


Windows Phone Store weakness makes exclusive apps accessible to all, we explain how

Earlier today, we reported on a Windows Phone Store weakness allowing savvy users to download Nokia-exclusive applications onto non-Nokia hardware (well, try to at least, as often those apps are API dependent). But we did a little more digging and discovered the weakness doesn't just cover Nokia apps. You can manipulate the Store into providing any device or operator-exclusive app for your device.

The root cause appears to lie in the fact that the Store makes app metadata and availability decisions based on URL query parameters that are sent via HTTP and can easily be tampered with. For instance, when viewing Samsung's exclusive RSS Times app on a Nokia device, your Windows Phone makes a request similar to the one below:

GET /v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=234879123&dm=RM-820_nam_canada_246&oemId=NOKIA&moId=TRF-US&cf=99-1 HTTP/1.1

Upon receipt of this request, the Store responds with a bunch of XML-formatted data describing the requested app. One of the elements in the response – isAvailableInStore – controls the visibility of the Install button in the Store app. In this instance, because we told the Store we're using a Nokia-branded device (see the oemId parameter?), a Boolean false is returned. The Install button is disabled; we can't install the app.

But what if we replaced that oemId value with say, SAMSUNG?

Using the Fiddler Web Debugger and a simple AutoResponder rule, we successfully spoofed a Samsung Windows Phone and installed RSS Times with no problems.

It's not immediately clear how Microsoft will respond to this issue. We suspect Microsoft can remotely reconfigure Store app behavior, forcing communication through more secure means (e.g. HTTPS). But an increasingly chatty Store app on Windows Phone could impact Store performance and/or incur additional bandwidth costs on both ends of the pipe. We'll see.
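One server-side way to stop the availability decision from resting on editable query parameters, shown as an added example that is not from the original article and not Microsoft's implementation. The `sig` parameter, the provisioning key, the signed field list and the catalogue table are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-held key that signed the device claims at provisioning.
PROVISIONING_KEY = b"constructed-demo-key"
# Claims that drive availability decisions, so they must be integrity-protected.
SIGNED_FIELDS = ("hw", "dm", "oemId", "moId")
# Constructed catalogue: app id -> OEMs allowed to install (absent = everyone).
EXCLUSIVE_TO = {"e7fd6b61-a095-4b06-9fba-005cc9b09267": {"SAMSUNG"}}


def sign_claims(claims):
    """MAC over the claims in a fixed order; JSON avoids delimiter ambiguity."""
    msg = json.dumps([claims.get(k, "") for k in SIGNED_FIELDS]).encode()
    return hmac.new(PROVISIONING_KEY, msg, hashlib.sha256).hexdigest()


def verified_claims(request_target):
    """Return the query parameters if their MAC verifies, otherwise None."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        return None  # repeated parameters make the signed value ambiguous
    params = {k: v[0] for k, v in query.items()}
    supplied = params.get("sig", "").encode()
    if not hmac.compare_digest(supplied, sign_claims(params).encode()):
        return None  # a claim was altered after it was signed
    return params


def is_available_in_store(request_target):
    """Availability is decided only from claims that passed verification."""
    params = verified_claims(request_target)
    if params is None:
        return False
    app_id = urlsplit(request_target).path.rsplit("/", 1)[-1]
    allowed = EXCLUSIVE_TO.get(app_id)
    return allowed is None or params.get("oemId") in allowed


# Constructed request modelled on the article's, plus the hypothetical sig.
CLAIMS = {"hw": "234879123", "dm": "RM-820_nam_canada_246",
          "oemId": "NOKIA", "moId": "TRF-US"}
REQUEST = ("/v8/catalog/apps/e7fd6b61-a095-4b06-9fba-005cc9b09267"
           "?os=8.0.10211.0&cc=US&oc=&lang=en-US&hw=234879123"
           "&dm=RM-820_nam_canada_246&oemId=NOKIA&moId=TRF-US&cf=99-1"
           "&sig=" + sign_claims(CLAIMS))
```

The same verification has to gate the download or licence step as well, since isAvailableInStore only controls the Install button in the client.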

Stay tuned and we'll let you know what we hear from Microsoft.


Source: https://www.windowscentral.com/windows-phone-store-weakness-makes-exclusive-apps-accessible-all

Posted by: malcolmcoging.blogspot.com
