Code Obfuscation and Windows Phone 7 Application Protection

Today most developers registered with the Windows Phone 7 developer program would have received an email entitled Windows Phone 7 App Protection that talks about how to protect the intellectual property within your Windows Phone 7 application. In actual fact it talks very little about this and more about how applications can’t be side-loaded (which we all knew anyhow). To draw a quote from the email:

“As a Windows Phone developer you can be assured that Windows Phone Marketplace is operating as designed in providing a level of protection that is in-line with industry practices and sufficient for our own valued content. You can learn about our protection model in the Windows Phone Marketplace Anti-Piracy Model white paper, which outlines our perspective on leak prevention and leak containment.”

To be honest, if by “industry practices” you mean that they’re going to publish your application so that it is readily available for anyone interested to download via a web browser, decompress and browse with Reflector, then we live in a wow-ful industry indeed. In the white paper they acknowledge that Windows Phone 7 applications are not encrypted in any way on the CDN – this makes it a 20 second job to locate, download and open any application posted on Marketplace.

They go on about how it’s not possible for someone to re-publish or side-load an application they have downloaded from Marketplace. To me the obvious elephant in the room is the fact that anyone can download your application and view your IP. This is a sad state of affairs and I for one hope that Microsoft have this well and truly on their radars for the first upgrade to Windows Phone 7.

Points to note:

– Don’t assume Microsoft will protect your intellectual property. You’re handing over your application for them to certify, which means you’re handing over valuable IP for a third party to review. In my mind that’s a BAD, BAD, BAD thing (irrespective of whether it’s available to everyone else).

==> Resolution – Store any valuable IP behind a service. This means that you can protect and/or change it as required.

– Don’t include application keys/tokens in your application – Windows Phone 7: Where to store that application key? NOT in the application (need I repeat this again?).

==> Resolution – Store app keys/tokens behind a service. Whilst not a perfect solution, it does make it slightly harder.

– Accessing XAPs off Marketplace can be done using a proxy (such as Fiddler) when you download an app to your phone via Zune. I won’t give away too much other than you need to look at the XML file that is retrieved, which discloses the direct download URL for the XAP.

==> Resolution – This information is posted here to put Microsoft on notice: this level of application protection is unacceptable. As a minimum I’d expect some form of encryption of XAPs on the wire and something like one-time download URLs for the XAPs. Don’t steal other people’s applications or IP – just because you can, doesn’t make it legal!
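Since a XAP is a plain zip and its assemblies are readable by anyone who fetches it, the practical check for the keys/tokens point above is to audit your own package before submission. The following is an added example, not code from the original post: a Python scanner that opens a XAP, pulls printable ASCII and UTF-16LE runs (C# string literals live in the assembly’s #US heap as UTF-16LE) out of each DLL, and flags long, digit-and-letter, high-entropy tokens as likely embedded secrets. The token heuristic and the fake assembly in `build_sample_xap` are constructed for this example; a real audit would run `scan_xap` over the XAP produced by your build.

```python
import io
import math
import re
import zipfile
from collections import Counter

# Heuristic for an embedded key: 20+ key-like chars, no whitespace, letters and digits mixed, high entropy.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_\-+/=]{20,}")
MIN_ENTROPY = 3.5

def shannon_entropy(s: bytes) -> float:
    """Bits per symbol of s; 0.0 for empty input."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_like_secret(s: bytes) -> bool:
    return (TOKEN_RE.fullmatch(s) is not None and re.search(rb"[A-Za-z]", s) is not None
            and re.search(rb"[0-9]", s) is not None and shannon_entropy(s) >= MIN_ENTROPY)

def printable_runs(blob: bytes):
    """Yield printable runs: plain ASCII, and UTF-16LE as stored in a .NET #US heap."""
    for m in re.finditer(rb"[\x20-\x7e]{20,}", blob):
        yield m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){20,}", blob):
        yield m.group().decode("utf-16-le").encode("ascii")

def scan_xap(xap_bytes: bytes) -> list:
    """Return (assembly, suspected secret) pairs found inside a XAP package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:  # a XAP is an ordinary zip
        for name in xap.namelist():
            if name.lower().endswith(".dll"):
                for run in printable_runs(xap.read(name)):
                    for tok in TOKEN_RE.findall(run):
                        hit = (name, tok.decode("ascii"))
                        if looks_like_secret(tok) and hit not in findings:
                            findings.append(hit)
    return findings

def build_sample_xap() -> bytes:
    """Constructed stand-in for a XAP: a zip with a fake DLL carrying UTF-16LE string literals."""
    literals = ["Welcome to the application", "k7Qz9vX2pLm4Ws8RtB1nYcHJ3fD6"]  # UI text, constructed key
    fake_dll = b"MZ\x90\x00" + b"\x00" * 12
    for lit in literals:  # #US-heap style: length byte, UTF-16LE chars, terminal byte
        fake_dll += bytes([len(lit) * 2 + 1]) + lit.encode("utf-16-le") + b"\x00"
    fake_dll += b"\x00System.Collections.Generic\x00api_key_label_for_settings\x00"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("MyApp.dll", fake_dll)
    return out.getvalue()
```

Running `scan_xap(build_sample_xap())` reports only the constructed key; the UI text, the namespace name and the digit-free label pass the heuristic untouched, which is the false-positive behaviour you want before wiring this into a build step.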
