


Hack: Windows Phone Marketplace App-Security Cracked [Video]

Dec 30, 2010 · 3 mins
Data and Information Security, Enterprise Applications, Microsoft

A "white hat" developer created a proof-of-concept hack that downloads any or all of the 5k apps from the Windows Phone 7 Marketplace, strips their security, and then deploys them to a phone.


The Windows Phone 7 Marketplace is growing at a faster rate than any other app store to date, having over 5,250 apps available for Windows Phone 7 according to the Marketplace Browser. And now a “white hat developer” has cracked the Windows Phone Marketplace app security which could eventually make all 5,256 apps available to users. It took one hacker only six hours to crack.

According to WPCentral, the hacker provided “a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released (please don’t ask).”

Here is the video of the “FreeMarketplace” application in action.

Whether you are cheering or preparing to throw stones, know that WPCentral disagrees with those who condemn them for “promoting piracy.” They say developers have been complaining “about this weakness for months and it is their right to know about the flaws in the system.” Additionally, before they published this FreeMarketplace proof of concept, “WPCentral contacted Microsoft’s Brandon Watson directly about the breach and we are cooperating with Microsoft in any way we can.”

Although the white hat hack is not released, it will be interesting to see how Microsoft reacts over this holiday period. If it took but a few hours to crack Windows Phone Marketplace app security, that raises serious security questions. As Microsoft is fully aware, its Marketplace stores more than apps; it also holds data such as the financial information and details of the app developers.

Almost immediately after Microsoft released Windows Phone 7, Rafael Rivera, Long Zheng and Chris Walsh went public with the first jailbreaking tool, ChevronWP7, for the phone. Within a few hours, they were under fire from Microsoft and developers. MobileTechWorld’s Makran Daou accused the Windows Phone hackers of giving birth to “piracy heaven.”

The arguments of right or wrong will surely fly, but like it or not, Microsoft seems to move a bit faster to close vulnerabilities once they are publicly disclosed. Many within the security and developer fields have said that Microsoft is informed again and again about the same flaws and can know about them for months, yet either does not acknowledge the problem or does not act with any urgency to fix the issues. Earlier this year, some security researchers came together to form MSRC: the Microsoft-Spurned Researcher Collective. There were hostile reactions on both sides when MSRC fully disclosed Windows vulnerability information.

For now, the Windows Phone 7 crack is a proof of concept and not out in the wild. The developer says it will not be released to the public. We’ll see if someone steals the hack and releases that crack. The whitepaper is described on Neowin. Microsoft has had a heck of a week, topping 5k in the app Marketplace while also being embraced to the point of a new crack. Does that equal definite success for the new Windows Phone?


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.