theft, and not, you know, just good computing skills.
I suppose you are right. The NSA just has good computing skills, they should take what they want too.
Please.... Tell me how!??? Thanks in advance!
What about something like Data Sense? Can we grab it from a different carrier?
No. Data Sense is a WP8 system component, not a Store app. Just wait for GDR2, which supposedly brings it to everyone, regardless which carrier. It's not very far away. Or flash the ROM from a Data-Sense-enabled carrier onto your device. Technically doable, very troublesome, could lead to disastrous concequence. Bricks a phone faster than you can say "brick" should any tiny step goes wrong.
A few quick thoughts on how Microsoft can patch this: 1. Encrypted communication to prevent parameter changing by manual means; 2. Do a fact check on both device model and OEM ID, making it harder to come up with a correct combination; 3. Check OEM and device model again when the actual downloading session is about to start. Too much of carelessness is going on, people assuming HTTP requests "of course" can't be modified by average users, a device with a downlowd button served "of course" is from the intended OEM. Or OEMs could take matters intotheir own hands, adding model check functions into all their exclusive apps, performed upon every single launch. That would be very effective, I reckon. It's impossible to fake device model and OEM name of a Windows Phone witnout jailbreaking it. And if the phone is jailbroken indeed... well there's no way stopping it doing anything its owner wants...
Was about to ask how Apple and Google are dealing with similar problem when realized Apple does NOT have any OEM but itself and Google doesn't care shit about app ecosystem... Got a feeling that Windows Store on Windows 8 and Windows RT might have the same problem. Although disguising device identity would be pointless on that front. Got a VAIO and a Surface and a Dell here. And the stuff in "OEM exclusivr" sections are to be described as uninteresting at best...
Apple doesn't have any OEM and all Android OEM preload all the crap as bloatware impossible to uninstall, except by flashing the phone.
"But what if some OEM whants to update their bloatware or add new apps?"
That would be a tuff question if Android OEMs keept supporting their phones after release but usualy that's not the case. And the only part Google cares about Android is the amazing piece of Spyware the've buit so OEM are able to do anything they want.
All Microsoft or the manufacturers need to do is have XAP files check the device they are being installed on before installing, if it's not the right manufacturer it would just throw up an error message.
how a get the app? :O
Please.... Tell me how!??? Thanks in advance!
he will probably not tell you since everyone is already criticizing just because he written this.
but you can learn about how to do it by yourself reading the links (Fiddler).
if you are very lazy, I've read some tutorial in the WPCentral Forum by a guy which avatar is a orange squirrel but I don't know the link or name.
Does this mean I can get my USAA app back that I lost when replacing my phone?
http://www.windowsphone.com/en-us/store/app/usaa/6d5694b8-d1d7-df11-a844-00237de2db9e USAA app seems to be right there for free downloading, with no OEM restriction..?
Only works for WP7 I guess...at least it says that it doesn't support my version of Windows Phone. Could that be gotten around as well?
About the only way is to have a unlocked phone and find someone who "hacked" it from the marketplace then sideload it... I tried a few apps that were WP7 apps only on my unlocked WP8 device with questionable results.
Some worked fine for the most part but, at some levels it would not recover...
It has been shut down
Not sure if describing exactly how to exploit the system is the right thing to do in this situation. Most "good-willed" hackers alert the person they've hacked and simply announce there is a way to exploit it without giving links to tools that can be used to do the same.
+1, not impressed with WPCentral's behavior at all in this. Perhaps Nokia should rescind them their privileges to the next few Nokia exclusive events, then see how they like it.
While i agree with your first statement, I don't think blockign them from nokia exclusive events would do much of anything positive for nokia since WPcentral is often called "Nokia Central" . That said, I am quite disappointed with the reporting of this. It's one thing to report and it's another thing to actually instruct people on how to do this...this goes for Nokia, Samsung or HTC products
Have any of you bothered to read the comments here? Clearly folks aren't being "educated" on "how to do this".
Big deal we use to mod our windows mobile phones with apps from other phones back in the day. Big deal people can do what they want. Ohhh such a big deal that they posted the how too. Omg... Omg!
Manufacturers might start charging for their exclusive apps instead of making them free to their own phones, so yeah, could be a big deal.
They can start charging or just make it free for their own phones
I agree. No need to tell everyone how they can get around the system and steal software. I hope MS and the OEMs have a way to pull/block the apps from working.
I kinda need a way to get ChatOn on my HTC8X ...
Yea, same here, could you please tell me how?
Why didn't you get a Samsung ATIV then?
how can i do this rafael? i want nokia apps on my ativ s
Why didn't you get a Nokia?
Thanks! Fiddler is a much safer way to do it than using some random proxy someone made.
I've successfully replicated the same thing to attempt to install HTC Hub as I have the direct link but the app only supprts 720P and 480x800. Bummer. Can't install. Lemme try Samsung
Can you post a link? Or is it not that simple?
I got the link very easily. Just told my buddy with an 8X to tap "share" on the marketplace listing. Click Here: download link
Do you mind posting how you did it ? just for information sake ? i mean a lot of people now know it and i dont think its anything illegal !
Its a really complicated process. Click here to learn how to connect your Windows Phone with fiddler2 and from there, click a link to an OEM app. You will find this link in fiddler2 that starts with marketplaceedgeservice.windowsphone.com that is the same as the one Rafael posted. Click that listing, click the auto-responder tab and at the bottom, there are 2 text fields. Enter the original one (e.g if u are a Samsung user, the listing that has te oemid as SAMSUNG) at the first field and the OEMID you want (e.g the same values as before but change the OEMID to the manufacturer you want. OEM ids are as follows: LGE = LG, SAMSUNG = Samsung, NOKIA = Nokia, HTC = htc. Note you can use this method to download carrier specific apps too by changing the moID value.) After changing the values and enabling auto-response, reload the link. You can now download apps from the OEM of your choice.
Thanks. Will check it out.
WP8Expert, Thanks for a detailed procedure.

I tried, but when I click on the link to OEM app, not always it takes me to marketplaceedgeservice.windowsphone.com. I tried multiple times, and it does take me sometime there. I created this autoresponder -

EXACT:(http)://marketplaceedgeservice.windowsphone.com/v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=520170499&dm=RM-820_nam_att_100&oemId=NOKIA&moId=att-us&cf=99-1
EXACT:(http)://marketplaceedgeservice.windowsphone.com/v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=520170499&dm=RM-820_nam_att_100&oemId=SAMSUNG&moId=att-us&cf=99-1

Does this look correct? After adding this one into auto-responder, the app is still not available for download on my device. Can you tell me if I am doing anything wrong... Thanks
Try again but this time, tap the "This app is not available" thingy. It most likely will tell you that it cannot install cuz of screen limitations. If it still doesn't work, remove the EXACT: from the address. If it still doesn't work, PM me and I will help.
question where can i get the request generated by my phone in store, I Get
GET /en-us/store/app/rss-times/e7fd6b61-a095-4b06-9fba-005cc9b09267 HTTP/1.1
Kinda Clueless :/ help
Didn;t work :(
What is the moID value for T-mobile USA? I want to put the T-Mobile account app on a Verizon HTC 8X.
Yeah, I wasn't able to download HTC's Flashlight app, or Samsung's MiniDiary app for the same reason. :(
Thought as much
Damn. I want the Samsung call blocking app.
Since when do Rafael Rivera write here? This is a nice surprise!
A while.
I only want something like the htc clock, why is this too much to ask!?!
anyone can explain me how to do it? ty
Hi, can someone advise if its possible to utilise this to download wp7 exclusive "rabbids go phone" on my lumia 920 by fooling it to think its a wp7?
that one is a big no. I have a few apps and games that I lost from moving over from a Wp7 device to a Wp8 device...
Is there a clear step by step directions to do this... I have a Lumia 928 and I **really** miss having my marketplace changer from my unlocked WP7.8 device..
I want ...
I'm a musician - Piano - from LG's collection (my kid loves that app)
and
HTC's flashlight app...
So how do we actually install these apps if we are not a developer or so?
I want Samsung apps on my Nokia so give me the method please ? Or a proxy and I'll follow the steps from the guide

Show more comments