This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Defeating Windows 8 Metro Apps

A Nokia developer has ripped the lid off of Microsoft's lax security.

A Nokia developer has demonstrated how to pirate Windows 8 Metro apps, turn off ads, and bypass in-app payments. None of this will help Microsoft's bid to woo developers.

Developers like to get paid for their work. They like to develop on platforms that offer the best odds that they will make money. Those odds just got slimmer for Windows 8. Justin Angel, a principal developer at Nokia for Windows Phone 7 and Windows Phone 8 devices, has released full details on how to get around the protections on Metro apps. The best source at the moment for this information is this Extreme Tech post. Angel's blog post is still unavailable at this writing -- it's possible it has been forced offline -- and the Google cache of it lacks the screenshot images, but has the full text.

Easy enough
The techniques Angel describes are not yet packaged up as a one-click exploit -- I have little doubt this will be done soon enough. As Angel writes, "any mildly competent developer can productize these security attack vectors into shipping products." What's involved wouldn't scare off most readers of this blog post, but it is more intricate than the average person would be comfortable undertaking.

To pirate an app -- to unlock its full capabilities as if it had been paid for -- one has only to edit an XML file to change a LicenseInfo attribute from "Trial" to "Full." To turn off in-game ads, edit its XAML file. Defeating the in-game purchase system is more involved: one would need to reverse-engineer some of the game code to find out how to modify an AccountData.xml file. But, as Angel writes, "We have the algorithm used for encryption, we have the hash key, and we have the encrypted data. Once we have all of those it's pretty simple to decrypt anything." The central problem is that Microsoft has stored all of those items locally and has not instituted sufficient checks and controls on running app code.
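To make the design point concrete, here is an added example (not code from Angel's post or from Microsoft) contrasting a license check that trusts a locally stored field with one that verifies a signature made by a key that never ships to the device. The JSON license format, the app ID, and every function name are constructed for illustration and are not the real Windows Store files or APIs.

```javascript
const crypto = require('crypto');

// Stand-in for the store backend: the private key stays off the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Server side: sign exactly the bytes the client will later check.
function issueLicense(appId, licenseInfo) {
  const payload = JSON.stringify({ appId, licenseInfo });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Weak client check: believes whatever the local file says.
function isFullNaive(license) {
  return JSON.parse(license.payload).licenseInfo === 'Full';
}

// Hardened client check: only the public key is local, so an edited
// payload no longer matches the signature and is rejected before parsing.
function isFullVerified(license, vendorPublicKey) {
  const ok = crypto.verify(
    null, Buffer.from(license.payload), vendorPublicKey,
    Buffer.from(license.signature, 'base64'));
  if (!ok) return false;
  return JSON.parse(license.payload).licenseInfo === 'Full';
}

// The local edit the article describes, applied to the constructed license.
function tamper(license) {
  return { ...license, payload: license.payload.replace('"Trial"', '"Full"') };
}

function demo() {
  const trial = issueLicense('com.example.game', 'Trial'); // constructed app ID
  const edited = tamper(trial);
  const full = issueLicense('com.example.game', 'Full');
  return {
    naiveTrial: isFullNaive(trial),
    naiveEdited: isFullNaive(edited),
    verifiedTrial: isFullVerified(trial, publicKey),
    verifiedEdited: isFullVerified(edited, publicKey),
    verifiedFull: isFullVerified(full, publicKey),
  };
}

console.log(demo());
```

A client-side signature check only holds if the code performing it cannot itself be modified, which is the second gap the article names. Entitlements that matter are more robust when the server enforces them.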

Mitigation
Angel claims that he released these details in order to force Microsoft to step up its security game. "The majority of ways games and apps developers would make money aren't secure by default on Windows 8," Angel writes. In the summary at the end of his post, Angel gives concrete suggestions of ways Microsoft could foil each of the attacks he has documented.

However, the indications are that Microsoft is not open to such suggestions. The Verge published a brief writeup on Angel's investigation, and got a comment from Microsoft on the situation. Redmond had this to say: "Any successful software distribution channel faces the challenge of being targeted by people wishing to circumvent the system for ill-gotten gains and we're committed to ongoing protection of both customer and developer interests."

In other words: we know best, go away. Not reassuring to the developers Microsoft urgently needs to attract to its platform.
