How secure is Windows Phone 7 app code?

A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.

A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.

Microsoft crafts shrewd apps plan for Windows Phone 7 launch

The MobileTechWorld Web site discovered that it was possible for registered developers with "unlocked" phones to download the basic code package, in Microsoft's XAP file format, directly from Microsoft's online servers, bypassing the company’s online Zune marketplace. The XAP "package" could then be subjected to a variety of well-known tools to break down the files into their constituent elements, including any data or intellectual property that the developer might want to keep hidden.

The ease of unpacking is due to the underlying foundation for Windows Phone 7 apps -- a version of Microsoft's .Net code framework. The application code runs in a virtual machine, which interprets it and makes calls to the underlying operating system. For WP7, the virtual machine is provided by either Microsoft Silverlight or Microsoft XNA Studio. From the outset, .Net applications, like those of other managed code environments such as Java (and by extension Android, among other mobile operating systems) have been easy to disassemble for experienced programmers.

“A WP7 XAP [pronounced ‘zap’] is nothing more than a zip file with an XML manifest in it,” says Kevin Hoffman, Windows developer and author. ".Net developers have always known that their applications…were subject to disassembly. Tools like ILDASM.EXE and Reflector have always allowed anyone with even a basic knowledge of .Net to crack open the file and, in many cases, read completely un-obscured source code."

Though .Net is unique to Microsoft, the overall application architecture is not. Pirated applications in the Android OS community are a long-standing problem, which some feel is getting worse. Google has taken a range of recent measures to make it more difficult. (See "Android software piracy rampant despite Google's efforts to curb.")

Microsoft quickly closed the particular XAP download loophole, which in any case was one that only registered developer phones, not the consumer WP7 handsets, could use. "It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of 'unlocked' phones in circulation, such as those that have been registered by a Marketplace developer via [the online developer portal] App Hub," Microsoft said in its response to the incident.

For novices, the ease with which their applications can be unpacked may be disquieting. Some online forums were filled with fulminations and outrage. But the same forums also showed that experienced .Net developers, like Hoffman, were well aware of the issue, which, as they pointed out, is not unique to Microsoft.

"This response seems to be pretty nonchalant considering Microsoft has just confirmed that, for a period, all 2,000 applications in marketplace could be downloaded and used by an unlocked device," wrote Pradeep Viswav, a Microsoft Student Partner pursuing a computer science and engineering degree, and a blogger at the site.

Not everyone agreed.

"[A]ny .Net developer that has a clue knows this and would obfuscate their program if they wanted to be a little more secure," writes Windows developer Bobby Cannon. "However even obfuscated code can be decompiled and ran on an unlocked device."

An unidentified programmer with Seles Games, identified on its Twitter and Facebook accounts as an WP7 game and apps developer, took issue with Cannon on two points, angry that the XAP files were unsecured to start with, and angry that the obfuscation tools have only just become available.

"This is not about whether a XAP can be decompiled," this coder wrote. "It is about, why would those XAPs ever be exposed via a web service call?? In other words, why are they exposed to the world so easily? Huge oversight on Microsoft's end, and this will rub a lot of developers the wrong way. Also, obfuscation tools were only released last week for Windows Phone 7. Many apps were released a month ago. Do the math!"

Another programmer, identified as Clint, sided with Cannon. "As a developer and one who has a product in the [Zune] Marketplace I would have been pretty naive to think that my app was protected in any shape or form," he wrote. "It is just the nature of things when it comes to software. I fully expect that someone at XDA or elsewhere will come up with a way to unlock a phone without being a developer. It is bound to happen at some point."

Microsoft recommends the use of a technique called code obfuscation, which uses a variety of techniques to make it harder for a hacker to decipher and recover the underlying source code. Opinions on its usefulness vary widely and sometimes wildly. In general, many programmers who use obfuscation see it as just one of the steps they can and should take to protect their applications, data, and intellectual property where protection is needed.

Microsoft just announced a partnership with PreEmptive Solutions, offering a new release of that vendor's Dotfuscator product, along with a set of analytics for measuring application downloads, performance and problems. The 4.9 release is being offered free to Windows Phone 7 developers until March 31. After that the vendor will charge the developer a monthly fee, less than $10, according to Microsoft. The vendor says developers are being offered the commercial grade product, not a less functional "community" version.

Details can be found at PreEmptive's product page and blog, with some additional links to other resources.

There are other obfuscation tools, such as Crypto Obfuscator from LogicNP Software.

"Obfuscation helps, but doesn't present an insurmountable obstacle," says Hoffman, voicing what seems to be a widely held view among many developers. "The only 100% reliable way to make sure that your app doesn't leak important information is not have that important information in your app."

Hoffman says the place for such information, including algorithms, codes, keys and so on, is in the cloud, not on the phone. If the app must store important information locally, it should be encrypted.

The design approach, he says, should embody the advice once given to him by a security consultant: "No matter how strong or high you build your walls, someone will always get in, or over. It's your job as a developer to make sure that when they do, there's nothing useful for them on the other side."

John Cox covers wireless networking and mobile computing for Network World.


Blog RSS feed:

Read more about anti-malware in Network World's Anti-malware section.

Join the CSO newsletter!

Error: Please check your email address.

Tags application developmentprogrammingNetworkingsecurityMicrosoftwirelesssmartphonesAccess control and authenticationPhonessoftwareconsumer electronics

More about Amazon.comAmazon Web ServicesFacebookGoogleMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John Cox

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts