Windows Phone 7: Translator Sample, an example in what not to do!

I’ve posted about this before but now I feel the urge to say it again following the Real Apps, Real Code post by Mark Hopkins (by the way I actually think this post and the use of samples is fantastic, I just like this example).

If you look at the Translator Starter Kit section there is a link to the Translator Starter Kit topic. Here the guidance suggests that you should get an AppID and add it into your application.


Surely they can’t be serious – DO NOT PUT APPLICATION KEYS INTO THE APPLICATION ITSELF. Application Keys/Ids are a web construct and work well when they’re in a configuration file on a server. If someone gets access to them then you’ve got bigger concerns than whether they’re going to be using your app key for some malicious purpose.

With an app key/id placed within your Windows Phone 7 application it’s about a 2-minute job for anyone with Fiddler and Reflector (after coughing up $35 to Redgate – talk about bad form!!!) to extract your Application key/id.

Unfortunately there is no holy grail for how you should deal with app keys/ids. Some solutions rely on them being placed on a server and then retrieved when the application is run; some solutions distribute parts of the app key/id throughout the application, making it hard for someone to extract it. Essentially it comes down to security by obscurity, which is not a great position to be in. When will the industry learn that app keys/ids are not the answer?
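As an added illustration (not code from the post or from the Translator Starter Kit), here is one variant of the server-side approach mentioned above, taken a step further: the AppID is never handed to the phone at all. The app talks only to your own endpoint, which holds the key in server configuration and calls the translator on the client's behalf, so the value that ships in the XAP is a revocable per-install token rather than the upstream key. The upstream call, the token store and the environment variable name are assumptions constructed for the example.

```python
"""Server-side proxy pattern for a third-party AppID (added example).

The phone app never sees APP_ID; it sends its request to our own endpoint,
which holds the key in server configuration and calls the upstream
translator on the client's behalf. Names and the upstream call are
constructed for illustration.
"""
import hmac
import os
import secrets

# Server-side secret: read from the environment / config file, never compiled
# into the client. The fallback value here is a constructed placeholder.
APP_ID = os.environ.get("TRANSLATOR_APP_ID", "PLACEHOLDER-APP-ID-not-a-real-key")

# Per-install tokens issued by our server when the app first registers; the
# server can revoke or rate-limit one abusive install without rotating the
# upstream AppID. Constructed sample store.
ISSUED_TOKENS = {"install-42": secrets.token_hex(16)}

def issue_token(install_id: str) -> str:
    """Register a new install and hand back its token (constructed store)."""
    ISSUED_TOKENS[install_id] = secrets.token_hex(16)
    return ISSUED_TOKENS[install_id]

def call_upstream_translator(app_id: str, text: str, to_lang: str) -> str:
    """Stand-in for the real translator API call (constructed, offline).
    This is where the server, not the phone, presents the AppID."""
    assert app_id == APP_ID  # the key is only ever used here, server-side
    return f"[{to_lang}] {text}"

def translate_for_client(install_id: str, token: str,
                         text: str, to_lang: str) -> dict:
    """Proxy endpoint: authenticate the install, bound the request, then
    call upstream. The response carries only the translation."""
    expected = ISSUED_TOKENS.get(install_id)
    if expected is None or not hmac.compare_digest(expected, token):
        return {"ok": False, "error": "unauthorized"}
    if to_lang not in {"en", "fr", "de", "es"}:   # only what the app needs
        return {"ok": False, "error": "unsupported language"}
    if len(text) > 1000:                            # bound abuse/cost per call
        return {"ok": False, "error": "text too long"}
    result = call_upstream_translator(APP_ID, text, to_lang)
    return {"ok": True, "translation": result}    # AppID never leaves the server
```

A leaked install token only lets someone use your proxy, within the limits you enforce there, and can be revoked on its own; a leaked AppID commits you to rotating the upstream key for every installed copy.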
