Trial apps and in-app purchases easy to hack on Windows 8 says Nokia engineer

A principal engineer at Nokia, Justin Angel, has written a piece showing how to hack apps on Windows 8, undermining potential revenue for app vendors. “This is an educational article written in the hope both developers and Microsoft can benefit from an open exchange of knowledge,” he says, adding that the article was written in his own time and has nothing to do with his employer.

The hacks he describes cover:

  • Compromising in-app purchases by modifying data held locally, such as app currency
  • Converting trial apps to full versions without paying
  • Removing ads from games
  • Reducing the cost of items offered for in-app purchase
  • Injecting JavaScript into the Internet Explorer 10 process in order to bypass trial restrictions

There is an inherent security weakness in any app that has to work offline, since the decryption keys also have to be stored locally; this inherent weakness is not unique to Windows 8. However, Angel argues that Microsoft could do more to address this, such as checking for tampered app files and preventing JavaScript injection. Code obfuscation could also mitigate the vulnerabilities.

Although Angel is writing in his own time, the issues are relevant to Nokia, which makes Windows Phone devices and may make Windows 8 tablets in future.

Should Angel have revealed the cracks so openly and in such detail? This is an old debate; but it is sure to increase pressure on Microsoft to improve the security of the platform.

5 thoughts on “Trial apps and in-app purchases easy to hack on Windows 8 says Nokia engineer”

  1. Most of the cracks are simple enough that no great secrets are revealed by publishing them. It’s just bizarre that you can hack commercial software by editing plain text files. You’d think Microsoft has some experience with thorough DRM protection from their Xbox business, but apparently nobody bothered to apply that experience to Windows Store.

  2. Meanwhile he has made some unrelated tweets, but he said nothing about his post or blog and ignored questions on the subject. Definitely seems like he’s been told to shut up, either by his employer or by legal threats from app developers.

  3. I just discovered that Google’s cached version of the page has been deleted as well. Yes, someone definitely got very angry about this guide…
