Microsoft has posted more advice on how to prevent your Windows 8 Modern UI apps from being hacked, though you might feel the information isn’t that helpful.
Microsoft posted the advice following last week’s article that claimed Windows 8 Modern UI apps can easily be hacked to turn trial versions into full versions without paying. The article was posted on the personal website of a Nokia employee called Justin Angel, who used to work for Microsoft and is a well-known developer.
The website later disappeared, but the original article gave details of five weaknesses in the Windows Store app model. Angel gave examples of how users could modify an app’s isolated storage (IsoStore) to compromise purchases within apps, and how injecting scripts into an IE10 process could achieve the same effect.
He also showed how it was possible to edit game data files to change the price of in-game items, and how to remove ads from within games by editing XAML files. Finally, he showed ways to convert trial to full versions for free.
To be fair to Angel, he also suggested fixes for these weaknesses. In the case of tricking games into thinking in-app items have been purchased, Angel suggested Microsoft could offer a secure location that developers could use for storage. He also suggested that XAML files should be tamper-proof, and that the IE10 process should be locked down to signed scripts only when not running on a development machine.
Finally, in the case of trial apps being converted to full versions, he suggests that Microsoft allows developers to have two versions of an app - one trial and one full - secured by the Win8 store purchasing system.
Microsoft’s initial response to the article was to point people inquiring about it to a Windows Dev Center article, “Protecting your Windows Store app from unauthorized use”.
That article gives some information on methods that might help, but it largely comes down to “this doesn’t happen with Windows RT” and “store sensitive details on your own server rather than in the app”. Both statements are true, but they don’t actually solve the problem for most apps.
Now a new post on the Windows 8 app blog gives more detailed advice, though it still misses the points raised by Angel. The first tip is to compile your apps with Visual Studio 2012, which Microsoft says has better security tools to help protect apps from a range of common attacks. This may be true, but telling developers to change development environment to overcome security problems not of their making is a bit rich! Not to mention the fact that most Windows 8 programmers are already using Visual Studio 2012.
The other tips are rather more practical, but some are still at the ‘don’t run with scissors’ level. For example, ‘don’t trust remote data’ and ‘run your app with the lowest level of privileges’ are hardly worthy of a newsflash.