Trial apps and in-app purchases easy to hack on Windows 8 says Nokia engineer

A principal engineer at Nokia, Justin Angel, has written a piece showing how to hack apps on Windows 8, undermining potential revenue for app vendors. “This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge,” he says, adding that the article was written in his own time and has nothing to do with his employer.

The hacks he describes cover:

  • Compromising in-app purchases by modifying data held locally, such as app currency
  • Converting trial apps to full versions without paying
  • Removing ads from games
  • Reducing the cost of items offered for in-app purchase
  • Injecting JavaScript into the Internet Explorer 10 process in order to bypass trial restrictions

There is an inherent security weakness in any app that has to work offline, since the decryption keys also have to be stored locally; this weakness is not unique to Windows 8. However, Angel argues that Microsoft could do more to address this, such as checking for tampered app files and preventing JavaScript injection. Code obfuscation could also mitigate the vulnerabilities.

Although Angel is writing in his own time, the issues are relevant to Nokia, which makes Windows Phone devices and may make Windows 8 tablets in future.

Should Angel have revealed the cracks so openly and in such detail? This is an old debate, but the article is sure to increase pressure on Microsoft to improve the security of the platform.

5 comments on this post.
  1. Chris Nahr:

    Most of the cracks are simple enough that no great secrets are revealed by publishing them. It’s just bizarre that you can hack commercial software by editing plain text files. You’d think Microsoft has some experience with thorough DRM protection from their Xbox business, but apparently nobody bothered to apply that experience to Windows Store.

  2. Chris Nahr:

    Well, either the server has collapsed under the load or someone’s lawyers threatened him. The website is down now.

  3. tim:

    Interesting. It did seem surprising to have such a clear guide from a person who works for Nokia.

  4. Chris Nahr:

    Meanwhile he has made some unrelated tweets, but he said nothing about his post or blog and ignored questions on the subject. Definitely seems like he’s been told to shut up, either by his employer or by legal threats from app developers.

  5. Chris Nahr:

    I just discovered that Google’s cached version of the page has been deleted as well. Yes, someone definitely got very angry about this guide…