So what’s the big deal? Well, it is apparently possible to download all the Windows Phone 7 application packages (the full XAP package) directly from Microsoft’s server without the need for the Zune Desktop software or a WP7 device. Several shady websites like this one have also appeared on the web to make this easy (thankfully Microsoft made them take down the links). The problem here is that the Zune software uses ATOM XML feeds to retrieve the application info, so it’s fairly easy to grab the direct link to the XAP package just by looking at the XML (the Marketplace comms don’t even use SSL). Once the XAP is downloaded, anybody can unzip it and have access to all the application’s assets and resources, and with the simple use of Reflector can even access the source code of the app.
Microsoft’s lame “solution” is to ask developers to use code obfuscator tools like DotFuscator on their apps before submitting them. Unfortunately this tool has only been available for a few days, so all developers who already submitted apps are kinda screwed for now, and obfuscating the app’s code isn’t going to change much anyway. Obviously the best solution would be to have the XAP encrypted, but this isn’t the case yet and Microsoft isn’t saying when (if ever) this will happen (it was talked about a while ago with regards to the old WM Marketplace, iirc). And just for your information: the XAP can’t be directly deployed to a retail WP7 phone but can be run in the emulator (though it should be fairly easy to strip the digital signature/certificate and recompile the code to deploy to a device). This is a messy situation, folks, and many developers aren’t happy about what is going on.
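For developers who want to see what their own package gives away, here is an added example (not from the original post or from Microsoft): a Python audit of a XAP that reads AppManifest.xaml, checks each listed assembly for an obfuscator marker, and lists the assets that ship in the clear regardless. The sample XAP is constructed in memory, and treating the `DotfuscatorAttribute` string as the marker is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
# Assumption: Dotfuscator-processed assemblies carry this type name as a marker.
OBFUSCATION_MARKER = b"DotfuscatorAttribute"


def build_sample_xap() -> bytes:
    """Constructed stand-in for a developer's own XAP (not a real app)."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="Demo" EntryPointType="Demo.App">'
        '<Deployment.Parts>'
        '<AssemblyPart x:Name="Demo" Source="Demo.dll" />'
        '<AssemblyPart x:Name="Lib" Source="Lib.dll" />'
        '</Deployment.Parts></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("Demo.dll", b"MZ\x90\x00 constructed bytes, no marker")
        z.writestr("Lib.dll", b"MZ\x90\x00 constructed " + OBFUSCATION_MARKER)
        z.writestr("Assets/levels.xml", "<levels><level id='1'/></levels>")
    return buf.getvalue()


def audit_xap(data: bytes) -> dict:
    """Report what a XAP exposes to anyone who unzips it."""
    report = {"unobfuscated": [], "obfuscated": [], "missing": [], "plain_assets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        root = ET.fromstring(z.read("AppManifest.xaml"))
        declared = [p.get("Source") for p in root.iter(DEPLOY_NS + "AssemblyPart")]
        for src in declared:
            if src not in names:
                report["missing"].append(src)
            elif OBFUSCATION_MARKER in z.read(src):
                report["obfuscated"].append(src)
            else:
                report["unobfuscated"].append(src)
        # Everything else ships as-is; obfuscation never touches these files.
        skip = set(declared) | {"AppManifest.xaml"}
        report["plain_assets"] = sorted(n for n in names - skip if not n.endswith("/"))
    return report


if __name__ == "__main__":
    print(audit_xap(build_sample_xap()))
```

Anything listed under `plain_assets` stays readable no matter which obfuscator is run over the assemblies, so secrets and licensed content should not ship there.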


