Viewing the source code of installed Windows Store apps on Windows 8

While it isn't surprising that you can access the files of installed Windows Store apps (they are installed locally, after all), it might come as a surprise to some that the code isn't encrypted or obfuscated at all. In my early conversations with Microsoft I was led to believe that the code would be encrypted as part of the signing process, but that isn't true at all.

Getting to the installed apps

Files for installed apps are in C:\Program Files\WindowsApps, which is 'hidden', so make sure you have 'View Hidden Items' turned on. This folder isn't accessible by the logged-in user, even if you are running as the administrator (which you shouldn't be). The easiest way to get access to the folder is to take ownership of the folder and everything in it. You can do this with PowerShell if you like.

# Lists the current ACL of every item under WindowsApps (the owner shows as TrustedInstaller); it reads the ACLs but does not change ownership.
Get-ChildItem 'C:\Program Files\WindowsApps' -Recurse | ForEach-Object { Get-Acl $_.FullName }

But it is remarkably easy to do in the UI, so that is how I did it. Right-click on C:\Program Files\WindowsApps and select Properties, then click on the Security tab. From there you can click Advanced to get the Advanced Security Settings. As you can see from Figure 1, the owner is TrustedInstaller.

Click the Change link and then type in your Microsoft Account email address. Then press Enter, OK, and OK again to close all of the dialog boxes. From there you can easily navigate to any installed app.

Open one of these, Amazon for instance, and you can see that the file structure is just as it would be in Visual Studio.

From there you can browse at will.

As expected, apps written in C++ or .NET are compiled EXEs, although the XAML is still browsable. Here is Barnes and Noble's Nook app, as a point of comparison.

Nothing that a small dose of dotPeek won't fix, I am sure. I'll leave that as an exercise for the reader.

The implications

What are the implications of all of this? Not a lot, really. For most apps written in JavaScript, there is nothing there that a quick right-click, View Source won't give you on that organization's web site. JavaScript is just as discoverable as HTML in those cases.

For some apps, though, there may be some consideration for keys to services such as Google, Bing or other service providers. For instance, we are using Weather Underground in an app I am developing, and the client's key for that service is right there in the settings.js file. Usually, that would be accessed server-side in a regular web app, and apparently we are going to have to do something similar for the Windows 8 app: perhaps wrap external services in our own service layer and call that layer to get the values the original service provides.
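The practical check that follows from this is to scan your own package output for embedded credentials before it ships, since anyone with the installed package can read the same files. The following is an added example, not code from the post or from the app it describes: a small scanner that walks a package tree, looks only at the text assets that ship readable (JS, JSON, XML, HTML), flags credential-looking assignments, and uses Shannon entropy to skip obvious placeholders. The settings.js contents, the key names and the key values are all constructed for the example.

```python
import math, os, re, tempfile
from collections import Counter
# Text assets that ship readable inside a package; compiled EXE/DLL files are skipped.
SCAN_EXT = {".js", ".json", ".xml", ".html", ".config"}
# A credential-looking name assigned a long quoted token (JS object or JSON syntax).
SECRET_RE = re.compile(
    r'(?i)\b([a-z_]*(?:key|secret|token|password))\b\s*[:=]\s*["\']([A-Za-z0-9_\-]{16,})["\']')

def shannon_entropy(s):
    # Bits per character: real keys score high, placeholders like "xxxx..." score 0.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text, path="<memory>", min_entropy=3.0):
    # One finding per assignment whose value looks like a real (high-entropy) secret.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:
                findings.append({"file": path, "line": lineno, "name": m.group(1)})
    return findings

def scan_package(root):
    # Walk an unpacked package tree (e.g. the build output) and scan every text asset.
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in SCAN_EXT:
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return findings

# Constructed settings.js, modelled on the kind of file the post describes.
SAMPLE_SETTINGS_JS = """\
// settings.js: constructed sample, not the real file from the post
var settings = {
    serviceName: "Weather Underground",
    apiVersion: "v2",
    wundergroundApiKey: "0123456789abcdefghijklmnopqrstuv",
    bingMapsKey: "xxxxxxxxxxxxxxxxxxxxxxxx",
    apiToken: 'ZYXWVUTSRQPONMLKJIHGFEDCBA987654'
};
"""
def demo():
    # Lay the sample out as a package tree on disk and run the pre-publish scan over it.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "js", "settings.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SETTINGS_JS)
        return scan_package(root)
```

Running `demo()` reports the two real-looking keys and ignores the all-x placeholder; in practice you would point `scan_package` at the app's build output and fail the build on any finding.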

There has been some discussion of changing code, recompiling using the provided key, and getting access to for-pay content or disabling ads. I am not a fan of ripping off developers (being one myself), so I won't go into that here. It could be a very significant detriment to those seeking to monetize apps, however.

The most significant thing, as usual, is developer ignorance. If the developer doesn't realize that all of the code is easily browsable, then they may make poor decisions in the construction, commenting or production of the code base.

Lesson learned - code as if someone is watching you. Because they are!

Comments (2) -

Doug Mair
12/18/2012 10:41:09 AM #

I heard the same message as you ... that the files would be encrypted when signed.

That message was also given about WP8 apps.

I wonder if it is still in the plans or if it was too much of a perf issue to implement.

Reminder to self ... Obfuscate my apps.

Larry Beall
12/19/2012 4:12:37 PM #

I'm not sure you could obfuscate your code. Would that prevent you from gaining store certification as the reviewer couldn't do any digging?

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.