Security Loopholes in Windows 8 App Model Have Been Exposed

Before Windows 8 was released, there were discussions about the security model of Windows 8 Modern apps, and Microsoft fixed some of those issues. Justin Angel, a well-known Microsoft platform developer, has blogged about various ways to tamper with Windows Store apps on a Windows 8 device. He listed the following weak points in the Windows Store app model, with examples:

  • #1: Compromising in-app purchases by modifying IsoStore
  • #2: Cracking trial apps to paid versions for free
  • #3: Removing in-app ads from games by editing XAML files
  • #4: Reducing the cost of in-game items by editing game data files
  • #5: Compromising In-app purchase items by injecting scripts into the IE10 process

Here is his summary of the findings and the ways Microsoft could fix them:

  1. In-app purchase items storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We’ve seen we can trick games’ local storage to acknowledge consumable items that haven’t been purchased. The real problem here is that Windows 8 apps don’t have any truly secure location that’s inaccessible to the user and can be secured in offline scenarios. One possible improvement here would be for Microsoft to offer such storage for all apps. Let developers have a secure encrypted isolated storage by default. Also, another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.
  2. Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. We’ve seen how the Trial licenses are stored in the Tokens.dat file and how easy it is to edit it. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system.
  3. In-app ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We’ve shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn’t be possible to tamper with XAML/HTML files and then have them loaded to memory. One improvement Microsoft can undertake here is to have better on-disk tampering checks.
  4. Game data files and in-game items: We’ve shown game data files can be edited and they’ll then be loaded into apps. It shouldn’t be possible to modify any game file and then have it loaded to memory. Microsoft could follow the aforementioned recommendation from item #3 to help mitigate this issue.
  5. Injecting arbitrary JavaScript affecting in-app purchase: We’ve seen we can inject any JavaScript code to run inside the IE10 process for a Win8 WinJS store app. That shouldn’t be possible. One possible improvement would be for the IE10 team to lock down the IE10 process for signed scripts only when not on a development machine.
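Items #3 and #4 both ask for "better on-disk tampering checks" before XAML and game data files are loaded. The following is an added illustration of what such a check looks like, not code from the article or from Windows 8: a build-time manifest of SHA-256 hashes, MAC'd with a key, is verified at startup and names any asset that was edited. The asset contents, file names and key are constructed for the example. As item #1 notes, a key kept on the device is itself readable, so this raises the cost of the edits but is not a secure store.

```python
import hashlib
import hmac

# Constructed sample assets standing in for a Store app's on-disk XAML and game data files.
ASSETS = {
    "MainPage.xaml": b'<Page><AdControl Visibility="Visible"/></Page>',
    "items.json": b'{"sword": {"cost": 500}}',
}

# Placeholder key for the example; on a real device it would be readable too (see item #1).
DEMO_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _serialize(hashes: dict) -> bytes:
    # Canonical order so the MAC does not depend on dict ordering.
    return "\n".join(f"{n}:{h}" for n, h in sorted(hashes.items())).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Build-time step: hash every asset and MAC the hash list so the manifest cannot be edited silently."""
    hashes = {name: sha256_hex(data) for name, data in files.items()}
    tag = hmac.new(key, _serialize(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "tag": tag}


def verify_assets(files: dict, manifest: dict, key: bytes) -> list:
    """Startup step: return the names of assets that fail the check; an empty list means nothing was tampered."""
    hashes = manifest["hashes"]
    expected = hmac.new(key, _serialize(hashes), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["<manifest>"]  # manifest edited or signed with a different key: trust nothing in it
    bad = [n for n, h in sorted(hashes.items())
           if n not in files or not hmac.compare_digest(sha256_hex(files[n]), h)]
    bad += [n for n in sorted(files) if n not in hashes]  # files that were not in the package
    return bad


if __name__ == "__main__":
    manifest = build_manifest(ASSETS, DEMO_KEY)
    print("clean:", verify_assets(ASSETS, manifest, DEMO_KEY))
    edited = dict(ASSETS, **{"items.json": b'{"sword": {"cost": 5}}'})  # the item-price edit from item #4
    print("edited items.json:", verify_assets(edited, manifest, DEMO_KEY))
```

An app would refuse to load, or fall back to re-downloading the package, when the returned list is non-empty.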

Read more about it in detail here.

  • grs_dev

    This is truly disturbing. Instead of making videos to attract developers, how about close any loopholes that make them feel like their rear is wide open and exposed!

    • sumedh

      True. But flaws always exist (big or small) with every product; sometimes they are spotted by the developing company and fixed, or they are spotted by other developers, who should inform the company for immediate action. The company cannot predict ALL scenarios for hacking stuff…

  • budhraninilesh

    unreadable italic font!!!

  • Oliver Lohkamp

    This is an OS unrelated problem if programmers do not encrypt their licence or other data files or cookies. Encryption +salt is 1 or 2 lines of code in .NET.

    • Kévin Gosse

      Licensing is handled by the Windows 8 API, not by the developer.

      • Martyn Metalous

        That is true, licensing is an API, we have no control over how it is stored.

  • Emi Cyberschreiber

    Most of these problems are from not having a locked OS. Microsoft should just remove people from having access to files, registry, and well, anything like that! Of course people would complain, but there wouldn’t be any security issues like this.

    Of course I’m not being serious, but still, that problem is how Windows is so open and all that. So removing access to these system things would be a really good fix.

  • vcfan

    Every piece of software on a PC, where you can read and modify files and memory at your leisure, is and will be cracked.
    Just like on every other device, the hackers find a way to be able to modify memory or files; when that method is found, it automatically means that the software will be cracked. On Windows machines, the first part doesn’t need to be done: memory and files can already be modified. It doesn’t matter what kind of encryption you use, because the decryption routine has to happen on the computer, and you can see everything.
    It’s like saying you’re not allowed to lock your front door, but let me give you grief because your house is not secure against intruders.