Nick's .NET Travels

Continually looking for the yellow brick road so I can catch me a wizard....

Windows Phone 7: Where to store that application key? NOT in the Application

Building Windows Phone 7 applications using Visual Studio 2010 and Expression Blend is so much easier than building for any other mobile platform that it’s easy to get lulled into a false sense of security. For example, to use the Bing Maps control you need to register in order to receive an application key, which you use to remove the warning message that appears in the middle of the maps control. It’s simple to just add this directly into the application via Blend and walk away – job done. Wrong!

Let’s think about the implications of this. What you’ve done is enter an application key into your application, which is going to be distributed via marketplace to any number of devices. This application key identifies your application and permits you access to Bing Maps (which is free for WP7 applications). Now what happens if one of those devices is owned by a malicious user who has completed at least half a computer science degree? It’s highly possible that they can extract the contents of your application, retrieve the plain text key (that’s right, even if you obfuscate your code, chances are this application key is still going to be visible in plain text) and use it in their own applications. Now your account with Bing Maps is getting completely slammed and Microsoft come knocking on your door asking for money!

So, what did you do wrong? You followed the Microsoft samples blindly. You added a secret application key into an application where ALL the code is easily readable (there are countless threads on how to protect your IP within managed applications, and by far one of the safest is to put sensitive code in native code, but of course you can’t do that with WP7 applications).

So, what can you do to fix it? Well, it’s simple really: don’t put the application key into the application in the first place. Right, but then how can we use, for example, the Bing Maps control? OK, so this is the crux of the problem: there is no bulletproof way to do this given the application key model. The best you can do is to place the application key behind a service and then either request it each time the application needs it (no caching) or request it the first time and cache it. Not ideal, but at least it puts a layer of indirection between your key and wannabe hackers.
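As an added pre-release check (example code written for this post, not from the original or from the Microsoft samples): a XAP is just a zip archive, so you can scan your own build for a key you know before shipping, and the constructed sample package and key below are placeholders. The check searches for the UTF-16LE form as well as UTF-8, because .NET string literals sit in the assembly as UTF-16 and a plain ASCII search would miss them.

```python
import io
import zipfile

# Constructed placeholder key, not a real Bing Maps application key.
APP_KEY = "AbCdEf0123456789_sample_key"


def build_sample_xap(key: str) -> bytes:
    """Constructed sample XAP: a zip with a manifest and one fake assembly whose
    bytes carry the key the way the .NET user-string heap stores literals
    (UTF-16LE). No real PE/CLI layout is reproduced; only the encoding matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", "<Deployment />")
        fake_dll = b"MZ\x90\x00" + b"\x00" * 16 + key.encode("utf-16-le") + b"\x00" * 16
        z.writestr("MyApp.dll", fake_dll)
    return buf.getvalue()


def find_key_in_package(xap_bytes: bytes, key: str) -> list:
    """Return (member, encoding) pairs for every file in the package that contains
    the key. UTF-8 covers XAML, config and resource files; UTF-16LE covers string
    literals compiled into assemblies, which obfuscators rename around but keep."""
    needles = {"utf-8": key.encode("utf-8"), "utf-16-le": key.encode("utf-16-le")}
    hits = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            for enc, needle in needles.items():
                if needle in data:
                    hits.append((name, enc))
    return hits


if __name__ == "__main__":
    # The sample package embeds the key, so the check reports MyApp.dll as UTF-16LE.
    for member, enc in find_key_in_package(build_sample_xap(APP_KEY), APP_KEY):
        print(f"key found in {member} as {enc}")
```

Run it against the real XAP from your build output with your real key; an empty result is the condition you want before the package goes to marketplace.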

Comments (3) -

  • Fabien Ruffin

    11/12/2010 12:36:07 AM | Reply

    Hi Nick,

    I thought about exactly the same problem and came up with the same solution: using a service. The problem is that it's also easy to just plug the phone into your computer so it uses your internet connection and then monitor it to see where the app goes (it's actually probably even easier than getting the XAP back from the phone). Then once you've found the service, you can get the key, and as a developer you're back to square one.

    Unless of course, you protect your web service access by a key that you would store in... hang on, something sounds wrong :)

  • unlocked cell phones

    11/14/2010 11:48:03 PM | Reply

    Yeah, it's not ideal but I would trade security for convenience any day. Until they find a more secure way of doing it I would go with your suggestion - request it each time behind a service.

    - Janice Ratliff
