The principal engineer for Nokiaâ€™s WP7 and WP8 devices has demonstrated, in rather frank detail, how to pirate Windows 8 Metro apps, how to bypass in-app purchases, and how to remove in-game ads. These hacks arenâ€™t exactly easy, but more worryingly theyâ€™re not exactly hard either.
On his blog Justin Angel shows that turning a trial version of a Metro app into the full version â€” i.e. pirating an app â€” is scarily simple. Itâ€™s just a matter of downloading a free, open-source tool, and then using it to change a Metro appâ€™s XML attribute from â€œTrialâ€ to â€œFull.â€ Likewise, a quick change to a XAML file can remove an appâ€™s ads.
Ultimately, all of these hacks represent ways of getting stuff for free. This is obviously bad news for developers, who probably donâ€™t realize that by allowing trial downloads they are opening themselves up to piracy. In-app ads and purchases are massive revenue streams for developers, and yet we now see that itâ€™s very easy to circumvent both.
You can protect these files with encryption â€” and indeed, some of them are â€” but thatâ€™s no good if you have access to the code that performs the encryption. As Angel says, â€œWe have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those itâ€™s pretty simple to decrypt anything.â€ Angel notes that there are some security mechanisms in place that stopped him from directly editing app DLL and JS files, but, as we can see, that didnâ€™t stop him from pirating apps or bypassing in-app purchases.
Itâ€™s easy to blame Microsoft for this, but really this is an issue that is intrinsic to all installed applications. The fact is, Windows 8 Metro apps are stored on your hard drive â€” and this means that you have access to the code and data. In general, every installed application is vulnerable to these kinds of attacks. Hex editors, save game editors, bypassing Adobeâ€™s 30-day trials by replacing DLL files, pirating Windows 8 apps â€” these are all just different incarnations of the same attack vectors.