[UPDATE: I added comments by WP7 programmer, Andy Wigley; and added a mention in paragraph #1 that this applies only to unlocked WP7 devices. -- JC]

A software developer has created a demonstration program that effortlessly, and without payment, downloads and installs any Windows Phone 7 app from Microsoft’s Windows Phone Marketplace to an unlocked WP7 handset. At present, that’s a relatively small number of devices, each of them, at least in theory, associated with a registered developer.

The program, dubbed FreeMarketplace, was disclosed by WPCentral.com, after its unnamed creator contacted editor Dan Rubino, who labels it a “proof of concept” application. The piracy app was created in about six hours by its lone author, according to Rubino. The original post includes a video showing the program in action.

At least some experienced developers say they’re not worried by what they assess as a limited threat.

“As an app developer, I’m sleeping easily!” says Andy Wigley, a Windows Phone 7 Development MVP, and co-founder of APPA Mundi, Ltd, a U.K.-based development shop. “There will always be exploits, but I’m not concerned about a few copies of my apps getting onto a few phones for free. I would be more concerned about my IP [intellectual property] being stolen by [means of] the app being decompiled in a tool such as Reflector….”

FreeMarketplace will not be publicly released, nor will any details of how it actually works. Rubino says that Microsoft has been contacted about the program, and about the specific security holes it exploits to bypass Marketplace’s Digital Rights Management protections. So far, there has been no comment by Microsoft.

In the video, Rubino types a search term (“movies”) into one field of the barebones FreeMarketplace UI. The program downloads a list of Marketplace apps that match it. For the demo, Rubino selects the free Fandango movie app, and decides whether to save it to a hard disk or deploy it directly to an unlocked Windows Phone handset.

The program downloads the Fandango XAP (pronounced “zap”) package, essentially a zip file with XML files and an XML manifest for installation. This specific step is not new: it makes use of a known characteristic of Microsoft’s current download infrastructure — the ability to download a XAP file directly from Microsoft’s online servers, bypassing the Zune marketplace.

Nor are the security issues associated with this step new (see “How secure is Windows Phone 7 app code?”): well-known tools, such as Reflector, as mentioned by Andy Wigley, can be used to break into the XAP and lay bare its contents, including data or intellectual property that the developer might want to keep secret.

What is new in FreeMarketplace, noted by Peter Bright at Ars Technica, is that the program modifies the package in some way so that it can be deployed and run on the phone. The piracy app apparently was inspired by a “whitepaper” that appeared earlier, and very briefly, this week at the XDA-developers forum. That post described one way to modify the XAP so it could be deployed and run on the phone. Rubino covered the details in an earlier WPCentral post.

Currently, only a relatively small number of Windows Phone devices are unlocked, officially available only to registered developers. “To get an unlocked phone, you [as a developer] have to pay Microsoft $99, unless you’re a student in the Dreamspark program,” says Wigley. “Even then, the marketplace for unlocked XAPs has to be publicized amongst users, which is a challenge in itself.”

That’s because, he says, plenty of “law-abiding WP7 users” refuse to unlock their phone and, second, “would feel uncomfortable getting apps from an unregulated source, for fear that the apps might have Trojans incorporated.”

Earlier this week, Windows Phone Marketplace surpassed 5,000 apps, according to one unofficial tally. Piracy of paid apps directly threatens the livelihood of developers who create and sell them. It’s been a serious issue for the Android community, and Google has been expanding its efforts to combat it.

 
