Earlier today, we reported on a Windows Phone Store weakness allowing savvy users to download Nokia-exclusive applications onto non-Nokia hardware (well, try to at least, as often those apps are API dependent). But we did a little more digging and discovered the weakness doesn't just cover Nokia apps. You can manipulate the Store into providing any device or operator-exclusive app for your device.
The root cause appears to lie in the fact that the Store makes app metadata and availability decisions based on URL query parameters that are sent via HTTP and can easily be tampered with. For example, when viewing Samsung’s exclusive RSS Times app a Nokia device, your Windows Phone makes a request similar to the one below:
GET /v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=234879123&dm=RM-820_nam_canada_246&oemId=NOKIA&moId=TRF-US&cf=99-1 HTTP/1.1
Upon receipt of this request, the Store responds with a bunch of XML-formatted data describing the requested app. One of the elements in the reply – isAvailableInStore – controls the visibility of the Install button in the Store app. In this case, because we told the Store we’re using a Nokia-branded device (see the oemId parameter?), a Boolean false is returned. The Install button is disabled; we can’t install the app.
But what if we replaced that oemId value with say, SAMSUNG?
Using the Fiddler Web Debugger and a simple AutoResponder rule, we successfully spoofed a Samsung Windows Phone and installed RSS Times with no problems.
It’s not immediately clear how Microsoft will respond to this issue. We suspect Microsoft can remotely reconfigure Store app behavior, forcing communication through more secure means (e.g. HTTPS). But an increasingly chatty Store app on Windows Phone could impact Store performance and/or incur additional bandwidth costs on both ends of the pipe. We'll see.
Stay tuned and we’ll let you know what we hear from Microsoft.
We may earn a commission for purchases using our links. Learn more.
Review: AMD's big impact on Surface Laptop 4 (15") makes a difference
Surface Laptop 4 gets a significant boost in performance thanks to AMD Ryzen R7, but there are also many qualifications to that statement. While it's easier to recommend the 15-inch 2021 model, Microsoft could still do better with this series. Here is what we think of Surface Laptop 4 with AMD (15-inch) after using it for the last week.
On Minecraft Dungeons' Xbox cloud streaming success with David Nisshagen
Minecraft Dungeons is an incredible dungeon crawler from Mojang and Double Eleven. The game is available practically everywhere, and now includes touch support on phones, making it a pioneer in the cloud gaming space for Microsoft. We caught up with Executive Producer David Nisshagen to discover the benefits and barriers to this exciting new opportunity for devs in the Xbox ecosystem.
Preview: We're finally getting more medieval melee mayhem with Chivalry 2
We got an opportunity to go hands-on with Torn Banner Studios' sequel to the original Chivalry: Medieval Warfare. Here's what you can expect from the game when it releases on June 8.
These laptops have bright screens great for outdoor use
Due to the never-ending war against sun glare, laptop developers have made their laptop screens brighter than ever in recent years. Here's a collection of some of our favorite laptops that have bright displays.