11. November 2010 09:46
Building Windows Phone 7 applications using Visual Studio 2010 and Expression Blend is so much easier than building for any other mobile platform it’s easy to get lulled into a false sense of security. For example to use the Bing Maps control you need to go and register in order to receive an application key that you use in order to remove the warning message that appears in the middle of the maps control. It’s simple to just add this directly into the application via Blend and walk away – job done. Wrong!
Let’s think about the implications of this. What you’ve done is enter an application key into your application, which is going to be distributed via marketplace to any number of devices. This application key identifies your application and permits you access to Bing Maps (which is free for WP7 applications). Now what happens if one of those devices is owned by a malicious user who has completed at least half a computer science degree. It’s highly possible that they can extract the contents of your application, retrieve the plain text key (that’s right, even if you obfuscate your code, chances are this application key is still going to be visible in plain text) and use it in his own applications. Now your account with Bing Maps is getting completely slammed and Microsoft come knocking on your door asking for money!
So, what did you do wrong? You followed the Microsoft samples blindly. You added a secret application key into an application where ALL the code is easily readable (there are countless threads on how to protect your IP within managed application, and by far one of the safest is to put sensitive code in native code but of course you can’t do that with WP7 applications).
So, what can you do to fix it? Well it’s simple really….. don’t put the application key into the application in the first place. Right, but then how can we use for example the Bing maps control? Ok, so this is the crux of the problem, there is no bulletproof way to do this given the application key model. The best you can do is to place the application key behind a service and then either request it each time the application needs it (no caching) or request it the first time and cache it. Not ideal but at least it adds a layer of indirection to wanna-be-hackers.