
Legitimate backdoor in distributing corporate Windows Store apps

Hi, Habr! In this article we share our experience of distributing corporate Windows Store (Modern UI) applications outside the store.

We have a client: an excellent customer for whom we have created, implemented and continue to develop a large portal solution for remote agent service. About a year ago it was decided to create a mobile workplace for employees based on Windows 8 tablets.
But creating the application is only one task. The next step also had to be thought through: the application had to be installed on the tablets of the customer's company all over Russia, because the end users are company representatives in different regions. At the same time there had to be a mechanism for updating the application, because without one, as you understand, you will not get anywhere.

At the testing stage you can use the application for one month by installing a developer license, which is what we did ( link ). But at some point the time comes to launch the application for real. We considered several options:

  1. Distribution through the app store.
    The method seems tempting: we publish an application in which the functionality "for our own people" is protected by a password, so only employees can use the application for its intended purpose. But such distribution violates the store's publication rules. There is a high probability of receiving a review like this in response (as happened with our iOS applications):
    2.12 We found that your app is intended for a limited company, or set of users - your company.
  2. The use of computer management software for organizations, such as Windows Intune ( link ) or AirWatch ( link ).
    These are serious solutions that require additional costs to purchase and configure; in addition, the company's IT services must adopt them. Using these systems undoubtedly solves almost all problems of remote management and monitoring of devices, but at the time the customer was not ready to configure and use them.
  3. As in many cases, there is a way; you just need to search a little ...

Update Installer


We decided to try to cope with the task ourselves and reinvent the wheel: create a program that configures the OS before installing the application, then installs and updates our Modern UI application directly.
The point is that the corporate tablets used in the company were x86 devices with Windows 8 Professional installed. This architecture allows running not only applications from the store but also "good old" desktop programs.
So the algorithm seems to be standard:
  1. The user receives the installer and installs the classic (desktop) update program.
  2. The program checks whether a new version of the application is available and, if there is one, downloads the ready-made package.
  3. The program deploys the package and runs the installation script.
  4. The application is installed or updated.
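The update check in step 2 is the point where the installer trusts the server, so it is worth showing how the downloaded package can be checked before it reaches step 3. The code below is an added example, not the authors' installer code: it fetches a small manifest over HTTPS, compares the advertised version with the installed one and accepts the downloaded .appxbundle only if its SHA-256 hash matches the manifest. The manifest format (three "name=value" lines), the server URLs and the file names are assumptions made for this example.

```csharp
// Added example (not the article's code). Assumed manifest format:
//   version=1.2.0.0
//   url=https://updates.example.invalid/agent-1.2.0.0.appxbundle
//   sha256=<lower-case hex digest of the package>
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;

public sealed class UpdateInfo
{
    public Version Version;     // version advertised by the server
    public string PackageUrl;   // HTTPS location of the .appxbundle
    public string Sha256Hex;    // expected digest of the package, lower-case hex
}

public static class UpdateChecker
{
    public static UpdateInfo ParseManifest(string manifestText)
    {
        var info = new UpdateInfo();
        foreach (var rawLine in manifestText.Split('\n'))
        {
            var line = rawLine.Trim();
            int eq = line.IndexOf('=');
            if (eq <= 0) continue;
            string name = line.Substring(0, eq), value = line.Substring(eq + 1);
            switch (name)
            {
                case "version": info.Version = Version.Parse(value); break;
                case "url": info.PackageUrl = value; break;
                case "sha256": info.Sha256Hex = value.ToLowerInvariant(); break;
            }
        }
        if (info.Version == null || info.PackageUrl == null || info.Sha256Hex == null)
            throw new FormatException("manifest is missing a required field");
        // A plain-HTTP package location could be altered in transit; refuse it.
        if (!info.PackageUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new FormatException("package URL must use https");
        return info;
    }

    // True when the server offers something newer than what is installed
    // (installed == null means the application is not installed yet).
    public static bool IsNewer(UpdateInfo info, Version installed)
    {
        return installed == null || info.Version > installed;
    }

    public static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "").ToLowerInvariant();
    }

    // Returns the local path of a verified package, or null if no update is needed.
    // Throws if the downloaded bytes do not match the digest in the manifest.
    public static async Task<string> FetchVerifiedUpdateAsync(
        HttpClient http, string manifestUrl, Version installed, string downloadDir)
    {
        string manifest = await http.GetStringAsync(manifestUrl);
        UpdateInfo info = ParseManifest(manifest);
        if (!IsNewer(info, installed)) return null;

        byte[] package = await http.GetByteArrayAsync(info.PackageUrl);
        string actual = Sha256Hex(package);
        if (!string.Equals(actual, info.Sha256Hex, StringComparison.Ordinal))
            throw new InvalidDataException(
                "package hash mismatch: expected " + info.Sha256Hex + ", got " + actual);

        string path = Path.Combine(downloadDir, "update-" + info.Version + ".appxbundle");
        File.WriteAllBytes(path, package);
        return path;   // this path is what step 3 hands to Add-AppxPackage
    }
}
```

The hash check only catches truncated or corrupted downloads and a package swapped behind an unchanged manifest; it is only as trustworthy as the HTTPS channel the manifest itself came over. The stronger guarantee is the one Windows applies anyway at install time: Add-AppxPackage refuses a package whose Authenticode signature does not chain to a certificate trusted on the tablet, so the signing certificate, not the download code, is what ultimately decides which packages the installer can deploy.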


Sideloading


But, as usual, not everything is so smooth; there are nuances. There is another difficulty that Microsoft created for us and which had to be worked around: on some system configurations the installation of applications is completely blocked. Applications cannot be installed unless the group policy setting "Allow all trusted apps to install" is enabled, and on some platforms the setting itself is not available. Details of the sideloading mechanism ( here ).

Application installation is available if:

For Windows 8 Enterprise, Windows 8 Professional:

For Windows 8 Enterprise, Windows 8 Professional, Windows RT operating systems:

Joining the computers to the domain was refused to us, but a key for sideloading activation was provided.
What do the key installation and the policy setup look like for the user? Perhaps the installation instructions sent along with the key solve the problem?
  1. First, install the sideloading key. Open a command prompt as administrator and enter the commands:
    slmgr /ipk <sideloading key goes here ...>
    slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e
  2. Open the Local Group Policy Editor (Start -> gpedit.msc). Find folder N and change the value of X.
  3. ...

In general, the process looks nontrivial for an inexperienced user, so something needs to be done about it. Therefore we will try to use our installer and automate the process.

Putting it all together


So the proposed solution, the installer program, works as follows: it is distributed as an .msi file (mailed to employees), is installed into the system and works according to the following algorithm:



After installation the program is minimized to the tray and immediately starts an automatic check for updates. If the application is not installed, the following message appears in the tray:



Clicking on it opens the form itself, which contains a brief description of the application, an information window, a progress bar and buttons. The information window shows messages such as "An update is available ...", "Installing the application ...", etc.





After installation the program sits in the tray and periodically (several times a day) polls the server for updates. If updates are available, it notifies the user.

It makes sense to dwell a little on the technical implementation of some parts of the program.

Code examples


Group Policy Setup
using Microsoft.Win32;

// Enables the "Allow all trusted apps to install" policy by writing its
// registry value directly. Writes under HKLM, so the installer must run elevated.
public static void SetGroupPolicy()
{
    using (var key = Registry.LocalMachine.CreateSubKey(@"Software\Policies\Microsoft\Windows\Appx"))
    {
        // ...
        key.SetValue("AllowAllTrustedApps", 1, RegistryValueKind.DWord);
    }
}


Installing Sideloading Key
using System.Diagnostics;

// _sideloadingKey holds the key issued to the company (not shown in the article).
// SuppressPopups is the authors' helper that dismisses the message boxes slmgr.vbs shows;
// its implementation is not shown in the article either.
public static void InstallSideloadingKey()
{
    // Nothing to do if the sideloading key is already installed.
    if (IsSideloadKeyInstalled()) return;

    Process p = new Process()
    {
        StartInfo = new ProcessStartInfo()
        {
            FileName = @"C:\Windows\System32\slmgr.vbs",
        },
    };
    // Install the product key.
    p.StartInfo.Arguments = "/ipk " + _sideloadingKey;
    p.Start();
    p.SuppressPopups();
    p.Close();
    // Activate the sideloading product key (activation ID of the sideloading add-on).
    p.StartInfo.Arguments = "/ato ec67814b-30e6-4a50-bf7b-d55daf729d1e";
    p.Start();
    p.SuppressPopups();
    p.Close();
}


Verify that the key is installed
using System;
using System.Diagnostics;
using System.Threading;

// _sideloadingKeyPart holds the partial product key to look for (not shown in the article).
// WindowsHelper is the authors' Win32 wrapper (child window enumeration, window text,
// closing a window); its implementation is not shown in the article.
private static bool IsSideloadKeyInstalled()
{
    // Checks whether the sideloading key is installed by reading the detailed
    // licence information that slmgr /dlv displays.
    bool result = false;
    Process p = new Process()
    {
        StartInfo = new ProcessStartInfo()
        {
            FileName = @"C:\Windows\System32\slmgr.vbs",
        },
    };
    p.StartInfo.Arguments = "/dlv";
    // slmgr.vbs shows its output in a message box, so the text is read from that window.
    p.Start();
    // Poll for up to ~10 seconds for the message box to appear.
    for (int i = 0; (i < 10) && (!p.HasExited); i++)
    {
        p.Refresh();
        if (p.MainWindowHandle != IntPtr.Zero)
        {
            var list = WindowsHelper.GetChildWindows(p.MainWindowHandle);
            foreach (var ptr in list)
            {
                string windowText = WindowsHelper.GetText(ptr);
                if (windowText.Contains("APPXLOB") && windowText.Contains(_sideloadingKeyPart))
                {
                    result = true;
                }
            }
            // Close the message box so slmgr.vbs can exit.
            WindowsHelper.CloseWindow(p.MainWindowHandle);
        }
        Thread.Sleep(1000);
    }
    p.Close();
    return result;
}


Install Application Package
using System;
using System.Diagnostics;

// PackageHelper.GetPackage() is the authors' helper that looks up the installed
// application package (returns null when it is not installed); it is not shown in the article.
public static void UpdateApp(string appxPath)
{
    if (String.IsNullOrEmpty(appxPath))
    {
        // No path to the .appxbundle was given.
        return;
    }
    // Build the Add-AppxPackage command line; quote the path in case it contains spaces.
    string command = @"/C powershell Add-AppxPackage ";
    command += "\"" + appxPath + "\"";
    // Is the application already installed?
    var package = PackageHelper.GetPackage();
    if (package != null)
    {
        // Already installed: update the existing package instead of a fresh install.
        command += " -Update";
    }
    Process p = new Process()
    {
        StartInfo = new ProcessStartInfo()
        {
            WorkingDirectory = @"C:\",
            FileName = "cmd.exe",
            Arguments = command,
            RedirectStandardOutput = true,
            UseShellExecute = false,
        },
        EnableRaisingEvents = true,
    };
    p.Exited += (s, e) =>
    {
        // Read what Add-AppxPackage printed.
        var pr = s as Process;
        string text = pr.StandardOutput.ReadToEnd();
        if (String.IsNullOrEmpty(text))
        {
            // Empty output: the installation succeeded.
        }
        else
        {
            // Non-empty output: report the error text to the user.
        }
    };
    p.Start();
    p.WaitForExit();
}
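The manual steps under "Sideloading" and the three checks above (policy value, key installation, key verification) can be combined into one pre-flight check that the installer runs before attempting an Add-AppxPackage. The following is an added example and not the authors' code: it reads the policy value from the registry and runs slmgr.vbs under cscript, so that the licence details arrive on standard output and no message box has to be scraped or suppressed. It assumes that "/dlv all" lists the sideloading (APPXLOB) licence and that the caller passes the partial product key to look for; the class and method names are this example's own.

```csharp
// Added example (not the article's code). Assumes slmgr.vbs and cscript.exe live in
// %SystemRoot%\System32 and that "/dlv all" includes the APPXLOB licence entry.
using System;
using System.Diagnostics;
using Microsoft.Win32;

public static class SideloadingCheck
{
    // Is the "Allow all trusted apps to install" policy value present and enabled?
    public static bool IsTrustedAppPolicyEnabled()
    {
        using (var key = Registry.LocalMachine.OpenSubKey(@"Software\Policies\Microsoft\Windows\Appx"))
        {
            if (key == null) return false;
            object value = key.GetValue("AllowAllTrustedApps");
            return value is int && (int)value == 1;
        }
    }

    // Runs slmgr.vbs under cscript and returns its console output. cscript writes to
    // stdout, unlike the default wscript host that shows a message box.
    public static string RunSlmgr(string arguments)
    {
        string system32 = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\System32");
        var psi = new ProcessStartInfo
        {
            FileName = system32 + @"\cscript.exe",
            Arguments = "//Nologo \"" + system32 + "\\slmgr.vbs\" " + arguments,
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true,
        };
        using (var p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            return output;
        }
    }

    // Pure check on the /dlv text: a sideloading (APPXLOB) licence is listed and its
    // partial product key is the one we expect to have installed.
    public static bool HasSideloadingLicence(string dlvOutput, string expectedPartialKey)
    {
        return dlvOutput.Contains("APPXLOB") && dlvOutput.Contains(expectedPartialKey);
    }

    public static bool IsSideloadKeyInstalled(string expectedPartialKey)
    {
        // "/dlv all": details for every installed licence, not only the Windows one.
        return HasSideloadingLicence(RunSlmgr("/dlv all"), expectedPartialKey);
    }

    // Both prerequisites must hold before Add-AppxPackage can succeed on a non-domain tablet.
    public static bool IsReadyForSideloading(string expectedPartialKey)
    {
        bool policy = IsTrustedAppPolicyEnabled();
        bool key = IsSideloadKeyInstalled(expectedPartialKey);
        Console.WriteLine("AllowAllTrustedApps policy: " + (policy ? "enabled" : "missing"));
        Console.WriteLine("Sideloading key installed:  " + (key ? "yes" : "no"));
        return policy && key;
    }
}
```

Keeping the text check in HasSideloadingLicence separate from the process launch makes it testable against a saved slmgr output, and reading the policy value rather than only writing it means the installer can tell the user precisely which prerequisite is missing instead of letting Add-AppxPackage fail later.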



Conclusion


The described distribution method is, of course, rather convoluted. There are much cleaner and more convenient methods for distributing Windows 8 applications. But the conditions we were put in forced us to solve the problem this way. With this solution, you and the customer will not have to buy and configure any third-party systems; you will not burden the user with complex application installation procedures; and you will have no reason to fear that the application will not pass certification.

Source: https://habr.com/ru/post/236563/

