Windows RT Security Model Not Strong Enough To Protect Windows Store Apps?

Everyone knows that Windows RT is more secure than Windows 8 because of its closed nature and the app model surrounding it. Even though one cannot install unverified apps on Windows RT machines, already installed apps should also be protected from hackers. Recently, a Windows Phone developer posted the above picture showing how he can hack a Windows RT game's code to increase the number of gold coins in the game. This may not sound serious to you, but the same amount of gold coins costs about $100 on Android!

The above file was in the game's IsoStore, and it was even encrypted. Even though signing/verifying the data should be taken care of by the app itself, I think Windows RT should provide a more tamper-proof application storage solution for developers, as individual developers can’t do all of this themselves.

What do you think?

Thanks to WP Dev for the heads up.

  • Thomas O

    If you are an admin on your computer you can surely access any file. The purpose of “isolated storage” is to isolate applications from each other and not from an admin with full access to the computer.

  • Bugbog

    Doesn’t this indicate that the app encryption itself was easily decodable? Or is the app’s security dependent on the security of the storage location in RT?

  • Cliff

    I think you mean WinRT because Windows RT is the version of Windows that runs on Arm. Correct? And I’m pretty sure Visual Studio or whatever desktop application they’re using to hack that app doesn’t run on Windows RT devices like the Surface RT. It’s all very confusing, no thanks in part to MS and their crazy naming of products but anyway. Cheers ;P

    • Robert Frappier

      You can remote debug an RT device.

    • JNate

      Don’t forget that Windows 8 can install Windows RT apps…

    • GG002

      You certainly seem confused! WinRT == Windows RT!
      Windows NT may be what you were looking for.

      • Cliff

        Yes, except my point was regarding Visual Studio-like tools (like in the screenshot) running within Windows RT like the title states. I believe this isn’t possible right now 😛

        • GG002

          I never said Windows RT = Windows 8. I said WinRT = Windows RT. I know Windows RT doesn’t run Visual Studio. I just tried to make sense of your little mistake 😛

          • Cliff

            Oh dear and I didn’t make that mistake either. My point was the title of the article (Windows RT) which isn’t what the author is actually referring to. He really means the WinRT security model and also his implication that the Visual Studio-like tool would run on a Windows RT device (as noted by the screenshot). On those grounds the title of the article is incorrect so there you go. No mistake on my part. lol 😛

  • alukard

    Fact is if you are skilled and determined enough you can hack any security system. Nothing is truly secure and hey Microsoft will just beef up security accordingly.

  • Adam

    Microsoft has already created a number of restrictions in Windows RT that no longer even make the admin The computer is yours and individuals should not be locked out of their own machines.

  • brownbox

    There’s really not a whole lot you can do about this kind of stuff. If it’s possible for Windows to decrypt and read the data from isolated storage then it’s only a matter of time until a hacker figures out how to do it too.
    Really, any important data that you don’t want to be editable by the user, hackers or otherwise should actually be stored on the cloud and merely cached on the device. Whenever the app/game is connected to the internet it will recheck how much gold is in your account on the server and verify it matches what’s stored in isolated storage.
    Isolated really can’t be depended on to be completely secure and unmodifiable by determined individuals. This is no different on Android or iOS. Any decent developer knows not to do this and in truth, it is probably possible for this hacker to change the amount of gold he has in the game because it wasn’t a big issue for developers. Storing something like credit card details in isolated storage might not be such a great idea however.

    • Mitch Hancock

      Jetpack Joyride doesn’t store anything locally but the game. All preferences, advancements, etc. are stored in the cloud and you have to connect with Xbox Live.

    • KurianOfBorg

      Wrong. When the chain of trust starts from the CPU’s first instruction, a properly implemented system is unhackable.

  • xxxcoderxxx

    Well, this certainly blames the developers of the game instead of Microsoft, because it shows how easy it is to crack their game. There’s nothing wrong with users being able to access their own apps on the file system.

  • Robert

    lol that is a fail, because you aren’t supposed to store important data locally, store it on a server so the user cannot edit it.

  • calingasan

    Lol, bad programmer

  • Alex F.

    Neither iOS nor Android protects app storage – why would Microsoft be any different? This is clearly bad programming, not a flaw in Windows.

  • Steve Williams

    Developers should not use XML for storage of game state. That’s just the first step in avoiding the casual hacker.

  • Ian Aldrighetti

    This is just an example of a programmer who isn’t that good at protecting their applications from these types of hacks.

    I may not be a security expert, but if this is an online game then everything should be processed and validated server side. The application on the computer itself should just be a view for the game. So sure, a user could set the gold value to a large amount, but yet the server should see that the value from the application isn’t matching up with its value, and it would ignore the fake value.
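
The server-side check several commenters describe, combined with the signing the article mentions, as an added example that is not part of the original post or any comment. The names `SERVER_KEY`, `LEDGER`, `issue_snapshot` and `sync` are hypothetical; the assumption is that the signing key exists only on the server, so the locally cached value can be read and edited by the device owner but not re-signed.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: this key lives only on the game server and never ships in the
# app, so editing the cached file on the device cannot produce a valid tag.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample ledger: the server's own record of each player's gold.
LEDGER = {"player-1": 250}


def _tag(payload: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes the client will cache."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_snapshot(player: str) -> dict:
    """Server side: build the blob the client caches in local storage."""
    body = {"player": player, "gold": LEDGER[player]}
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "tag": _tag(payload.encode()).decode()}


def sync(snapshot: dict) -> dict:
    """Server side: check a cached snapshot the client sends on reconnect.

    The ledger value always wins; the snapshot only reveals tampering or
    staleness. A real service would take the player id from the
    authenticated session rather than from the payload.
    """
    payload = str(snapshot.get("payload", "")).encode()
    sent_tag = str(snapshot.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(payload), sent_tag):
        return {"status": "rejected", "gold": None}   # edited on the device
    claimed = json.loads(payload)   # tag verified, so this is server-issued
    gold = LEDGER.get(claimed["player"])
    if gold is None:
        return {"status": "rejected", "gold": None}   # unknown player
    status = "ok" if claimed["gold"] == gold else "stale"
    return {"status": status, "gold": gold}
```

An edited gold value fails the tag check, and even a validly signed but outdated snapshot is overwritten by the ledger value rather than trusted.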