Hacked/Patched XAP apps, bypass Windows Store RRS feed

  • Question

  • Hi, 

    About 1 month ago, I see my app (xap file) hacked and published in too many sites that distribute XAP for windows phone 8, if you download the XAP from windows store, you can unzip it's content, but When I download the xap from hacked sites, I can unzip and refactor the code! and the app bypass windows store then the user can use it without paying its price!

    When I started WP8 dev. I heard that WP7 can be hacked but WP8 cannot!, 

    Its too frustrating, is WP8 hacked now?

    Sunday, February 2, 2014 11:45 AM

All replies

  • You can not unzip XAPs from store unless some force hack is used.

    I am not aware of any way this might be possible, unless you shared your unsigned XAPs (aka, before sending them to marketplace) before hand somewhere.

    Sunday, February 2, 2014 10:27 PM
  • A search for "xap wp8" reveals a multitude of sites offering .xap files that can readily be decompiled and analyzed or deployed to any dev-unlocked phone. It takes less than an hour to unlock a samsung ativ s and get access to the .xap, which is why there are so many sites online.

    So, yes, absolutely, WP8 apps can be hacked with very little effort.

    • Proposed as answer by NoKiPu Friday, June 27, 2014 12:12 PM
    Sunday, February 2, 2014 11:56 PM
  • You are both wrong. On so many levels.

    Even if someone were to have access to the file system, you still can;t do squat with the XAP, because:

    1)Once the XAP is installed on a phone, the XAP is "gone". Any XAP downloaded from the marketplace is compiled to its native image (no MSIL!) thus it is nigh impossible to get the source code back at this point.

    2)"signed" XAPs from the marketplace can not be "unsigned" without knowing the microsoft certificate key (well technically, it is possible, but it is a time consuming process to break the encryption through brute force...maybe they asked the NSA to do it?!).

    3)Even if someone were to unsign your XAP, they can't do squat with your source code because of 1.

    4)You can not sideload (aka use the dev tools to install) a signed XAP.

    You did something at some point which compromised your source code, if you somehow find your app there.

    Also, a lot of developers create nice apps and willingly make them available outside the marketplace, to avoid the API restrictions MS placed in the SDK.

    • Edited by mcosmin Monday, February 3, 2014 10:01 AM
    Monday, February 3, 2014 9:53 AM
  • Many thanks for your reply, 

    I agree with wp8develpder, and I think the other replies are wrong, 

    Please check the site: http://games-wpd.com/



    there are thousands of XAP, all WP8 developer code is compromised now?,  I don't agree with you, I think WP8 is hacked now.

    I didn't share my code with anyone, and I never distributed the XAP, I think we are missing something here.


    • Edited by MetroAir Wednesday, February 19, 2014 7:05 PM added reference
    Monday, February 3, 2014 11:27 AM
  • Was your game XNA?


    Monday, February 3, 2014 4:34 PM
  • No, it is not a game, it is an app, but published on that hacking site.
    Monday, February 3, 2014 4:41 PM
  • What wp8developer says seems possible. If you can root/jailbreak a phone, you have access to the entire filesystem. You can then retrieve the files of a (legitimately installed) app and create a new xap.
    Monday, February 3, 2014 5:22 PM
  • That's just crap. We all wish it was true but it's not. You dont know how distribution works, you don't know the purpose of MDIL (Hint: its not to make decompiling more difficult) but claim some weird stuff about spontaneous combustion of xaps and NSA bullshit. You clearly don't know what's inside the .xap files, so please don't make silly assumptions.

    Samsung pretty badly messed up with their silly Diagnostics app, but it is not going to go away and atm it is extremely easy to access the .xaps and sideload/analyse them. I think MS should address this - there was a reason why the obfuscator was part of WP7. Also, AppStudio makes it way to easy to dev-unlock phones.

    For those who don't believe this, get yourself an ativ for a reality check. It's makes for a very unpleasant experience, unless you believe in open source I suppose.

    Monday, February 3, 2014 11:51 PM
  • I find that quote a bit odd, why does WP7 need obfuscator and WP8 doesn't or are you suggesting that MS rely on not been able to get files off the phone - something Samsung have dropped the ball on?


    • Edited by pkr2000 Tuesday, February 4, 2014 8:28 AM
    Tuesday, February 4, 2014 8:27 AM
  • an XAP contains binaries needed for the app to run.

    There is a difference between a signed XAP and an unsigned one.

    the unsigned XAP, which is originally produce by visual studio, still has its code in MSIL, and can be easily decompiled if it is not obfuscated.

    the signed xap, downloaded from the marketplace is all in native code. Unless someone is really good at disassmebing ARM assembly, there is no way you can get the source code back.

    I checked the website you were talking about.

    The XAPs stored there are mostly homebrewed. Most "cracked" XAPs are WP7 ones.

    Tuesday, February 4, 2014 9:32 AM
  • Dear mcosmin, 

    You said Most cracked XAPs are WP7, Most != All, which means, there is a lot of WP8 cracked, please check again.

    Again, I didn't share my code nor unsigned XAP with anyone, I just published my XAP to Windows Store, and now I can find my XAP (and other developers XAP) distributed for free on too many sites.


    Tuesday, February 4, 2014 11:32 AM
  • "Most" does not imply the other Wp8 are cracked. However, your experience is your experience. If you are convinced you have written a native wp8 app (as apposed to wp7 app running on wp8) and you have not shared it by any other means then you should contact Microsoft directly. Sharing here is good, but if you are convinced of the paper trail of your app then you need to escalate it directly. It may not be that ATIVS 'hack' exposes apps, it could be the people intercepting the app before marketplace, people working on marketplace, a leak in the marketplace, etc, etc. This forum is probably not the best place to get something like this examined. Contact them.


    Tuesday, February 4, 2014 12:12 PM
  • Dear pkr2000, 

    Please visit this link regarding the Samsung issue:

    Samsung ATIV S Hack

    Many thanks


    Wednesday, February 19, 2014 7:03 PM
  • Dear mcosmin, 

    Please visit this link:


    Again, I didn't share my unsigned XAPs with anyone.



    Wednesday, February 19, 2014 7:04 PM
  • Point 1: Repackaged - they've side-loaded a protected XAP without downloading from the store - ooooh

    Point 2: If you have an issue, 'then you should contact Microsoft directly.'


    Wednesday, February 19, 2014 8:08 PM
  • There is always smartest more than smart, so cant blame anyone,
    Sunday, August 17, 2014 5:30 AM