
Windows Phone 7 Marketplace Hack Demonstrated

broggyr writes "Seems it didn't take long to hack the Windows Phone 7 marketplace. Quoting WPCentral: 'For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns ... Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released ... It is important to note that this was all done within six hours by one developer.'"
  • by Frosty Piss ( 770223 ) * on Friday December 31, 2010 @02:30PM (#34723752)

    Neither the app nor the methodology is public, and it will NOT be released

    Until / unless sufficient cash has been offered to the developer...

    • by v1 ( 525388 )

      If one dev could do all that in half a day, it'll take less skilled hackers a few days to develop the same thing, with them now knowing that it's not only possible, but easy to do.

      I give it less than a week before we see a kit or three floating around on the various torrent sites.

    • Neither the app nor the methodology is public, and it will NOT be released

      Until / unless sufficient cash has been offered to the developer...

      Apparently, this weakness was pointed out months ago (according to comments in TFA). The black hats probably all have it if they want it, so the associated monetary value for such an exploit is probably low and falling.

      • by fuzzyfuzzyfungus ( 1223518 ) on Friday December 31, 2010 @04:43PM (#34724688) Journal
        For piracy-related weaknesses, I suspect that the monetary value will never be all that high.

        To go by the PC experience, there are basically two motives behind cracking DRM on programs: You have the warez scene guys, who do it for the interest and the bragging rights, and tend to produce working (but in no way intended to look uncracked, particularly in areas like the installer, which will often be coated in the livery and distinctive symbols of the group that cracked it) releases that quickly get torrented around and make nobody any money worth noting. Second, you have the more professional set who (sometimes independently, sometimes piggybacking on the efforts of the first group) produce functioning cracked versions, intended to look as legitimate as possible (no flaming skull ascii art in the documentation...), mostly of expensive professional programs, for sale to the unsuspecting or unsophisticated as suspiciously cheap, but hardly free, "OEM" software.

        Unless Windows Phone substantially differs from the iPhone or Android, and actually features a lot of available expensive pro stuff, the second group will be largely unmotivated (also, since MS controls the official market, it will be very difficult to fool n00bs into thinking that your cracked copy is a "real" version, even if sideloading is trivial). The first group might spring up, if the Windows Phone market becomes large enough to provide a pool of interested hackers; but (perversely) the sheer ease of cracking, at the present time, will likely bore them. Somebody will probably release a sideloader utility, at some point; but an active warez scene like that of the PC seems less likely, and an active "fake legitimate" scene seems less likely still.
    • or until they remove OtherOS
  • by Rik Sweeney ( 471717 ) on Friday December 31, 2010 @02:31PM (#34723770) Homepage

    Neither the app nor the methodology is public, and it will NOT be released

    Kind of selfish, why should the only other owner of a Windows Phone 7 have to pay for their apps?

    • by grcumb ( 781340 )

      Neither the app nor the methodology is public, and it will NOT be released

      Kind of selfish, why should the only other owner of a Windows Phone 7 have to pay for their apps?

      Okay, I chuckled, but there's an interesting point here:

      This is a good opportunity to validate the argument that Windows' popularity is what makes it so prone to attack. Given that Windows Phone 7 is a minor player in the mobile market, it should be exploited significantly less[*] than Android and IOS, for example. Let's keep an eye on this and see whether that hypothesis is borne out....

      --------------
      [*] For the sake of this experiment, let's postulate that 'less' means a smaller number of exploits overal

    • Neither the app nor the methodology is public, and it will NOT be released

      And on the seventh hour, the Developer rested.

  • * Microsoft Kin
    * iPhone antenna
    * Windows Phone 7

    Anything else we should add to the list?

    • Comment removed based on user account deletion
    • * Android 2.2 update bricking nearly all of the Bell branded Samsung Galaxies S that installed it.
    • Not a disaster. Just decent hacks.

      Like the PS3 pseudorandom number. Like rooting various iStuff, or Android. You lock, we unlock. Simple as that.

      Next?

    • VirginMobile eliminating the $15 "text all you want" plan.

      Not exactly a disaster, but now customers must upgrade to the next tier & pay almost twice as much to get the same "unlimited texts" benefit. I don't buy Virgin's excuse that they were losing money on the $15 Texting plan. Texts cost practically nothing.

      • And the heat, water, and electricity must be "free" in your building.

        2000 messages/month of "practically nothing" adds up, and I'm getting plenty of months like that when some "consultant" misconfigures my old, documented, robust alert system and just goes ahead and "turns on everything, to debug". Then every single one of dozens or hundreds or even thousands of systems starts sending distinct alerts, because they've sidetracked my very careful hierarchy of "if this alert happens, it means the VPN is down:

        • Yes TEXTING does cost practically nothing. "When phones are on and waiting for a phone call or any type of data retrieval, they are ALWAYS connected to the cell phone tower. The phones and cell phone towers exchange little packets worth of information back and forth so whenever a call comes in, they can find you straight away. Can anyone guess how big the packets are that are sent between cell and tower? If you guess 160 characters, you are right." In other words they are charging for a service that s

          • Because nothing else in the world is priced according to the value the buyer places on it instead of according to the cost of production.

            Nothing!

            • Which has nothing to do with my original point:
                - VirginMobile claimed to be losing money on the $15 unlimited texting plan, so they eliminated it. But if texting costs nothing, then Virgin lost nothing. They were lying.

              • I wasn't replying to your original point.

                But. Opportunity cost. Account management overhead. Support costs. Network capacity. etc.

          • Should be free? Because SMSCs cost nothing to implement and run, amirite? And the storage for the text messages is free amirite? Definitely the backhaul getting the text messages from point A to point B for transmission is free.

            Text messages aren't free just because you say so. There's a very real cost associated, and one that someone has to pay for (like, I don't know, the customer). Whether the text message costs too much, well that's a different story. Considering I can flick 5000 text messages fo

            • When you send a text message, it first goes to your friendly neighbourhood SMSC. The SMSC then polls the home location register (pre-existing infrastructure) for the location of the recipient's phone. When it gets a valid response, it sends it to the address given by the HLR and forgets all about it. Then Verizon charges you over $14/MB for bandwidth. If you had smart phones with an app that made 300 baud modem noises, it would be a 4 second phone call.
              • Wait, are you telling me your network provider doesn't even bother re-delivering until the receiving phone ACKs it?

                What sort of braindead implementation do you guys use!

                Also, all of that equipment is still not free like commodore64_love claims. So there is a real cost involved. Especially when you consider the cost of the billing systems I explicitly didn't mention in my initial post.

    • This Android bug [engadget.com] seems pretty dour.

      From the comments it seems like not everyone has this happen, but something to beware of!

  • Or calls? We used to call this phreaking but I guess it's gone out of style.

    • by jo_ham ( 604554 )

      Re: sig

      The avalanche has already started, it is too late for the pebbles to mod, err vote.

    • Much less likely. Enforcing restrictions on the hardware itself (no tethering, only the carrier's shit-tastic navigation application gets access to the GPS hardware, that sort of thing) is common enough; but that doesn't change the fact that the carrier ultimately controls the network, and the network is substantially more sophisticated than it was back when people were Captain Crunching their way past payphones... (also, unlike payphones, most users are now tied to a unique SIM, or CDMA equivalent, rather th
  • What's the over/under on how long till there's an exploit in the wild? A day?

  • It's OK (Score:1, Interesting)

    by sideslash ( 1865434 )
    I have two WP7 apps in the Marketplace, and I don't see this as a disaster, for several reasons: (1) I think it will help Windows Phones get a reputation as a homebrew-capable platform, which will help it build street cred; (2) Microsoft will certainly respond to each of these hacks with counter-measures (and actually the author of this very hack suggested a technique to frustrate it); (3) if people are ripping off my apps, that must mean they really want them -- and it's a fair assumption that most people
    • (1) I think it will help Windows Phones get a reputation as a homebrew-capable platform, which will help it build street cred; (2) Microsoft will certainly respond to each of these hacks with counter-measures

      Neither have been true of the iPhone, even though it's been jailbroken even before there were apps...

      (3) if people are ripping off my apps, that must mean they really want them

      That's the way I've always felt about piracy. I don't think it represents many lost sales, if any, and in a way it can be good p

      • by vux984 ( 928602 )

        That's the way I've always felt about piracy. I don't think it represents many lost sales, if any, and in a way it can be good publicity... although I have to say you underestimate the number of pirates that simply hoard stuff instead of collecting just apps they want. But again, that's not a lost sale either....

        I'd mod you up if I could. There is definitely a class of "pirates" that are more like collectors than anything else... they just want to -have- it, not to -use- it. If it has a high retail price al

    • The idea that most consumers want homebrew applications for any system is laughable. Yes there are people that want that but they're mainly developers and other tech people that take interest in that sort of thing. Everyone else just wants to steal software.

      Take for instance systems that have been around awhile. The GBA only has 50 homebrew titles (maybe a few more that aren't on gbadev.org even if it is one of the main sites) Something newer like the Nintendo DS has approx 120 titles.

      Compare that to
      • I think companies would turn a blind eye if the vast majority of people used these hacks for homebrew only because it sells more hardware and can lead to more software sales.

        Not necessarily. Homebrew competes with legitimate sales of commercial games that use the same rules. Nintendo might argue for every copy of Lockjaw DS [pineight.com] that gets downloaded and installed on an R4, it can't sell a copy of Tetris DS. Or Sony: for every copy of gpSP [wikipedia.org] running Gleam [racketboy.com] or Luminesweeper [pineight.com], it can't sell a copy of Lumines or Lumines II.

        • I think homebrew will always be a niche though. Think about it: Lockjaw is arguably taking sales now but they don't shut down homebrew sites.

          They do go after some of the tools (like R4) because it allows people to pirate games. I think most people just gravitate towards more popular things. Pop music is generally rubbish but sells well. Lockjaw may very well be a better version of Tetris but doesn't have the name and isn't as flashy and will lack any connection to the leader boards at nintendowifi.com.

          I
          • by tepples ( 727027 )

            Lockjaw may very well be a better version of Tetris but doesn't have the name and isn't as flashy and will lack any connection to the leader boards at nintendowifi.com.

            If the homebrew dswifi library were more mature when Lockjaw was being developed, then it probably would have had its own (parallel) leaderboard. It did have a few high score threads on tetrisconcept.com though.

            I think if a single person was outputting something that was beating a whole team's effort they'd get hired straight away

            Really? Consider the story of Bob's Game [wikipedia.org]. And consider that some people can't be hired because they have family obligations in a state with no video game studios.

  • incorrect info (Score:4, Informative)

    by phantomfive ( 622387 ) on Friday December 31, 2010 @03:11PM (#34724122) Journal
    It's not that hard. There are several ways to do it (as are documented here [xda-developers.com]). It's not even a real crack, you need to have a developer account to even side-load the apps on the phone (you can use the chevron cert also, but if you do that, you need to be careful otherwise all the apps will be erased when you update). In that case you can only upload 10 apps max at a time.

    This is the second Slashdot article talking about a WP7 hack that wasn't really a hack. People are having trouble jailbreaking the thing, so we keep seeing articles about meaningless hacks as everyone wants to know when it is really jailbroken.
  • Would you really want your phone locked down so you can't get at it? What is the objection here?

  • It doesn't matter in my eyes; if people are going to want to crack the DRM, they will, if they don't want to steal, they won't. Hey, if I wanted to, I can probably look up how to pirate iPhone apps somewhere on the internet. Pretend these apps were music files or computer games for a second. We have always called for less invasive DRM on both fronts so that people who will to steal the software and files still will do it and people who want to pay and enjoy the product have no trouble doing so. People will

  • Does this mean that I can download any app from the marketplace and install it on my WP7 phone for free? What's an "unlocked" WP7 phone?
    • Does this mean that I can download any app from the marketplace and install it on my WP7 phone for free? What's an "unlocked" WP7 phone?

      It means you can go to places like mobiles24 com and install one of the MANY apps that they have archived from developers (free mostly) like we could previously with WM 6.5 and earlier.

    • by bami ( 1376931 )

      Unlocked means that the phone has been registered to a developer account at the marketplace (and can run unsigned applications).
      So you either have a dev account (tied directly to your name/credit card), or you have jailbroken the phone with chevron WP7 (which requires a cert from their site which has been removed at the request of Microsoft).
