According to WPcentral:
Sounds like an innocent blog that reviews apps, right? Well, the concern from the Twitter posts is that not only does the site review apps but it also contains download links for the .xap file that is residing on Microsoft's servers.
Even if you download the .xap file, it's going to take some effort to get it installed to your Windows Phone 7.
You will need the developer tools and a device that is unlocked for development. While the developer tools are free, you have to be a registered developer to get an unlocked device. You CAN however download the .xap and rename it as a .zip and look at the structure of the app, though we're 99% sure that the real "code" of the app is compiled/encoded/encrypted.
Not many will be able to do much with this downloadable file. That is unless you're a developer looking to download free apps from other developers. Still, one has to wonder why it's so easy for a third party site to provide download links to Marketplace apps.
They are talking about the website: http://winmobile7.apphab.com/
Kind of a strange site. They are offering free downloads of paid marketplace applications. Unless you are a developer, you can't do anything with it. But it's still strange...
This sounds like a good way to get in a lot of trouble. I would bet Microsoft can see what apps are installed when the phone checks for marketplace app updates even if you side load it as a developer.
And it's still live and offering files to download. Shoddy MS security on display, extremely troubling for devs.
Hopefully Microsoft will look into that site and any similar sites.
We can't have developers losing money because of these people.
I can't see where you download apps - if it's real why not post a link on http://social.answers.microsoft.com/Forums/en-US/windowsphone7/threads ?
It says it's for free and trial versions. Isn't it pointless to provide download files anyway since you can only install apps via the Marketplace?
****, they have my app on there, not happy
my app does support trial, I'm not seeing anything about xap downloads, hopefully this means the breach has been fixed and not that I'm looking in the wrong place
I don't mind free publicity, but I put many hours into that and don't want it spread around in such a way (free, unauthorized downloads, raw code)
Definitely not cool for developers. One issue is that all the apps are silverlight and are only compiled to MSIL. Pop open the binaries with Reflector and you've basically got the source code. All devs should utilize Dotfuscator to at least help with this.
http://windowsteamblog.com/windows_...-with-preemptive-solutions-for-analytics.aspx
ckacey said:
my app does support trial, I'm not seeing anything about xap downloads, hopefully this means the breach has been fixed and not that I'm looking in the wrong place
I don't mind free publicity, but I put many hours into that and don't want it spread around in such a way (free, unauthorized downloads, raw code)
It looks like the site that had the links (http://winmobile7.apphab.com) took down the link to the XAPs but I bet the issue is still there. It was a pretty simple URL to the Microsoft server. You just had to know the application's GUID and you could download the XAP.
I don't see how this makes them free... you can easily see you need a registered dev device, I doubt it makes the app "free" because there is a fee you must pay.
efjay said:
And it's still live and offering files to download. Shoddy MS security on display, extremely troubling for devs.
Microsoft can check your device and see if you have pirated software on it, just like they do for XBox live. They already have the infrastructure in place and if you pirate be prepared to have your phone banned from Marketplace, Zune, XBox Live, etc.
RustyGrom said:
Definitely not cool for developers. One issue is that all the apps are silverlight and are only compiled to MSIL. Pop open the binaries with Reflector and you've basically got the source code. All devs should utilize Dotfuscator to at least help with this.
http://windowsteamblog.com/windows_...-with-preemptive-solutions-for-analytics.aspx
Any decent developer will obfuscate the code. If they didn't, they were kind of asking for it since it's not hard to intercept data being downloaded over WiFi, etc. The fact that it can only come from the market was never enough to stop people from getting their hands on the files downloaded from said market.
It's no different than any other platform that uses a VM architecture (Android, WP7, WM 6.x .NET CF, Java ME, etc.).
I found my own app there. I don't however see a download link?
--edit: Nvm, should've read the thread to its end.
What is the URL? To replace with GUID or XAP filename? Could always use archive.org.
Hi guys! I have a mega pack of xap installers with games and apps.
I posted for everyone previously.
Sorry for the bad English...
Regards
is a method to decrypt files xap
http://forum.xda-developers.com/showpost.php?p=34246750&postcount=3
Ok, this may sound a little stupid but please bear with me....
I'm a student, so I have a ".edu" email address which allowed me to sign up for a free dev account.
Although I'm on a Mac I'm downloading parallels desktop so I can get zune software.
From what I understood from reading these forums...I can use the dev tools and unlock my device with Zune?
Is this essentially the same as using Chevron unlocker?
I can't use Chevron Unlocker because I have an HTC Arrive that has the NoDo update already applied...but if I use the above methods, it would be the same...no?
Yes, as far as I am aware.
I am also a student in the uk with an .ac.uk email
I have signed up and my account is started being activated today, will let you know! I am on NoDo too
I also have a .edu account, so this means I can sign up as a developer and get the official unlock code? Would I actually have to do any developing for them to keep my account open?
I don't have NoDo yet but will want to unlock it once it's available (AT&T branded Focus).
This would be interesting because it says I can have up to 3 registered devices under my Dev Account.
I personally just created it so I could unlock my NoDo Arrive, but I might actually try at creating some apps...I wonder if it's really that hard
It's a little more complicated than it first seems, but nothing too hard.
Sign up through DreamSpark; that gets you your account.
To dev unlock the phone you use the Windows Phone tools that you get through DreamSpark, but it won't let you unlock it until you have activated your developer account through GeoTrust.
To do this on a student account you have to submit an application to Microsoft first. I just created a basic dice roller; there are guides on the internet for how to make this app. It only took me two hours to do using the guide, and 1 day after submitting the app to Microsoft I got an email from GeoTrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver's licence or passport and email/fax it to them; they then tell Microsoft all is good, and your account is activated.
But yeah, if you're a student, then it's definitely worth doing, because you will effectively be "jailbroken" but in a completely legit, Microsoft-are-happy way.
The major problem with an actual developer unlock, is there is a limit on the number of applications you can side-load at the same time - 3 for student accounts, 10 for individual/corporate accounts, if I remember correctly. Makes it difficult to use them for homebrew - I know I had more than 10 homebrew applications together.
loomx said:
It's a little more complicated than it first seems, but nothing too hard.
Sign up through DreamSpark; that gets you your account.
To dev unlock the phone you use the Windows Phone tools that you get through DreamSpark, but it won't let you unlock it until you have activated your developer account through GeoTrust.
To do this on a student account you have to submit an application to Microsoft first. I just created a basic dice roller; there are guides on the internet for how to make this app. It only took me two hours to do using the guide, and 1 day after submitting the app to Microsoft I got an email from GeoTrust asking me to validate my account.
To validate you need to fill in the form with a photocopy of your driver's licence or passport and email/fax it to them; they then tell Microsoft all is good, and your account is activated.
But yeah, if you're a student, then it's definitely worth doing, because you will effectively be "jailbroken" but in a completely legit, Microsoft-are-happy way.
So if we have a student developer account we have to create an app first? Exactly what guide did you use?
I have "ZERO" coding experience, even though I do dabble in web development...is it hard to do? I'm not asking someone to hold my hand, just point me in the general direction.
Isn't there a "hack" available on these forums that allows you to "sideload" more than the limits?
I mean essentially a person could use the free Dev Account to unlock their device, then use the registry hack (available on these forums) to allow more than the limit for sideloading....
...or am I missing something?
Yup, there is a hack somewhere. I might give it a go, but TBH, I'm happy to install the reg editor, do the edits and uninstall it, then do the same for ringtones and uninstall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools downloaded from DreamSpark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
loomx said:
Yup, there is a hack somewhere. I might give it a go, but TBH, I'm happy to install the reg editor, do the edits and uninstall it, then do the same for ringtones and uninstall it and so on, and just keep 3 that I really need.
After a bit of googling, it seems it might be even simpler...
You still need to have the Dev tools downloaded from DreamSpark, but someone posted that all you need to do is this...
Create a new project.
Build the project.
Look in the bin directory that was created.
Find the .xap.
Then submit that
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
I'm interested in this as well. I've just updated to NoDo.
I'm currently studying computer science at uni and tempted to do a WP7 app for my final year or in my spare time.
Developer Unlock is the same thing as what Chevron does.
For students that are interested, Microsoft provides the Dreamspark program where they give students access to free software, development tools and WP7 developer registration
ducylowycz said:
So even though it's a "shell" app (empty app) and it would get rejected by AppHub...all that really matters is that you submit something for GeoTrust to send you the verification email???
Exactly. That's all you need. Once you submit it you'll just get an email from "GeoTrust" (Hotmail marked it as spam), and then you'll be on your way.
If you live in a country where Marketplace isn't available yet it complicates things a bit.
Even if you get a student account tied to your Swedish Live account (like I did) you can't access the Marketplace. But you can still submit apps and get them published with that account!
The only solution here is to get a UK/USA live-account and then jailbreak your phone.
So when NoDo gets released I have to choose between running my own apps or run apps from the Marketplace.
The Live account on your phone doesn't have to match the Live account of your developer account, as far as I am aware.
My phone is now Dev unlocked and on NoDo.
If you install Advanced Config, it can make it so you can sideload as many apps as you want.
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
Ok...I have everything installed but when I "build" the app and submit it to Apphub, it just gives me an exception out of range error...
Any insight?
ducylowycz said:
Do you think there should be a tut for doing this?
I was thinking of creating one because, as of now, this is the only option to "unlock" our devices.
It's pretty simple - register your student email with dreamspark
submit an app (doesn't even have to work) to get geotrust to start the identity process
when you verify your identity wait 2 business days
You now have the option to have 3 devices that can be unlocked
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
My country is not in the list box; Singapore is the closest one. I'm from Indonesia. Any suggestions?
domineus said:
It's pretty simple - register your student email with dreamspark
submit an app (doesn't even have to work) to get geotrust to start the identity process
when you verify your identity wait 2 business days
You now have the option to have 3 devices that can be unlocked
For the respective device, go and edit the registry to increase the app loading limit to unlimited (student has I think 3) and you're done
Legit chevron. unlocked device for sideloading. I'll be getting my brother to do it for his phone as well as his school too! Although I can see an impending rape of this...
It's also pretty profitable...
I just spent 2 hours to figure out the tools and built a quote of the day app. Just submitted it. Will wait for Geotrust to contact me.
Well, although many might abuse it, it will expose students to the platform. MS has really good tools. I am not a computer major, but I managed to build an app in 2 hours. I am quite excited about my app... and I will definitely read more about the tools and try a few more things.
PS: now I need to buy a windows phone device :-D
As the title suggests... I have a student developer account with App Hub; can I still update my phone to the Mango preview version (released/releasing these few days)?
As far as I know, currently it's the "paid" developers that have access to the Mango preview update.
Let me know~ really hoping this works!!
I want to know too, please.
toothfish said:
As the title suggests... I have a student developer account with App Hub; can I still update my phone to the Mango preview version (released/releasing these few days)?
As far as I know, currently it's the "paid" developers that have access to the Mango preview update.
Let me know~ really hoping this works!!
Student App Hub accounts are identical to normal App Hub accounts.
Nope, they are not; they are similar but different.
I don't think the beta is coming as soon as they said.
https://twitter.com/#!/BrandonWatson/status/83158862823297025
Rats...... but thanks for the update~
The update is indeed for paid and registered mango beta testers. So you do not only have to have a paid account, but you also need to be registered for beta testing Mango.
Furthermore, if you are such a developer and you upgrade to Mango, be aware that there are new limitations to sideloading! Many homebrew tools and OEM tools won't be possible to sideload anymore.
When the moment is there that the update is available (not tomorrow), and you do decide to upgrade, I really want to ask everyone to capture the traffic during the update process with Wireshark. If we have as many captures as possible, we can possibly create our own updater, like Chris Walsh did with NoDo. But we do need as many captures as possible to see which phones get which ROM packages. We should avoid half updates like in the original tool from Chris Walsh.
If you have a capture of the update, please post here.
Thanks,
Heathcliff74
Heathcliff74 said:
The update is indeed for paid and registered mango beta testers. So you do not only have to have a paid account, but you also need to be registered for beta testing Mango.
Furthermore, if you are such a developer and you upgrade to Mango, be aware that there are new limitations to sideloading! Many homebrew tools and OEM tools won't be possible to sideload anymore.
When the moment is there that the update is available (not tomorrow), and you do decide to upgrade, I really want to ask everyone to capture the traffic during the update process with Wireshark. If we have as many captures as possible, we can possibly create our own updater, like Chris Walsh did with NoDo. But we do need as many captures as possible to see which phones get which ROM packages. We should avoid half updates like in the original tool from Chris Walsh.
If you have a capture of the update, please post here.
Thanks,
Heathcliff74
Any how-to for capturing the traffic? I'm sure tons of people would like to participate if it was easy. Just start Wireshark and upload the log and that's it?
Yeah man, I'm willing to give this a shot when the update comes out, more than willing for the community... jejeje
I would like to know how to do this. I can post whatever comes out... I have an Arrive... We shall see... jejeje
Heathcliff74 said:
The update is indeed for paid and registered mango beta testers. So you do not only have to have a paid account, but you also need to be registered for beta testing Mango.
Furthermore, if you are such a developer and you upgrade to Mango, be aware that there are new limitations to sideloading! Many homebrew tools and OEM tools won't be possible to sideload anymore.
When the moment is there that the update is available (not tomorrow), and you do decide to upgrade, I really want to ask everyone to capture the traffic during the update process with Wireshark. If we have as many captures as possible, we can possibly create our own updater, like Chris Walsh did with NoDo. But we do need as many captures as possible to see which phones get which ROM packages. We should avoid half updates like in the original tool from Chris Walsh.
If you have a capture of the update, please post here.
Thanks,
Heathcliff74
OK, I'm with an App Hub account (student), so the Mango update for developers will be available in the download section directly on App Hub (like the Mango SDK 7.1), or do I have to register my device ID to my account?
I couldn't myself, it's Microsoft to register my device ID to my App Hub account, is it?
Heathcliff74 said:
When the moment is there that the update is available (not tomorrow), and you do decide to upgrade, I really want to ask everyone to capture the traffic during the update process with Wireshark. If we have as many captures as possible, we can possibly create our own updater, like Chris Walsh did with NoDo. But we do need as many captures as possible to see which phones get which ROM packages. We should avoid half updates like in the original tool from Chris Walsh.
If you have a capture of the update, please post here.
Thanks,
Heathcliff74
I think they'll do something similar to the XBox Dashboard Previews, meaning that ultimately you'll be able to install mango preview on any device, but they'll enable Windows Live sign-in only for registered devices, server side.
Unfortunately Microsoft has always been *****y about these preview things.
blindpet said:
Any how-to for capturing the traffic? I'm sure tons of people would like to participate if it was easy. Just start Wireshark and upload the log and that's it?
I'm no expert in Wireshark. I know how to use it for my own purposes. So this is what I would do, but if someone else has additional suggestions, feel free to help. The updates are over standard http, not https, so that makes it easier.
- Connect your phone to your computer and wait for Zune to be ready with sync.
- Download and start Wireshark.
- Select the network-interface you want to log (to be sure keep only one network-interface enabled, just to be sure you'll capture the correct interface).
- To be sure you capture the traffic from the phone too, go to menu Edit / Preferences. Select User Interface / Capture. And enable option Capture packets in Promiscuous Mode.
- To filter all unwanted data type this in the Filter textbox: http && !tcp.analysis.out_of_order && !tcp.analysis.retransmission
- Start update with Zune.
- When the update is ready, stop the capture and save it to a file.
To test if this works, do the above and use Internet Explorer on your phone. You should see the traffic in Wireshark.
hd2leo_fusion said:
OK, I'm with an App Hub account (student), so the Mango update for developers will be available in the download section directly on App Hub (like the Mango SDK 7.1), or do I have to register my device ID to my account?
I couldn't myself, it's Microsoft to register my device ID to my App Hub account, is it?
I clearly said it was for paid and registered developers. Have you paid for your student account? Guess not. So unfortunately this beta is not going to be available for you. Even if you would register as a beta-tester. I wouldn't know how to do that anyway, because I haven't done that.
Heathcliff74 said:
I clearly said it was for paid and registered developers. Have you paid for your student account? Guess not. So unfortunately this beta is not going to be available for you. Even if you would register as a beta-tester. I wouldn't know how to do that anyway, because I haven't done that.
That's interesting... May I ask where you have that information from? I could not find anything on the create.msdn.com (App Hub) forums about it. Was it in the news section somewhere?
Quite odd they won't give it to students.
Marvin_S said:
That's interesting... May I ask where you have that information from? I could not find anything on the create.msdn.com (App Hub) forums about it. Was it in the news section somewhere?
Quite odd they won't give it to students.
Many sources:
one
two
three
four
......
Ciao,
Heathcliff74
Heathcliff74 said:
Many sources:
one
two
three
four
......
Ciao,
Heathcliff74
Yes, read those; it does not specifically say student accounts won't get it. Brandon Watson also tweeted "@arnehelseth Every developer matters. Every. Single. One. Deep breath everyone". Don't know if this means something and is in the right context or not.
The articles just say it will be released to developer unlocked App Hub accounts, which you can normally get by paying $99 (they don't speak about student unlocks in particular).
"Neowin has received multiple independent tips that the beta will be made available for all devices through the MSDN Create hub for those with developer accounts, on June 22/23, with Microsoft set to make the announcement sometime during the next 24 hours. The beta will not be restricted to "favorite" developers but will be generally available to anyone with a paid subscription, and will be able to be loaded on any of the production devices."
Yes, it indicates paid subscription, however it does not really rule out student subscriptions since they are pretty much equal to MS. I don't know if we have to take these words literally or if it's quickly written.
"The software giant will also offer beta bits for developers to load directly onto their devices, reports Neowin. Mango ROMs will be made available to existing Windows Phone developers via Microsoft’s App Hub development program. Access to the developer program is charged at $99 per year."
Students have free access to the App Hub development program.
I could not find where you need to sign up for the beta, have not read a mention about this. I could not find it in these sources.
You are probably right though that it's only for paid subscriptions, since it's easier to check who is a genuine dev. I just wondered since I have not seen a clear "No to student account" post so I was not really sure about what to believe. Thank you for the clarification.
All sources I read stated that you need to have a paid registration. So it does not say 'no students' but students don't pay, so I guess that rules it out.
About the registered Mango beta tester, I don't see it right now, but I'm sure I've read that.
Anyway, we'll wait and see. Speculating now is not of much use.
Heathcliff74 said:
All sources I read stated that you need to have a paid registration. So it does not say 'no students' but students don't pay, so I guess that rules it out.
About the registered Mango beta tester, I don't see it right now, but I'm sure I've read that.
Anyway, we'll wait and see. Speculating now is not of much use.
True, and they can always have a change of heart. Thanks, we will see. If students get it, I'll try and log the process with Wireshark.
Marvin_S said:
True, and they can always have a change of heart. Thanks, we will see. If students get it, I'll try and log the process with Wireshark.
Ok. That would be cool. But I have to stress again: If you upgrade to Mango, be aware that there are new limitations to sideloading! Many homebrew tools and OEM tools won't be possible to sideload anymore. So if that is a problem for you, then you shouldn't upgrade. What would be interesting to know is, if you have such software that uses native code (like WP7 Root Tools, TouchXplorer, Screencam, etc) already on your phone, will it still be possible to use it after the upgrade?? And.. will the ChevronWP7 unlock survive the upgrade if you have the "prevent relock tweak" applied??
Heathcliff74 said:
Ok. That would be cool. But I have to stress again: If you upgrade to Mango, be aware that there are new limitations to sideloading! Many homebrew tools and OEM tools won't be possible to sideload anymore. So if that is a problem for you, then you shouldn't upgrade. What would be interesting to know is, if you have such software that uses native code (like WP7 Root Tools, TouchXplorer, Screencam, etc) already on your phone, will it still be possible to use it after the upgrade?? And.. will the ChevronWP7 unlock survive the upgrade if you have the "prevent relock tweak" applied??
Yes I know. That's what I wonder as well. Since we could use OEM apps added through the marketplace. So upgrading with these apps in place might work. I'll also make a few Zune backups so I can roll back just in case.
If roottools still works we might be able to set the prevent relock again. I'm wondering about the sideload limit, because that's the most annoying thing for me. 3 is not much to sideload and I like to keep the apps I'm developing on my phone to test them on the road.
Well, I'm trying not to get my hopes up for Mango anytime soon, but if it's for students also I'll give it a shot. And I can maybe PM you before, if you can think of some things you want me to test out for you.
As I briefly posted on my blog Monday, Mango will no longer support the deployment of XAPs containing the ID_CAP_INTEROPSERVICES flag. This means you won't be able to deploy your web servers, root tools, and other assorted unsupported hackery.
With our sanctioned, dirt cheap unlock service around the corner, trying to jailbreak NoDo (without upgrade hacks) is a waste of time. I believe the ROI on time spent on hacking this interop limitation is much greater.
This limitation is implemented in PacmanInstaller.exe (on the phone); it scans the manifest for the flag and bails with HRESULT 0x81030120.
As Mango FFUs haven't been released yet, I haven't tested upgrade path 'hacks'; worse, this behavior doesn't appear to be reproducible in the emulator limiting current testing to those w/ Mango phones. (That should change in the next few weeks, hopefully.)
I'm interested to see what ideas you guys have!
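The manifest check described in the post above can be reproduced offline for auditing packages. This is an added example, not part of the original post and not Microsoft's installer code: it opens a XAP as the ZIP archive it is, reads `WMAppManifest.xml`, and reports the declared capabilities and bundled assemblies. The function names, the size limit and the sample package are constructed for illustration, and the manifest layout (`Capability` elements with a `Name` attribute) is assumed from the standard WP7 project template.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "WMAppManifest.xml"
INTEROP_CAP = "ID_CAP_INTEROPSERVICES"  # the flag named in the post above
MAX_MANIFEST_BYTES = 1 << 20            # assumed sanity limit for a manifest


def _local(tag):
    """Strip an XML namespace: '{ns}Capability' -> 'Capability'."""
    return tag.rsplit("}", 1)[-1]


def audit_xap(xap_bytes):
    """Return declared capabilities and bundled assemblies of a XAP."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        names = xap.namelist()
        manifest = next(
            (n for n in names
             if n.replace("\\", "/").rsplit("/", 1)[-1].lower() == MANIFEST.lower()),
            None,
        )
        if manifest is None:
            raise ValueError("package has no " + MANIFEST)
        # Refuse to parse an implausibly large manifest from an untrusted package.
        if xap.getinfo(manifest).file_size > MAX_MANIFEST_BYTES:
            raise ValueError("manifest is implausibly large")
        root = ET.fromstring(xap.read(manifest))

    caps = [el.get("Name") for el in root.iter()
            if _local(el.tag) == "Capability" and el.get("Name")]
    return {
        "capabilities": caps,
        # True means a Mango deployment would be refused, per the post
        # (HRESULT 0x81030120).
        "declares_interop": INTEROP_CAP in caps,
        "assemblies": sorted(n for n in names if n.lower().endswith(".dll")),
    }


def build_sample_xap(capabilities):
    """Build a minimal XAP in memory (constructed sample, not a real app)."""
    caps_xml = "".join('      <Capability Name="%s"/>\n' % c for c in capabilities)
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" '
        'AppPlatformVersion="7.0">\n'
        '  <App ProductID="{00000000-0000-0000-0000-000000000000}" Title="Sample">\n'
        '    <Capabilities>\n' + caps_xml + '    </Capabilities>\n'
        '  </App>\n'
        '</Deployment>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        z.writestr("Sample.dll", b"MZ placeholder, not a real assembly")
    return buf.getvalue()


if __name__ == "__main__":
    for caps in (["ID_CAP_NETWORKING"], ["ID_CAP_NETWORKING", INTEROP_CAP]):
        print(audit_xap(build_sample_xap(caps)))
```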
How does Microsoft even explain this? What's the point in allowing your unlock officially and then blocking the very functionality we unlock devices for?
Maybe this is a temporary problem?
As far as Microsoft is concerned the new Unlock variant is for people who want to develop for their devices but without intention to publish the results to the Marketplace, e.g. people who want to play around with things.
If you're a Nokia Dev today you get the unlock for free - allowing people to access undocumented APIs is not what Microsoft wants to happen but more to make people experiment with the platform and then perhaps publish their work to Marketplace later on - but that would not be able to happen if those experiments used COM-Interop which is not allowed on the Marketplace.
Well, this way, from an end user perspective, unlocking is useful only for piracy. Getting sideloading without extended capabilities is a weird proposition.
Re hacking Mango, I guess people need to get it on their phones somehow to begin with.
In the other thread I requested that everyone who upgrades makes a Wireshark log and posts it here, so we can tear it apart. I also left some instructions there.
Please also let us know if apps with native code survive the upgrade and if the Chevron unlock with prevent relock survives the update.
Ciao,
Heathcliff74
mfw i already found out a possible solution how to bypass this.
>NoDo needed before Mango.
No trolling. Also, cant say it here on xda, then the Microsofties will pick it up and block...
>Trusted people i can tell, sry.
Thanks for sharing this secret, but up to this moment, Ansar way (flashing stock ROM, then using advanced configuration utility to avoid relocking) is the only effective way.
One could write an application for NoDo, for example a ChevronWP7 Homebrew Enabler, that uses native APIs to modify manifests of homebrew applications found on the phone. Then upgrade to Mango.
There are lots of upgrade scenarios but we have to remember -- new phones will only ship with Mango.
Yeah, let's tell rafael and his ms homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
diboze said:
rafael and his ms homies
Really? Rafael informs us of an important issue that we should try resolving, and your response is "OMG he's in bed with Microsoft let's ostracize him"? That saddens me.
@arktronic: please... you can't be this naive...
I won't dignify that with a response.
Oh wait...
There seems to be a way ... for current NoDo users. It is similar to what happened going from original 7008 to NoDo ... in terms of unlocking. I will stop there.
I'm curious, is the ID_CAP_INTEROPSERVICES merely a flag that the xap contains native code, or does the executive actually forbid the application from running native code unless the flag's present?
i.e. could we modify the xap to remove this flag, but still run the native code app on the phone?
elyl said:
I'm curious, is the ID_CAP_INTEROPSERVICES merely a flag that the xap contains native code, or does the executive actually forbid the application from running native code unless the flag's present?
i.e. could we modify the xap to remove this flag, but still run the native code app on the phone?
The flag must be present.
diboze said:
Yeah, let's tell rafael and his ms homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
You're an idiot.
Here are some things to consider then:
Can something be done to the XAPs to allow the flag? Signing? Other XML file modifications that, in turn, would allow the flag to be used?
Can something be done to the system? A registry change perhaps?
Have any new flags been added to Mango that might also allow low-level system access?
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app and then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
(nico) said:
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app and then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
Ah, thanks for testing that. So that means installing an application then upgrading won't be as easy as it sounded.
One test would be to sign a XAP and place your root certificate in the CA store (with Heath's toolset).
diboze said:
Yeah, let's tell Rafael and his MS homies how the people here try to hack Mango, so that he can tell MS to fix it before Mango is released to everyone.
I hope you won't tell a thing in public @ fiinix, jaxbox, heathcliff
I too hope everyone will be a selfish bastard and will never get anything done.
Arktronic said:
Here are some things to consider then:
Can something be done to the XAPs to allow the flag? Signing? Other XML file modifications that, in turn, would allow the flag to be used?
Can something be done to the system? A registry change perhaps?
Have any new flags been added to Mango that might also allow low-level system access?
I'm trying some things with the package manager. I haven't got anything yet, but I have some ideas I have yet to try. I'm working on flagging an app as "not being sideloaded".
(nico) said:
It seems more complicated than just the flag.
Homebrew apps or resigned apps (like Scansearch, or HTC apps) won't run, but official manufacturer apps (Scansearch on LG, HTC apps on HTC) run fine.
So it seems to depend on some certificate.
Also, installing an app and then upgrading to Mango keeps the app on the phone, but it won't allow you to launch it (no error, just launch and quit).
Ok. So it looks like the package-manager doesn't allow the interop-flag for apps with a full install-cycle through side-loading. The flag is probably allowed for upgrades and marketplace-installs (including DRM licenses). And the PolicyEngine (runtime system) requires the dll's to be signed properly or else it will deny interop to native code.
WithinRafael said:
Ah, thanks for testing that. So that means installing an application then upgrading won't be as easy as it sounded.
One test would be to sign a XAP and place your root certificate in the CA store (with Heath's toolset).
Please refer to the opening post of this thread. For the purpose of code-signing the certificates in the "Code Integrity" store are used. The certificates in that store would probably need a signing-root in the CA store. That means that you have to create a certificate that has the properties of a "Code Integrity" certificate AND the properties of a "CA" certificate and then add this cert to both "Code Integrity" and "CA" stores. Then use the private key to sign all the dll's.
If you look at the certs in the "Code Integrity" store, then all, except the one used for LPC signing, have this:
Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3), Unknown Key Usage (1.3.6.1.4.1.311.10.3.14)
If you look at the certs in the CA store, then you see that they all have:
Certificate Signing, Off-line CRL Signing, CRL Signing (06)
That means that you have to create a cert with:
Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Enhanced Key Usage: Code Signing (1.3.6.1.5.5.7.3.3), Unknown Key Usage (1.3.6.1.4.1.311.10.3.14)
Then add this to "Code Integrity" and "CA".
You have to create the cert with OpenSSL. You can't create such a cert with Visual Studio tools.
I already created such a cert. I will create a new version of the WP7 Root Tools and sign the dll's with this cert. And I will make an option to install/uninstall the public cert in "Code Integrity" and "CA". I advise everyone who wants to try this to first make a backup! Then, when you have this version of the WP7 Root Tools installed and you used it to install the certificates too, then you should try to upgrade to Mango and see if the WP7 Root Tools are still working.
I will let you know when I have this new version of the WP7 Root Tools ready.
Ciao,
Heathcliff74
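An added example, not code from the post above or from the WP7 Root Tools: the hex values quoted there, (86) and (06), are the first byte of the X.509 KeyUsage bit string, and this Python decoder turns the DER-encoded value into named flags. The DER samples and the function names are constructed for the example.

```python
# KeyUsage flag names in RFC 5280 order; bit 0 is the most significant bit.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # Code Signing OID quoted in the post

# Constructed samples: DER BIT STRINGs carrying the two values from the post.
CODE_INTEGRITY_STYLE = bytes.fromhex("03020186")  # displayed as (86)
CA_STYLE = bytes.fromhex("03020106")              # displayed as (06)


def parse_key_usage(der: bytes) -> set:
    """Decode the KeyUsage extension value (a DER BIT STRING) into flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length != len(der) - 2 or not 2 <= length <= 3:
        raise ValueError("unexpected KeyUsage length")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    # DER requires the bits declared unused to be zero.
    if unused and payload[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    total_bits = len(payload) * 8 - unused
    flags = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def roles(key_usage_der: bytes, ekus: set) -> dict:
    """Summarise what the key usage and EKU list permit.

    Key usage only: RFC 5280 path validation also requires
    basicConstraints CA=TRUE for an issuer, which the post does not show.
    """
    ku = parse_key_usage(key_usage_der)
    return {
        "key_usage": sorted(ku),
        "allows_cert_signing": "keyCertSign" in ku,
        "allows_code_signing": "digitalSignature" in ku and EKU_CODE_SIGNING in ekus,
    }


if __name__ == "__main__":
    print(roles(CODE_INTEGRITY_STYLE, {EKU_CODE_SIGNING}))
    print(roles(CA_STYLE, set()))
```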
I'm running MOAR v6.0 MD4 (Android 4.1.2) on Sprint GS3. I never received any alerts from Lookout before, but today it reported 15 riskware alerts:
com.android.phone
com.mythtrandyr.inkeffectsettings
com.lidroid.settings
com.sonyericsson.lockscreen.uxpnxt
com.jy.iconchanger.ad
de.robv.android.xposed.mods.appsettings
com.asushi.livewallpaper.mytree
com.monotype.android.font.XDAFONTS
com.android.launcher
de.robv.android.xposed.installer
com.android.flashblink
com.sec.android.mimage.photoretouching
com.koo.lightmanager
com.android.lmt
com.lidroid.sgs.secretcode
All have a classification of: Riskware.Android.CompromisedKey.a.
Should I be alarmed, or is this likely a problem with a definition update from Lookout?
Great support from the Lookout guys as I emailed them and they replied right away, here's what they said. I should be okay:
The reason we have flagged this app as 'Riskware' is due to a special key that this particular developer used when publishing the app. The key is normally a private piece of information that we use to determine if an app is authentic, and to identify the developer. In this particular situation, the developer chose to use a key that has been widely distributed on the internet or has been compromised.
This makes it impossible for us to validate the app and its authenticity. Therefore, we are not calling these apps malware, but we recommend that users not install apps like this because it is inherently more risky (hence the "Riskware" assessment).
If you as a user understand the risk and still decide to trust the app, feel free to ignore the warning.
We have also been seeing some device manufacturer, preinstalled apps also being flagged as 'Riskware' for the same reason. These apps are unable to be uninstalled and we please ask that you ignore the warning if it is an app that came preinstalled on the device. We have reached out to these developers to make the proper changes.
Thanks for using Lookout!
David,
The Lookout Team
mindfulness said:
Great support from the Lookout guys as I emailed them and they replied right away, here's what they said. I should be okay:
The reason we have flagged this app as 'Riskware' is due to a special key that this particular developer used when publishing the app. The key is normally a private piece of information that we use to determine if an app is authentic, and to identify the developer. In this particular situation, the developer chose to use a key that has been widely distributed on the internet or has been compromised.
This makes it impossible for us to validate the app and its authenticity. Therefore, we are not calling these apps malware, but we recommend that users not install apps like this because it is inherently more risky (hence the "Riskware" assessment).
If you as a user understand the risk and still decide to trust the app, feel free to ignore the warning.
We have also been seeing some device manufacturer, preinstalled apps also being flagged as 'Riskware' for the same reason. These apps are unable to be uninstalled and we please ask that you ignore the warning if it is an app that came preinstalled on the device. We have reached out to these developers to make the proper changes.
Thanks for using Lookout!
David,
The Lookout Team
What effect will this have on CM builds, because they are using publicly available keys (https://github.com/CyanogenMod/android_build/tree/gingerbread/target/product/security) to sign?