How Secure is Windows Phone 7 App Code?
A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.
The MobileTechWorld Web site discovered that it was possible for registered developers with "unlocked" phones to download the basic code package, in Microsoft's XAP file format, directly from Microsoft's online servers, bypassing the company's online Zune marketplace. The XAP "package" could then be subjected to a variety of well-known tools to break down the files into their constituent elements, including any data or intellectual property that the developer might want to keep hidden.
The ease of unpacking is due to the underlying foundation for Windows Phone 7 apps -- a version of Microsoft's .Net code framework. The application code runs in a virtual machine, which interprets it and makes calls to the underlying operating system. For WP7, the virtual machine is provided by either Microsoft Silverlight or Microsoft XNA Studio. From the outset, .Net applications, like those of other managed code environments such as Java (and by extension Android, among other mobile operating systems), have been easy for experienced programmers to disassemble.
"A WP7 XAP [pronounced 'zap'] is nothing more than a zip file with an XML manifest in it," says Kevin Hoffman, Windows developer and author. ".Net developers have always known that their applications...were subject to disassembly. Tools like ILDASM.EXE and Reflector have always allowed anyone with even a basic knowledge of .Net to crack open the file and, in many cases, read completely un-obscured source code."
Though .Net is unique to Microsoft, the overall application architecture is not. Pirated applications in the Android OS community are a long-standing problem, which some feel is getting worse. Google has taken a range of recent measures to make piracy more difficult. (See "Android software piracy rampant despite Google's efforts to curb.")
Microsoft quickly closed the particular XAP download loophole, which in any case was one that only registered developer phones, not the consumer WP7 handsets, could use. "It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of 'unlocked' phones in circulation, such as those that have been registered by a Marketplace developer via [the online developer portal] App Hub," Microsoft said in its response to the incident.
For novices, the ease with which their applications can be unpacked may be disquieting. Some online forums were filled with fulminations and outrage. But the same forums also showed that experienced .Net developers, like Hoffman, were well aware of the issue, which, as they pointed out, is not unique to Microsoft.
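Because a XAP is a zip archive with an XML manifest, a developer can check before submission what anyone holding the package would be able to read. The following Python sketch is an added example, not code from the article or from Microsoft. The sample package, its file names and the marker keywords are constructed assumptions; WMAppManifest.xml is the WP7 manifest file name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "WMAppManifest.xml"              # WP7 application manifest name
MARKERS = ("password", "secret", "apikey")  # assumed audit keywords

def build_sample_xap() -> bytes:
    """Constructed sample: a tiny XAP-like zip, not a real application."""
    manifest = ('<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment">'
                '<App xmlns="" Title="DemoApp" Version="1.0.0.0"/></Deployment>')
    # .NET keeps string literals as UTF-16LE, so fake one inside the "assembly".
    fake_dll = b"MZ\x00\x00" + "ApiKey=constructed-value".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, manifest)
        z.writestr("DemoApp.dll", fake_dll)
        z.writestr("Settings.xml", "<settings><password>constructed</password></settings>")
        z.writestr("Background.png", b"\x89PNG")
    return buf.getvalue()

def audit_xap(data: bytes) -> dict:
    """List what a holder of the package can read and which entries contain markers."""
    report = {"title": None, "assemblies": [], "flagged": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as xap:
        for name in xap.namelist():
            body = xap.read(name)
            if name.lower().endswith((".dll", ".exe")):
                report["assemblies"].append(name)
            if name == MANIFEST:
                # Match on the local tag name so a namespaced manifest also works.
                for el in ET.fromstring(body).iter():
                    if el.tag.rsplit("}", 1)[-1] == "App":
                        report["title"] = el.get("Title")
            # Search both ASCII and UTF-16LE, the form string literals take in assemblies.
            lowered = body.lower()
            hits = [m for m in MARKERS
                    if m.encode("ascii") in lowered or m.encode("utf-16-le") in lowered]
            if hits:
                report["flagged"][name] = hits
    return report

if __name__ == "__main__":
    for key, value in audit_xap(build_sample_xap()).items():
        print(key, value)
```

Anything the audit flags is readable by whoever obtains the package, so such values belong on a server or behind obfuscation rather than in the shipped files.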