Nick's .NET Travels

Continually looking for the yellow brick road so I can catch me a wizard....

Code Obfuscation and Windows Phone 7 Application Protection

Today most developers registered with the Windows Phone 7 developer program would have received an email entitled Windows Phone 7 App Protection that talks about how to protect the intellectual property within your Windows Phone 7 application. In actual fact it talks very little about this and more about how applications can’t be side loaded (which we all knew anyhow). To draw a quote from the email:

“As a Windows Phone developer you can be assured that Windows Phone Marketplace is operating as designed in providing a level of protection that is in-line with industry practices and sufficient for our own valued content. You can learn about our protection model in the Windows Phone Marketplace Anti-Piracy Model white paper, which outlines our perspective on leak prevention and leak containment. “

To be honest if by “industry practices” you mean that they’re going to publish your application so that it is readily available for anyone interested to download via a web browser, decompress and view using reflector, then we live in a wow-ful industry indeed. In the white paper they acknowledge that Windows Phone 7 applications are not encrypted in any way on the CDN – this makes it a 20 second job to locate, download and open any application posted on marketplace.

They go on about how it’s not possible for someone to re-publish or side-load an application they have downloaded from marketplace. To me the obvious elephant in the room is the fact that anyone can download your application and view your IP.  This is a sad state of affairs and I for one hope that Microsoft have this well and truly on their radars for the first upgrade to Windows Phone 7.

Points to note:

- Don’t assume Microsoft will protect your intellectual property. You’re handing over your application for them to certify, which means your handing over valuable IP for a third party to review. In my mind that’s a BAD, BAD, BAD thing (irrespective of whether it’s available to everyone else).

==> Resolution – Store any valuable IP behind a service. This means that you can protect and/or change it as required

- Don’t include application keys/tokens in your application - Windows Phone 7: Where to store that application key? NOT in the Application(need I repeat this again?)

==> Resolution – Store app keys/tokens behind a service. Whilst not a perfect solution, it does make it slightly harder

- Accessing xaps off marketplace can be done using a proxy (such as fiddler) when you download an app to your phone via zune. I won’t give away too much other than you need to look at the xml file that is retrieved which discloses the direct download url for the xap.

==> Resolution – This information is posted here to put Microsoft on notice: this level of application protection is unacceptable. As a minimum I’d expect some form of encryption of xaps on the wire and something like one time download urls for the xaps. Don’t steal other people’s applications or IP – just because you can, doesn’t make it legal!

Comments (3) -

  • sebastian

    11/17/2010 7:14:01 AM | Reply

    To provide balance, i think it is worth noting that Android (based upon Java - managed code that is equally as vulnerable to reverse engineering) has an almost identical policy. The difference is that Google recommends an open source obfuscator (that lacks even the ability to break tools like Reflector) whereas Microsoft's approach is to ensure that all developers have free access to a commercial obfuscation and instrumentation platform in Dotfuscator and Runtime Intelligence. For a more detailed comparison of Android and WP7 including links to their policies, visit http://apps-are-people-too.blogspot.com/2010/11/biting-hand-in-gift-horses-mouth.html and for a list of resources and an FAQ on Runtime Intelligence for Windows Phone, visit http://apps-are-people-too.blogspot.com/2010/11/you-cant-see-me-im-obfuscating-on.html

    To be clear - threats stemming from reverse engineering of managed code do not go away with obfuscation - (not for Java, .NET, or Mono) but the controls and technologies to mitigate these risks are well understood. For a broader discussion on measuring the materiality of these risks and variety of controls that are available, here is an ISSSA Journal arcticle - http://www.preemptive.com/images/stories/white_papers/Risks_Unique_to_Java_and_NET_ISSA1109.pdf

  • Cpap Mask

    11/17/2010 11:02:49 PM | Reply

    Thanks for sharing info. Keep up the good work...We hope you will visit our blog often as we discuss topics of interest to you.

  • nick

    11/18/2010 1:57:21 AM | Reply

    Sebastian

    I know only too well how weak the ip protection story is in the Android space - we endured an hour long session at the recent Google technology user group here in Sydney talking about how to protect applications from being copied and distributed outside of the Android app store. Their answer was essentially obfuscation too.

    The point in my post was that for Microsoft to come out and say that they are doing as much as they can to protect the IP of developers building for the Windows Phone 7 platform is absolute rubbish. Whilst there may be time/resource constraints on how they've implemented it initially, it's far from the best they can do. As I pointed out, at a minimum the xap files should be encrypted - all users have to sign into their device using a Windows Live Id prior to accessing the marketplace so there is a way to authenticate users which is the first step in establishing a secure channel over which the xaps can be passed. To have them freely available for anyone to download at [b]any[/b] time is just poor architecture decisions imho.

Pingbacks and trackbacks (1)+

Loading