Prevent an app from being debugged? RRS feed

  • Question

  • Hi all,

    is there a way to prevent an app from being debugged when installed from the store? It seems that our app was hacked using a debugger.

    Are there any guidelines to write non-hackable apps?

    We are using in-app purchases and store the current game state in a local settings file (which is encrypted).



    Monday, December 16, 2013 11:08 PM


All replies

  • No you cannot. Your code runs in a lower integrity level than a debugger. If you want to secure the game state, put it on a server.

    Visual C++ MVP

    • Proposed as answer by Anne Jing Tuesday, December 17, 2013 1:30 AM
    Monday, December 16, 2013 11:45 PM
  • That does not help. You can use the debugger to manipulate the data sent/received to/from the server.

    How do other developers solve this problem?

    e.g. when I do an in-app purchase, you can easily step into the correct code branch, to simulate a successful order.

    Any ideas?

    Tuesday, December 17, 2013 6:43 PM
  • There is no way to block this completely. You can pinvoke IsDebuggerPresent to limit activity when a native debugger is attached, but somebody with a debugger could override that.

    As Sheng says, the only way to fully protect your data is to keep it on the server. For the in-app purchase case you can pass the signed receipt to the server so the server can confirm that the purchase was valid. See Validating receipts .


    Tuesday, December 17, 2013 7:59 PM
  • I'm not happy with this answer. Yes, I can put the game state on the server, but when the user uses a Debugger, it is easy to fake the data in the game or the answer from the server.

    I think Microsoft should protect all Store apps from being debugged. This is a big security problem for us.

    How do other developers solve this problem?


    Wednesday, December 18, 2013 8:41 PM
  • Whatever check you put in your code can be removed even before your code runs (see DRM and the game industry on Wikipedia). You can't really do anything to the user's machine when your code is not running. See another discussion about this at http://social.msdn.microsoft.com/forums/windowsapps/en-US/7ae29f15-331b-4fa0-a26e-5ef1a3278b68/securing-windows-8-trial-apps-in-app-purchases.

    Visual C++ MVP

    • Marked as answer by Anne Jing Thursday, December 26, 2013 2:11 AM
    Wednesday, December 18, 2013 9:09 PM