Microsoft faults developers for cracked Windows Store apps

Microsoft says a crack which allows hackers to download paid-for Windows Store apps without spending a dime is the fault of insecure app code and not a Windows Store issue. Redmond is essentially placing the onus of protecting apps against this particular type of exploit is on developers.

In October, intrepid codesmiths discovered a way to transmogrify trial apps into their full-fledged, paid-for counterparts. The crack, which is also open source, exploits in-app purchase mechanics – which rely on local Windows system files – to unlock the full version of many trial apps. 

Any successful software distribution channel faces the challenge of being targeted by people wishing to circumvent the system for ill-gotten gains and we're committed to ongoing protection of both customer and developer interests. Just as they have with other platforms, hackers are proposing ways to compromise the integrity of apps, which can have lots of negative consequences to the system and the customer experience.

Source: engadget.com, Microsoft spokesperson

Incidentally, other app markets have suffered from similar issues, like Apple's Mac App Store and its iOS counterpart.

Just yesterday, we mentioned a Nokia engineer who who talked about the inherent issues responsible for piracy on the Windows Store. The crux of the matter, according to Justin Angel, is that the Windows Store allows important app data to be stored locally on the device instead of securely hosted on a remote server. Any locally stored data can easily be accessed and modified, making app hacking and cracking an always-possible affair.

When Apple suffered its own similar issues, it gave this advice to developers: follow the App Store's recommended security guidelines. Unsurprisingly, this is precisely the same recommendation prescribed by Microsoft, who thoroughly details this issue on its MSDN blog. According to the software maker, developers who make use of digital receipt verification and secure otherwise sensitive content on a remote server instead of locally inside the app, shouldn't be susceptible to these kinds of hacks.