How secure is Windows Phone 7 app code?

A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.

A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.

Microsoft crafts shrewd apps plan for Windows Phone 7 launch

The MobileTechWorld Web site discovered that it was possible for registered developers with "unlocked" phones to download the basic code package, in Microsoft's XAP file format, directly from Microsoft's online servers, bypassing the company’s online Zune marketplace. The XAP "package" could then be subjected to a variety of well-known tools to break down the files into their constituent elements, including any data or intellectual property that the developer might want to keep hidden.

The ease of unpacking is due to the underlying foundation for Windows Phone 7 apps -- a version of Microsoft's .Net code framework. The application code runs in a virtual machine, which interprets it and makes calls to the underlying operating system. For WP7, the virtual machine is provided by either Microsoft Silverlight or Microsoft XNA Studio. From the outset, .Net applications, like those of other managed code environments such as Java (and by extension Android, among other mobile operating systems) have been easy to disassemble for experienced programmers.

“A WP7 XAP [pronounced ‘zap’] is nothing more than a zip file with an XML manifest in it,” says Kevin Hoffman, Windows developer and author. ".Net developers have always known that their applications…were subject to disassembly. Tools like ILDASM.EXE and Reflector have always allowed anyone with even a basic knowledge of .Net to crack open the file and, in many cases, read completely un-obscured source code."

Though .Net is unique to Microsoft, the overall application architecture is not. Pirated applications in the Android OS community are a long-standing problem, which some feel is getting worse. Google has taken a range of recent measures to make it more difficult. (See "Android software piracy rampant despite Google's efforts to curb.")

Microsoft quickly closed the particular XAP download loophole, which in any case was one that only registered developer phones, not the consumer WP7 handsets, could use. "It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of 'unlocked' phones in circulation, such as those that have been registered by a Marketplace developer via [the online developer portal] App Hub," Microsoft said in its response to the incident.

For novices, the ease with which their applications can be unpacked may be disquieting. Some online forums were filled with fulminations and outrage. But the same forums also showed that experienced .Net developers, like Hoffman, were well aware of the issue, which, as they pointed out, is not unique to Microsoft.

"This response seems to be pretty nonchalant considering Microsoft has just confirmed that, for a period, all 2,000 applications in marketplace could be downloaded and used by an unlocked device," wrote Pradeep Viswav, a Microsoft Student Partner pursuing a computer science and engineering degree, and a blogger at the site.

Not everyone agreed.

"[A]ny .Net developer that has a clue knows this and would obfuscate their program if they wanted to be a little more secure," writes Windows developer Bobby Cannon. "However even obfuscated code can be decompiled and ran on an unlocked device."

An unidentified programmer with Seles Games, identified on its Twitter and Facebook accounts as an WP7 game and apps developer, took issue with Cannon on two points, angry that the XAP files were unsecured to start with, and angry that the obfuscation tools have only just become available.

"This is not about whether a XAP can be decompiled," this coder wrote. "It is about, why would those XAPs ever be exposed via a web service call?? In other words, why are they exposed to the world so easily? Huge oversight on Microsoft's end, and this will rub a lot of developers the wrong way. Also, obfuscation tools were only released last week for Windows Phone 7. Many apps were released a month ago. Do the math!"

Another programmer, identified as Clint, sided with Cannon. "As a developer and one who has a product in the [Zune] Marketplace I would have been pretty naive to think that my app was protected in any shape or form," he wrote. "It is just the nature of things when it comes to software. I fully expect that someone at XDA or elsewhere will come up with a way to unlock a phone without being a developer. It is bound to happen at some point."

Microsoft recommends the use of a technique called code obfuscation, which uses a variety of techniques to make it harder for a hacker to decipher and recover the underlying source code. Opinions on its usefulness vary widely and sometimes wildly. In general, many programmers who use obfuscation see it as just one of the steps they can and should take to protect their applications, data, and intellectual property where protection is needed.

Microsoft just announced a partnership with PreEmptive Solutions, offering a new release of that vendor's Dotfuscator product, along with a set of analytics for measuring application downloads, performance and problems. The 4.9 release is being offered free to Windows Phone 7 developers until March 31. After that the vendor will charge the developer a monthly fee, less than $10, according to Microsoft. The vendor says developers are being offered the commercial grade product, not a less functional "community" version.

Details can be found at PreEmptive's product page and blog, with some additional links to other resources.

There are other obfuscation tools, such as Crypto Obfuscator from LogicNP Software.

"Obfuscation helps, but doesn't present an insurmountable obstacle," says Hoffman, voicing what seems to be a widely held view among many developers. "The only 100% reliable way to make sure that your app doesn't leak important information is not have that important information in your app."

Hoffman says the place for such information, including algorithms, codes, keys and so on, is in the cloud, not on the phone. If the app must store important information locally, it should be encrypted.

The design approach, he says, should embody the advice once given to him by a security consultant: "No matter how strong or high you build your walls, someone will always get in, or over. It's your job as a developer to make sure that when they do, there's nothing useful for them on the other side."

John Cox covers wireless networking and mobile computing for Network World.


Blog RSS feed:

Read more about anti-malware in Network World's Anti-malware section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftsmartphoneswirelessNetworkingsoftwarePhonesapplication developmentconsumer electronicsprogrammingAccess control and authentication

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

John Cox

Network World
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >




Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?