Prevent an app from being debugged?

Question
-
Hi all,
Is there a way to prevent an app from being debugged when installed from the store? It seems that our app was hacked using a debugger.
Are there any guidelines to write non-hackable apps?
We are using in-app purchases and store the current game state in a local settings file (which is encrypted).
Thanks
Jürgen
Monday, December 16, 2013 11:08 PM
All replies
-
No you cannot. Your code runs in a lower integrity level than a debugger. If you want to secure the game state, put it on a server.
Visual C++ MVP
- Proposed as answer by Anne Jing Tuesday, December 17, 2013 1:30 AM
Monday, December 16, 2013 11:45 PM -
That does not help. You can use the debugger to manipulate the data sent/received to/from the server.
How do other developers solve this problem?
E.g. when I do an in-app purchase, you can easily step into the correct code branch to simulate a successful order.
Any ideas?
- Edited by Big 3 Software Tuesday, December 17, 2013 6:45 PM
Tuesday, December 17, 2013 6:43 PM -
There is no way to block this completely. You can pinvoke IsDebuggerPresent to limit activity when a native debugger is attached, but somebody with a debugger could override that.
As Sheng says, the only way to fully protect your data is to keep it on the server. For the in-app purchase case you can pass the signed receipt to the server so the server can confirm that the purchase was valid. See Validating receipts.
--Rob
- Marked as answer by Rob Caplan [MSFT] (Microsoft employee, Moderator) Thursday, December 26, 2013 9:49 PM
Tuesday, December 17, 2013 7:59 PM (Moderator) -
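The server-side receipt check suggested in the answer above, as an added example that is not part of the original thread or Microsoft's sample code. It assumes the receipt is an XML document carrying an enveloped XML-DSig signature and `ProductReceipt` elements with a `ProductId` attribute; the demo receipt and the throwaway RSA key standing in for the store's signing key are constructed. It needs the `System.Security.Cryptography.Xml` types (the `System.Security` assembly on .NET Framework).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class ReceiptCheck
{
    // Runs on the server. True only if the signature verifies with the store's
    // public key, covers the whole document, and the receipt names the product.
    public static bool IsValidPurchase(string receiptXml, AsymmetricAlgorithm storeKey, string productId)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // whitespace is part of the signed bytes
        try { doc.LoadXml(receiptXml); } catch (XmlException) { return false; }
        var sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;                       // unsigned or ambiguous receipt
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sigs[0]);
        if (!signed.CheckSignature(storeKey)) return false;      // content changed or wrong signer

        // Reject a signature that covers only a fragment of the document.
        var refs = signed.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != "") return false;

        // Assumed receipt layout: <ProductReceipt ProductId="..."/> per purchased item.
        foreach (XmlElement p in doc.GetElementsByTagName("ProductReceipt"))
            if (p.GetAttribute("ProductId") == productId) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed demo: sign a sample receipt with a throwaway key, then verify it.
        using (var rsa = RSA.Create())
        {
            var doc = new XmlDocument { PreserveWhitespace = true };
            doc.LoadXml("<Receipt><ProductReceipt ProductId=\"Product1\" ProductType=\"Durable\"/></Receipt>");
            var signer = new SignedXml(doc) { SigningKey = rsa };
            var reference = new Reference { Uri = "" };          // "" = the whole document
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signer.AddReference(reference);
            signer.ComputeSignature();
            doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));
            string receipt = doc.OuterXml;
            Console.WriteLine(IsValidPurchase(receipt, rsa, "Product1"));                                  // genuine receipt
            Console.WriteLine(IsValidPurchase(receipt.Replace("Product1", "Product2"), rsa, "Product2")); // edited on the client
            Console.WriteLine(IsValidPurchase("<Receipt><ProductReceipt ProductId=\"Product1\"/></Receipt>", rsa, "Product1")); // signature stripped
        }
    }
}
```

The check only protects what the server itself hands out after it passes; a result the client merely displays or stores locally is still under the user's control.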
I'm not happy with this answer. Yes, I can put the game state on the server, but when the user uses a debugger, it is easy to fake the data in the game or the answer from the server.
I think Microsoft should protect all Store apps from being debugged. This is a big security problem for us.
How do other developers solve this problem?
Jürgen
Wednesday, December 18, 2013 8:41 PM -
Whatever check you put in your code can be removed even before your code runs (see DRM and the game industry on Wikipedia). You can't really do anything to the user's machine when your code is not running. See another discussion about this at http://social.msdn.microsoft.com/forums/windowsapps/en-US/7ae29f15-331b-4fa0-a26e-5ef1a3278b68/securing-windows-8-trial-apps-in-app-purchases.
Visual C++ MVP
- Marked as answer by Anne Jing Thursday, December 26, 2013 2:11 AM
Wednesday, December 18, 2013 9:09 PM