How Secure Is Windows Phone 7 App Code?
A recent glitch on Microsoft's download servers for brand new Windows Phone 7 applications has sparked widespread Internet chatter among developers and focused new attention on the best ways to protect smartphone apps from being hacked.
The MobileTechWorld Web site discovered that it was possible for registered developers with "unlocked" phones to download the basic code package, in Microsoft's XAP file format, directly from Microsoft's online servers, bypassing the company's online Zune marketplace. The XAP "package" could then be subjected to a variety of well-known tools to break down the files into their constituent elements, including any data or intellectual property that the developer might want to keep hidden.
The ease of unpacking is due to the underlying foundation for Windows Phone 7 apps -- a version of Microsoft's .Net code framework. The application code runs in a virtual machine, which interprets it and makes calls to the underlying operating system. For WP7, the virtual machine is provided by either Microsoft Silverlight or Microsoft XNA Studio. From the outset, .Net applications, like those of other managed code environments such as Java (and by extension Android, among other mobile operating systems) have been easy to disassemble for experienced programmers.
"A WP7 XAP [pronounced 'zap'] is nothing more than a zip file with an XML manifest in it," says Kevin Hoffman, Windows developer and author. ".Net developers have always known that their applications…were subject to disassembly. Tools like ILDASM.EXE and Reflector have always allowed anyone with even a basic knowledge of .Net to crack open the file and, in many cases, read completely un-obscured source code."
Though .Net is unique to Microsoft, the overall application architecture is not. Pirated applications in the Android OS community are a long-standing problem, which some feel is getting worse. Google has taken a range of recent measures to make it more difficult. (See "Android software piracy rampant despite Google's efforts to curb.")
Microsoft quickly closed the particular XAP download loophole, which in any case was one that only registered developer phones, not the consumer WP7 handsets, could use. "It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of 'unlocked' phones in circulation, such as those that have been registered by a Marketplace developer via [the online developer portal] App Hub," Microsoft said in its response to the incident.
For novices, the ease with which their applications can be unpacked may be disquieting. Some online forums were filled with fulminations and outrage. But the same forums also showed that experienced .Net developers, like Hoffman, were well aware of the issue, which, as they pointed out, is not unique to Microsoft.
"This response seems to be pretty nonchalant considering Microsoft has just confirmed that, for a period, all 2,000 applications in marketplace could be downloaded and used by an unlocked device," wrote Pradeep Viswav, a Microsoft Student Partner pursuing a computer science and engineering degree, and a blogger at the WMPowerUser.com site.
Not everyone agreed.
"[A]ny .Net developer that has a clue knows this and would obfuscate their program if they wanted to be a little more secure," writes Windows developer Bobby Cannon. "However even obfuscated code can be decompiled and ran on an unlocked device."
An unidentified programmer with Seles Games, identified on its Twitter and Facebook accounts as an WP7 game and apps developer, took issue with Cannon on two points, angry that the XAP files were unsecured to start with, and angry that the obfuscation tools have only just become available.
"This is not about whether a XAP can be decompiled," this coder wrote. "It is about, why would those XAPs ever be exposed via a web service call?? In other words, why are they exposed to the world so easily? Huge oversight on Microsoft's end, and this will rub a lot of developers the wrong way. Also, obfuscation tools were only released last week for Windows Phone 7. Many apps were released a month ago. Do the math!"
Another programmer, identified as Clint, sided with Cannon. "As a developer and one who has a product in the [Zune] Marketplace I would have been pretty naive to think that my app was protected in any shape or form," he wrote. "It is just the nature of things when it comes to software. I fully expect that someone at XDA or elsewhere will come up with a way to unlock a phone without being a developer. It is bound to happen at some point."
Microsoft recommends the use of a technique called code obfuscation, which uses a variety of techniques to make it harder for a hacker to decipher and recover the underlying source code. Opinions on its usefulness vary widely and sometimes wildly. In general, many programmers who use obfuscation see it as just one of the steps they can and should take to protect their applications, data, and intellectual property where protection is needed.
Microsoft just announced a partnership with PreEmptive Solutions, offering a new release of that vendor's Dotfuscator product, along with a set of analytics for measuring application downloads, performance and problems. The 4.9 release is being offered free to Windows Phone 7 developers until March 31. After that the vendor will charge the developer a monthly fee, less than $10, according to Microsoft. The vendor says developers are being offered the commercial grade product, not a less functional "community" version.
There are other obfuscation tools, such as Crypto Obfuscator from LogicNP Software.
"Obfuscation helps, but doesn't present an insurmountable obstacle," says Hoffman, voicing what seems to be a widely held view among many developers. "The only 100% reliable way to make sure that your app doesn't leak important information is not have that important information in your app."
Hoffman says the place for such information, including algorithms, codes, keys and so on, is in the cloud, not on the phone. If the app must store important information locally, it should be encrypted.
The design approach, he says, should embody the advice once given to him by a security consultant: "No matter how strong or high you build your walls, someone will always get in, or over. It's your job as a developer to make sure that when they do, there's nothing useful for them on the other side."
John Cox covers wireless networking and mobile computing for Network World.
Blog RSS feed: http://www.networkworld.com/community/blog/2989/feed
Read more about anti-malware in Network World's Anti-malware section.