Securing Windows 8 trial apps / in-app purchases

  • Question

  • Is there any way to secure your trial app and in-app content from being unlocked without it being paid for? Or is this something that can only be done by the App Store provider?

    [Removed Link] (link has a space; also the hosting server may be down, need to look for a cached page)

    I am currently working on a game for the Windows 8 Marketplace that will have a trial and unlock ability; I also wish to have content packs that the users can buy. But after seeing just how easy it is for someone to gain access to that content, it is a little disconcerting. There are even script-kiddie tools out there to unlock apps.

    [Removed Link] (link has a space)

    The way this is heading, it looks like very soon it will be faster to download a program and click "crack" than it will be to put in credit card info and actually buy my program. This is something that needs to be addressed ASAP.

    Tuesday, December 11, 2012 6:43 PM

All replies

  • From the author of hacks: "storing encrypted data locally, alongside with the algorithm and the algorithm key/hash is a recipe for security incidents."

    Game save editors are nothing new. You don't even need to break the encryption of the game save: if the app stores the data in plain form in memory, like an int goldBalance, a memory scanning and editing tool is enough to change the gold balance. In online gaming this is an almost solved problem: you simply don't trust any local data, and you put all cheaters on the same server to reduce the reward of cheating. Things get tough if you want to run offline, as mandated by Microsoft for trial apps.

    You should always store purchase history online, as users expect the purchase to still be valid after moving to another device. Validating the purchase receipts is something the user expects after moving from another device (a user won't want to lose any DLC), and you can do it more frequently. You can make life tougher (e.g. no DLC, or DLC expires shortly) if the device is not online, but remember: don't put your business logic or important data in plain text or similar; at least add some obfuscation.

    There were more creative approaches to breaking into apps back when .Net and HTML apps were not invented yet and C++ was the king. We used software protection dongles, and the dongle's producer sent a good load of best practices on how to best protect the algorithm inside the dongle and protect the code in general, like placing traps to hang the disassembler (e.g. add an unused jmp to itself, or fake an if statement using cmp but leave one of the branches uncoded). And remember, that was back in the days when you had to know assembly code to break an app. Technologies change but the rule hasn't changed: our app got pirated eventually. There is no silver bullet to protect your code or data from probing, so if your app is attractive enough, yeah, it will be cracked.

    Visual C++ MVP

    Tuesday, December 11, 2012 10:27 PM
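The entitlement design the reply above recommends (purchase history kept online and keyed by account, short-lived grants so DLC expires if the device stays offline, and a signing key that never ships inside the app package), as an added Python sketch of the server side that is not code from the original thread or from any Microsoft API. The key, product names and timestamps are constructed for the example; a real service would sit behind an authenticated endpoint and accept the store's own receipt before calling record_purchase.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: it lives only on the server, never alongside the data in the app.
SERVER_KEY = b"constructed-demo-signing-key"

# Server-side purchase history, keyed by account (not device) so DLC follows the user.
PURCHASES = {}


def record_purchase(account_id, product_id):
    """Server: persist a purchase once the store receipt has been accepted."""
    PURCHASES.setdefault(account_id, set()).add(product_id)


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_grant(account_id, product_id, now, ttl=24 * 3600):
    """Server: return a short-lived signed grant, or None if nothing is on record.
    The short TTL is what makes DLC 'expire shortly' while the device is offline."""
    if product_id not in PURCHASES.get(account_id, ()):
        return None
    payload = json.dumps({"acct": account_id, "prod": product_id, "exp": now + ttl},
                         sort_keys=True).encode()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(_sign(payload)).decode()


def validate_grant(grant, now):
    """Server: check a grant the client presents; return its payload or None if it is
    malformed, tampered with, or expired. Signature check is constant-time."""
    try:
        payload_b64, sig_b64 = grant.split(".")
        payload = base64.b64decode(payload_b64)
        sig = base64.b64decode(sig_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return data
```

The client only caches the grant and its expiry to decide what to show while offline; as the reply notes, that local check can be patched out, so it is a grace policy rather than the place where the purchase is actually decided.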
  • Wednesday, December 19, 2012 2:48 AM