DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
  • Refcardz
  • Trend Reports
  • Webinars
  • Zones
  • |
    • Agile
    • AI
    • Big Data
    • Cloud
    • Database
    • DevOps
    • Integration
    • IoT
    • Java
    • Microservices
    • Open Source
    • Performance
    • Security
    • Web Dev
DZone >

Windows 8 App Store - The APPX Download API is Secure

Denzel D. user avatar by
Denzel D.
·
Jun. 04, 12 · · Interview
Like (0)
Save
Tweet
11.50K Views

Join the DZone community and get the full member experience.

Join For Free

Once Windows 8 RP was released, the first thing I decided to do was to inspect the capabilities of the App Store. Specifically, I wanted to repeat my Zune Marketplace (also known as the Windows Phone Marketplace to some extent) experiment with capturing API endpoints.

To my surprise (not really), Microsoft secured the store pretty well this time – there are no open HTTP-based endpoints other than those related to application images, like icons and tiles. Even the application metadata is no longer accessible directly and is transmitted through a secure TCP connection.

A quick look at the Wireshark log (was set-up on a Windows 7 cross-proxy, since it won’t work on Windows 8) revealed something interesting while I was downloading Cut The Rope (great game, by the way).

image

Take a look at this log. Specifically, pay attention to the URL that is being invoked.

WIRECHECK

Here is a fully-formed URL of the same format:

http://aq.v4.a.dl.ws.microsoft.com/dl/content/a/4/updt/2012/02/278d5ef5-2097-47de-a3a3-49ed870afedb_fdc395ec63fb93abe3c8f94f1c7dbfe9f7a1fc91.appx?P1=1331100439&P2=1&P3=1&P4=pTw1rcFe7d1AI%2bV1VQj71DKWZKk%3d

First of all, you might notice that there is an application ID passed. The APPX extension is a renamed ZIP archive. You can easily open this file with Windows Explorer even on older version of Windows. There are also four parameters, that are strictly enforced. I can see that the first one (P1) is a Unix Timestamp. P2 and P3 are unknown and P4 seems to be the composite hash.

The link is volatile – even if captured through a proxy, it needs to be invoked instantly to trigger a download. Otherwise an Access Denied error will be shown. This is a much more secure scheme compared to Windows Phone, that allows XAP downloads directly through the HTTP pipe without specific verification procedures.

API App Store (iOS/iPadOS) app security Download

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Top Soft Skills to Identify a Great Software Engineer
  • How To Integrate Event Streaming Into Your Applications
  • Waterfall Vs. Agile Methodologies: Which Is Best For Project Management?
  • Fintech and AI: Ways Artificial Intelligence Is Used in Finance

Comments

Partner Resources

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • MVB Program
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends:

DZone.com is powered by 

AnswerHub logo