Reports reveal that it’s possible to download all of the current Windows Phone 7 applications packages and extract the source code from some of them.
MobileTechWorld revealed the issues in a blog post on Friday. The root cause is the ability to download XAP files, the type that all Windows Phone 7 applications are packaged in, from an ATOM XML feed. The ATOM XML feed powers Microsoft’s Zune software and allows would-be thief’s to retrieve applications just by reading the XML. Once the XAP is downloaded then it’s possible to gain access to all of the application’s assets, resources and even source code with the use of simple tools like Reflector.
Microsoft recommends that Windows Phone developers “Obfuscate” their app code before submitting it to the Windows Phone Marketplace. The trouble is early application developers who have submitted their apps without Obfuscation are in trouble. Tools to Obfuscate the code have only recently been made available. Having access to the XAP files of applications also means that people are able to run them in the Windows Phone 7 emulator software. XAP files cannot be loaded directly onto Windows Phone 7 retail devices however.
Developers have reacted angrily to the revelations. “I’m so disappointed with Microsoft” said one in the comments on MobileTechWorld, “Oh yeah this is complete BS! Microsoft I feel screwed, screwed, screwed” said another.
Winrumors has asked Microsoft for comment on the issues and at the time of writing has not received a response.
Update: Microsoft has issued the following statement:
“Microsoft evaluates instances where intellectual property may be exposed on a case-by-case basis to determine what, if any, action is warranted. It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of “unlocked” phones in circulation, such as those that have been registered by a Marketplace developer via App Hub.
Developers that are concerned about unauthorized access to, or use of, their application code always have the option of protecting their applications through the use of code obfuscation tools like the Dotfuscator product recently announced for Windows Phone 7 applications and currently available at no charge from PreEmptive Solutions.”