Windows Phone 7 and app piracy - closer than we think [Security Whitepaper]
Walking the fine line between black and white hat security, XDA member V@l€n has gone and posted a detailed "security whitepaper" on the state of app piracy in the Windows Phone Marketplace.
We almost hate to write on the topic since it will attract claims of supporting piracy, but the fact is developers and Microsoft need to know just how vulnerable the platform is so that it can be improved on before it's a problem. And that's just it, right now there is no issue with app piracy for Windows Phone, but it is inching closer and once those few remaining hurdles are cleared, there will literally be a flood of pirated apps on the market.
But before we jump into all of that, lets detail exactly what is going on here. For better or worse, V@l€n has done a great job of outlining all the steps needed to make a ridiculous piracy campaign, showing all the necessary procedures that need to be cleared.
Follow us after the jump as we walk through this story...
As mentioned earlier, app piracy just does not exist yet in the Marketplace. But what V@l€n has done is given potential "black hat" developers a step by step guide on how to make such piracy happen. More importantly, V@l€n veers on advocacy here by wanting to "liberate" apps from Microsoft's "oppressive Featured Apps section" undermining his whiepaper's credibility in just preventing piracy. But putting aside judgment on motivation, lets look at the crux of the issue.
The steps needed to break down Microsoft's security is summarized as follows:
- Download all the apps from the Marketplace: done (or can be done)
- Seed those apps in a torrent for peer to peer distribution
- Circumvent the 10 sideload app limit: done (see here)
- Enable a disabled app: tricky, but can be done, no method to do it en masse
- Get around code obfuscation (not mentioned by V@l€n, we'll do it for him)
- Remove XAP security signature: needs work
Like we said, V@l€n doesn't seem aware that the 10-sideloaded app limit has already been breached, nor does he mention any potential use of code obfuscation which Microsoft is openly advocating and offering to developers for free.
Still, as can be seen above, the road to a completely open and hacked Marketplace is not that far off and in fact, seems within reach if and when more developers (black and white hat) begin tampering with the OS and development tools. None of this is unusual for any new OS and there is no 100% foolproof solution (iOS is cracked wide open and there is even a pirated app store for the platform that makes stealing software as easy as buying legit).
The real question is this: Is Microsoft prepared for this and do they have extra security features waiting in the wings to either prevent or quickly ameliorate any such security breach when it happens?
That we don't know and is what should concern commercial developers.
Source: XDA Forums; Thanks, V@l€n, for the info