Windows Phone Marketplace app-security cracked: Proof-of-concept [Video]

Disclosure: Well before the publication of this article, WPCentral contacted Microsoft's Brandon Watson directly about the breach and we are cooperating with Microsoft in any way we can. Microsoft may be providing a statement to us addressing this issue, which we will of course post in its entirety if they choose to do so.

Yesterday we reported on a controversial "whitepaper" over at XDA (since pulled) which gleaned publicly available information to outline how the WP7 Marketplace could be cracked. To some, this was new. For others, it was very old. And for others still, it was information that was plain incorrect.

For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns (see here in their forums).

Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released (please don't ask). It is important to note that this was all done within six hours by one developer.

After the break, you can see a video of the application (called "FreeMarketplace") in action, demonstrating how easy it can be to download any app from the Marketplace. While many will condemn us for "promoting piracy," we respectfully disagree. We have heard many complaints from developers about this weakness for months now and it is their right to know about the flaws in the system. We are confident Microsoft will work hard to implement a stronger DRM system, in part due to this proof-of-concept demonstration.

Tobias, technical adviser for this article, can be contacted via WPCentral



There are 15 comments.

theefman says:

If you have informed MS and are working with them as you say, why not let them attempt to fix the issue before posting this video? What exactly is the point apart from making devs fearful and educating hackers?

Because MS has known about this for months already with little or no movement let alone acknowledgement of the problem. This isn't new. It's an attempt to bring focus and urgency to the issue.

ReneSchulte says:

Many have informed MS zillions of times. It's not new at all. It's a huge design flaw that needs to be addressed! I, as a dev, welcome the effort and I hope things will speed up now.

federaly says:

The only way MSFT will step up quickly is if you call them out on their flaws. Look I love MSFT I got my Mozart the day they came to the Telstra shop. I got friends who are making torrent apps and their own eReader and RSS feed apps and I wouldn't want them to lose out on money! If you stay quiet about something it won't go away. Bad publicity is what is going to change this situation and make MSFT fix the problem which will in turn make GOOD publicity.

sirkirby says:

DRM has always been useless and is constantly cracked. You have to obfuscate to protect your code.

GP07 says:

Which is something MS asked all devs to do a month or so ago. The problem is that there wasn't an obfuscate tool for free out from the start, something MS should have covered.

j2inet says:

Obfuscation Not available? That's not quite true.

There's the free community obfuscator (though one I personally don't suggest) and then there is the offering from PreEmptive that is free through March: http://www.preemptive.com/know-more/windows-phone-7

GP07 says:

Ya, now, my point is that those weren't out from day 1 when they should have been, unless I remember it wrong. MS should've had its own free obfuscation tool in the WP7 SDK IMO. But it doesn't.

ReneSchulte says:

It's not just about protecting the code, but I said it before and I say it again, obfuscation sucks and is no solution for securing (Windows Phone) apps. The Dotfuscator tool that Microsoft recommends can break your app. The highest level of obfuscation kills the performance of an app and therefore is a no go for most apps. Not to mention that all resources can't be obfuscated.

The best would be if Microsoft encrypts the XAPs during the certification process and decrypts them at the load on the device. That would be the best solution to protect the IP of the developers.

Rico says:

I remember scanning some of the threads over at MS' WP7 dev forums but it was honestly over my head and long enough ago that I had assumed they had been fixed. Understanding that piracy is inevitable, I hope this puts some additional pressure on MS to improve app security in the marketplace. Having used every other smartphone platform out there daily (Blackberry being the exception), I have to say WP7 is by far my favorite, even with all the shortcomings of 1.0. I'd hate to see it lose developer confidence this early.

cannon#WP says:

I'm all for the piracy of one app in particular, that stupid I Am Rich app.

robnaj says:

I think this is using the developer tools, similar to how the wonder-machine works from android side of things.

HD7guy says:

I can think of one way Microsoft may address the issue in part. Marketplace knows which apps you have downloaded to your phone and whether you bought it. It doesn't seem unreasonable to me that a minor change to Marketplace would allow for nuking cracked apps, giving you the option to buy them, simply charging you outright, or even going so far as to brick your phone.

WP_Splosion says:

You flamers are so out of line it is completely ridiculous, if it were up to me you would all be banned. This is a classic case of shooting the messenger.

Anybody sleazy enough to pirate an app somebody busted their hump making in their free time to sell for $5 already knows where to go for their piracy needs. All WPCentral is doing is their job: REPORTING THE NEWS.

If you don't like the news, go dig a hole and bury your head in it.

ay-mka says:

How can I download this app?