Windows Phone 7 developers – Obfuscate your app or have your source code stolen

By Tom Warren, on 12th Nov 10 3:57 pm with 7 Comments

Reports reveal that it’s possible to download all of the current Windows Phone 7 application packages and extract the source code from some of them.

MobileTechWorld revealed the issues in a blog post on Friday. The root cause is that XAP files, the format in which all Windows Phone 7 applications are packaged, can be downloaded from an ATOM XML feed. The feed powers Microsoft’s Zune software and allows would-be thieves to retrieve applications just by reading the XML. Once a XAP is downloaded, it’s possible to gain access to all of the application’s assets, resources and even source code with simple tools like Reflector.

Microsoft recommends that Windows Phone developers “obfuscate” their app code before submitting it to the Windows Phone Marketplace. The trouble is that early application developers who submitted their apps without obfuscation remain exposed. Tools to obfuscate the code have only recently been made available. Having access to the XAP files of applications also means that people are able to run them in the Windows Phone 7 emulator software. XAP files cannot be loaded directly onto Windows Phone 7 retail devices, however.

Developers have reacted angrily to the revelations. “I’m so disappointed with Microsoft,” said one in the comments on MobileTechWorld. “Oh yeah this is complete BS! Microsoft I feel screwed, screwed, screwed,” said another.

Winrumors has asked Microsoft for comment on the issues and at the time of writing has not received a response.

Update: Microsoft has issued the following statement:

“Microsoft evaluates instances where intellectual property may be exposed on a case-by-case basis to determine what, if any, action is warranted. It is important to note that applications obtained from a site like this cannot run on consumer retail devices. These application files are signed and will not run without modification. Such files would only run on the limited number of “unlocked” phones in circulation, such as those that have been registered by a Marketplace developer via App Hub.

Developers that are concerned about unauthorized access to, or use of, their application code always have the option of protecting their applications through the use of code obfuscation tools like the Dotfuscator product recently announced for Windows Phone 7 applications and currently available at no charge from PreEmptive Solutions.”

  • http://techvirtuoso.com Michael Stanclift

    I didn’t know Microsoft was so into open source software :)

  • GP007

    Didn’t they remove the d/l links or something yesterday?

    • Tom W

      From one of the websites yes but the damage has been done and the links are out there.

  • http://twitter.com/quentez Quentin CALVEZ

    Why can’t the XAP package download be available only to the WL IDs who purchased it? (seems like basic authentication to me…)

  • Aethec

    So what? You can disassemble C/C++ apps written for all operating systems, too – I don’t remember anyone crying about that.

    • Tom W

      Sure, but tools have been out there for developers large and small to protect against this. PreEmptive Solutions ONLY just released a free version.

  • http://twitter.com/ssholst Sebastian Holst

    In fact, Microsoft offers a significantly more robust and thorough mobile app protection and analytics solution than any other dev platform. I just posted a comparison of Android’s and Windows Phone policy and supporting technologies – in my view, MSFT has, in a few short weeks, far surpassed the other mobile app dev platforms in this context. http://apps-are-people-too.blogspot.com/2010/11/biting-hand-in-gift-horses-mouth.html