Keeping Windows 8 Apps safe
Written by Kay Ewbank   
Thursday, 20 December 2012

Microsoft has posted more advice on how to prevent your Windows 8 Modern UI apps from being hacked, though you might feel the information isn’t that helpful.

Microsoft posted the advice following last week’s article that claimed Windows 8 Modern UI apps can easily be hacked to turn trial versions into full versions without paying. The article was posted on the personal website of a Nokia employee called Justin Angel, who used to work for Microsoft and is a well-known developer.


The website later disappeared, but the original article gave details of five weaknesses in the Windows Store app model. Angel gave examples of how users could modify IsoStore to compromise purchases within apps, and how injecting scripts into an IE10 process could achieve the same effect.

He also showed how it was possible to edit game data files to change the price of in-game items, and how to remove ads from within games by editing XAML files. Finally, he showed ways to convert trial to full versions for free.

To be fair to Angel, he also suggested fixes for these weaknesses. In the case of tricking games into thinking in-app items have been purchased, Angel suggested Microsoft could offer a secure location that developers could use for storage. He put forward the suggestion that XAML files should be tamper-proof, and that the IE10 process should be locked down for signed scripts only when not on a development machine.

 


 

Finally, in the case of trial apps being converted to full versions, he suggested that Microsoft allow developers to have two versions of an app - one trial and one full - secured by the Win8 store purchasing system.

Microsoft’s initial response to the article was to point people inquiring about the article to a Windows Dev Center article on protecting Windows Store apps from unauthorized use: Protecting your Windows Store app from unauthorized use

The article gives some info on methods that might help, but this largely comes down to “this doesn’t happen with Windows RT”, and “store sensitive details on your own server rather than in the app”. Both statements are true, but don’t actually solve the problem for most apps.

Now a new post on the Windows 8 app blog gives more detailed advice, though it still misses the points raised by Angel. The first tip is that you compile your apps with Visual Studio 2012, which Microsoft says has better security tools that help to protect apps from a range of common attacks. This may be true, but telling developers to change development environment to overcome security problems not of their making is a bit rich! Not to mention the fact that most Windows 8 programmers are already using Visual Studio 2012.

The other tips are rather more practical, but some are still at the ‘don’t run with scissors’ level. For example, ‘don’t trust remote data’ and ‘run your app with the lowest level of privileges’ are hardly worthy of a newsflash.

 


Security best practices for building Windows Store apps




Last Updated ( Thursday, 20 December 2012 )