Windows 8 App Store - The APPX Download API is Secure

Once Windows 8 RP was released, the first thing I decided to do was to inspect the capabilities of the App Store. Specifically, I wanted to repeat my Zune Marketplace (also known as the Windows Phone Marketplace to some extent) experiment with capturing API endpoints.

To my surprise (not really), Microsoft secured the store pretty well this time – there are no open HTTP-based endpoints other than those related to application images, like icons and tiles. Even the application metadata is no longer accessible directly and is transmitted through a secure TCP connection.

A quick look at the Wireshark log (was set-up on a Windows 7 cross-proxy, since it won’t work on Windows 8) revealed something interesting while I was downloading Cut The Rope (great game, by the way).

Take a look at this log. Specifically, pay attention to the URL that is being invoked.

Here is a fully-formed URL of the same format:

http://aq.v4.a.dl.ws.microsoft.com/dl/content/a/4/updt/2012/02/278d5ef5-2097-47de-a3a3-49ed870afedb_fdc395ec63fb93abe3c8f94f1c7dbfe9f7a1fc91.appx?P1=1331100439&P2=1&P3=1&P4=pTw1rcFe7d1AI%2bV1VQj71DKWZKk%3d

First of all, you might notice that there is an application ID passed. The APPX extension is a renamed ZIP archive. You can easily open this file with Windows Explorer even on older version of Windows. There are also four parameters, that are strictly enforced. I can see that the first one (P1) is a Unix Timestamp. P2 and P3 are unknown and P4 seems to be the composite hash.

The link is volatile – even if captured through a proxy, it needs to be invoked instantly to trigger a download. Otherwise an Access Denied error will be shown. This is a much more secure scheme compared to Windows Phone, that allows XAP downloads directly through the HTTP pipe without specific verification procedures.