The current Windows Phone 7 Marketplace allows anybody to download an app's XAP package and look at its source code

So what’s the big deal? Well, it is apparently possible to download any Windows Phone 7 application package (the full XAP) directly from Microsoft’s servers without Zune Desktop software or a WP7 device. Several shady websites like this one have also appeared on the web to make this easy (thankfully Microsoft made them take down the links). The problem here is that the Zune software uses ATOM XML feeds to retrieve the application info, so it’s fairly easy to grab the direct link to the XAP package just by looking at the XML (the Marketplace communications don’t even use SSL). Once the XAP is downloaded, anybody can unzip it and have access to all of the application’s assets and resources, and with a tool like Reflector can even recover the source code of the app.


Microsoft’s lame “solution” is to ask developers to run a code obfuscator such as Dotfuscator on their apps before submitting them. Unfortunately this tool has only been available for a few days, so all developers who already submitted apps are kinda screwed for now, and obfuscating the app’s code isn’t going to change much anyway. Obviously the best solution would be to have the XAP encrypted, but this isn’t the case yet and Microsoft isn’t saying when (if ever) this will happen (it was talked about a while ago with regards to the old WM Marketplace, if I recall correctly). And just for your information: the XAP can’t be directly deployed to a retail WP7 phone but can be run in the emulator (though it should be fairly easy to strip the digital signature/certificate and recompile the code to deploy to a device). This is a messy situation, folks, and many developers aren’t happy about what is going on.
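A defender-side pre-submission check, added here and not part of the original post: since a XAP is a plain zip, a developer can unpack their own package and see exactly what a downloader would see. The audit below also scans for string literals that .NET stores as UTF-16LE in the assembly’s user-string heap, which a plain ASCII grep misses; the sample package, file names and the secret pattern are constructed for this example.

```python
import io
import re
import zipfile

# Constructed pattern for credential-looking literals (assumption: adapt per app).
SECRET_RE = re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[=:]\s*\S{8,}")


def build_sample_xap():
    """Constructed stand-in for a real XAP: manifest, a fake assembly, a config file."""
    dll = (b"MZ\x90\x00" + b"\x00" * 16 + b"Demo.Resources.AppStrings" + b"\x00" * 4
           + "ServiceUrl=http://example.invalid".encode("utf-16-le") + b"\x00\x00"
           + "ApiKey=SAMPLEKEY1234567890".encode("utf-16-le"))  # UTF-16LE like #US heap
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WMAppManifest.xml", "<Deployment><App Title='Demo'/></Deployment>")
        z.writestr("Demo.dll", dll)
        z.writestr("Config.txt", "ServiceEndpoint=http://example.invalid/api\n"
                                 "password=hunter2-constructed")
    return buf.getvalue()


def extract_strings(data, min_len=8):
    """Return printable runs from raw bytes, first ASCII then UTF-16LE."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def audit_xap(xap_bytes):
    """List every file shipped in the package and flag credential-looking strings."""
    report = {"files": [], "assemblies": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        for info in z.infolist():
            report["files"].append(info.filename)
            data = z.read(info.filename)
            if info.filename.lower().endswith(".dll"):
                report["assemblies"].append(info.filename)  # decompilable by Reflector
            for s in extract_strings(data):
                if SECRET_RE.search(s):
                    report["findings"].append((info.filename, s))
    return report


if __name__ == "__main__":
    for key, value in audit_xap(build_sample_xap()).items():
        print(key, value)
```

Anything the audit reports as a finding should move server-side behind a web service rather than ship in the package.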

  • Anonymous

    This is not a big problem. It is a HUGEEEE problem. I’m so disappointed with Microsoft.
    As for the Dotfuscator “solution”, I contacted PreEmptive Solutions to ask how much it costs. They made me a very generous offer: 2000 euros! WHAT? Seriously, who would spend 2000 euros to protect 1 dollar apps?!
    And don’t even mention the free edition of the program. It’s completely useless. Check the comparison:
    http://www.preemptive.com/products/dotfuscator/compare-editions

  • Anonymous

    No one said development was cheap.

  • http://twitter.com/emalamisura Eric Malamisura

    Oh yeah this is complete BS! Microsoft I feel screwed, screwed, screwed!!! Thanks!

  • Richardbk2

    For WP7 apps hosted on the marketplace, there is a free version of Dotfuscator available here http://www.preemptive.com/know-more/windows-phone-7. It has the functionality of the professional product, not the community version. You simply have to request the “WP7” license.

  • http://twitter.com/emalamisura Eric Malamisura

    Richard, that’s only free until March, after which point it costs money!

  • Sebastian

    Let me add some more context to Eric’s comment above – the current agreement between Microsoft and PreEmptive expires on April 1 (that’s true), BUT both parties are committed to extending the agreement in some form in order to continue to offer WP7 developers a low/no cost solution for both protection and analytics. This is NOT a try-buy scenario (not that there’s anything wrong with that either as far as mobile apps go).

  • Gfinzer

    Deep Sea Obfuscator will Obfuscate Windows Phone 7 Apps. It is way cheaper than Dotfuscator. That is what we are using.

  • Billspaulidng33

    This isn’t a Microsoft-specific problem. Reverse engineering someone’s code has been an issue for a long time across many platforms. Look at Flash: you have companies like Sothink that made a living off selling software to extract assets from a Flash FLA… which can be easily downloaded from any site.

  • http://twitter.com/ssholst Sebastian Holst

    Cheaper than free? sweet.

  • http://twitter.com/ssholst Sebastian Holst

    For those that may be interested to compare Android’s policy on if/when/how to obfuscate with Windows Phone’s, I have tried to lay it out in mostly tabular form here: http://apps-are-people-too.blogspot.com/2010/11/biting-hand-in-gift-horses-mouth.html. It also points to another article on managing the risks that stem from reverse engineering (either .NET or Java) apps.

  • Ewout Prangsma

    Wow, that’s cheap :-)

    You can purchase DeepSea Obfuscator for USD 299,-

    Ewout Prangsma
    http://www.deepseaobfuscator.com

  • http://twitter.com/joelmartinez Joel Martinez

    Guys, let’s keep things in perspective. There should be no trade secrets in a WP7 xap … just some databinding and some art. Anything that is a trade secret should reside in the cloud and accessed via web services. Anything else, you can protect with trademark and copyright law.

  • Bugagag

    “(thankfully Microsoft made them take down the links)”

    By the way, Microsoft did nothing to take links down from the website: http://winmobile7.apphab.com.
    Microsoft don’t give a shit about developers.

  • Anti Bugagag

    @Bugagag – You dickhead. How about providing constructive feedback instead of spouting that same old tired shit? What a freaking moron you must be.

  • Johnny

    Good for you. Switch to Android.

  • Meeeee

    Developers are unhappy?? How about going to the iPhone or Android, where you don’t even require a PC to pirate apps. How can someone even develop something and expect it not to be pirated? Stupid developers tbh.