Security Loopholes In Windows 8 App Model Has Been Exposed

Before Windows 8 got released, there were some discussions about the security model of Windows 8 Modern apps. Microsoft fixed some of those issues. Justin Angel, a well known Microsoft platform developer has blogged about various way to tamper Windows Store apps in a Windows 8 device. He provided the following weak points in Windows Store app model with examples,

  • #1: Compromising in-app purchases by modifying IsoStore
  • #2: Cracking trial apps to paid versions for free
  • #3: Removing in-app ads from games by editing XAML files
  • #4: Reducing the cost of in-game items by editing game data files
  • #5: Compromising In-app purchase items by injecting scripts into the IE10 process

Here is his summary of his findings and the ways Microsoft can fix them,

  1. In-app purchase items Storage: In-app purchase is fast becoming the #1 revenue stream for game developers. We’ve seen we can trick games local storage to acknowledge consumable items that haven’t been purchased. The real problem here is that Windows 8 apps don’t have any truly secure location that’s inaccessible to the user and can be secured in offline scenarios. One possible improvement here would be for Microsoft to offer such storage for all apps. Let developers have a secure encrypted isolated storage by default. Also, another possibility would be to turn on code obfuscation and minification by default in order to avoid the reverse engineering needed for this exploit.
  2. Trial apps: Trial apps will likely be adopted by around 50% of Windows 8 games. We’ve seen how the Trial licenses are stored in the Tokens.dat file and how easy it is to edit it. The real problem here is that Trial apps are downloaded to the client machine with the full unlocked logic embedded in them. One way to fix this issue would be to have developers build two app packages (one limited functionality trial package and one full functionality package) and have those secured by the Win8 store purchasing system.
  3. In-apps ads: Mobile advertising in apps is a major industry and a source of revenue for developers. We’ve shown how by simply editing the XAML files on disk we can turn off ads in games. It shouldn’t be possible to tamper with XAML/HTML files and then have them loaded to memory. One improvement Microsoft can undertake here is have better on-disk tampering checks.
  4. Game data files and in-game items: We’ve shown game data files can be edited and they’ll then be loaded into apps. It shouldn’t be possible to modify any game file and then have it loaded to memory. Microsoft could follow tothe aforementioned recommendation from item #3 to help mitigate this issue.
  5. Injecting arbitrary Javascript affecting in-app purchase: We’ve seen we can inject any javascript code to run inside the IE10 process for a Win8 WinJS store app. That shouldn’t be possible. One possible improvement  would be for the IE10 team to lock down the IE10 process for signed scripts only when not on a development machine.

Read more about it in detail here.

Comments