I have been playing with the Windows Phone 7 SDK for a while now, however I have been lucky to still have a day-job while doing my tinkering and therefore haven’t sourced my main income from sales in the WP7 marketplace. There are others who don’t have the same luxury as me and have bet a considerable amount of their time on the platform to date. Whether these developers are aware of it or not they are fighting a silent battle that I want to bring more awareness to – a problem that every smart phone ecosystem has faced to date: Piracy.
This problem is a worry as it affects Windows Phone devices more than some other platforms as we write our applications in languages that can easily be decompiled: get an app’s binaries, and you have mapped the apps very genome, its source code. A problem which once done is out there forever – if people get your app’s code or resources now, the game is up even if Microsoft releases a fix in the future. Hopefully by raising more awareness of this, together we can challenge Microsoft to put more effort into this area moving forward.
NOTE:
I need to be really clear before I start. This post does not promote piracy on the Windows Phone 7 platform. I personally develop apps for Windows Phone 7 and have a vested interest in the platform’s success. Hiding facts that are publically available does not increase this behaviour but it definitely brings it out of the shadows for all to see (and implement change).What I am trying to do is bring up a topic that is not a new one for Windows Phone but appears to have been un-addressed by Microsoft since 2010. This issue can’t go away until more effort is made in this area or the problem will only get worse as time goes on.
On a side note, I also tried to contact a number of people at Microsoft to get their view before posting this post however, after a week or trying, I am yet to hear from anyone.
What this post will cover:
- Piracy on Windows Phone 7: It exists, and more attention needs to be given to it.
- How to pirate a Windows Phone 7 app.
- A closer look at how the piracy app I'm using works.
- What can you as a developer do about this problem on your apps.
Piracy on Windows Phone 7
All of the smartphone “walled gardens” share one thing: Piracy. Apple being the leader in this space with the iOS platform and knows this better than any of us; People have been pirating iPhone games for years with some stats showing that for every app sold 10 more are pirated on the IOS platform.
Windows phone 7 has been no different, with WP Central reporting that piracy was easily achievable way back in 2010. There have been many such reports since then. There is still little or no blocks in someone’s way from firstly side loading apps easily onto devices (be they pirated or not) or more worryingly simply sniffing the Zune traffic and then downloading the XAP directly from Microsoft. It’s now nearly 2 years since this news first came to light and little appears to have changed; there are still apps out there that enable these same hacks to be conducted easily by the everyday lay person.
My large concern about this is the double whammy that is Piracy on WP7 - iOS apps are built in objective-c, which while not making iOS apps immune to decompilation; it does make the act of decompiling a lot more challenging for any would be pirates.
Windows Phone 7 apps don’t have anywhere near this level of complexity when it comes to decompiling the source code and assets that a game or app is made with. We build our apps using the .Net framework in any of its supported languages, which in turn gets compiled into an intermediate language (MSIL) that by its very nature is powerful because it’s not low level.
As I'm sure you are all aware, If you get a .Net framework assembly (.dll) and arm yourself with on of the multitude of decompilers on the open web, you very soon have a readable copy of a binary’s source code.
If you are a Windows Phone 7 developer this is all a little unnerving when you consider how much time and effort you’ve poured into your app.
Taking a closer look at the facts:
- Device owners can easily unlock their phones for side loading fun both legally and using hacks (even if semi legitimately done with something like ChevronWP7).
- Getting an unadulterated copy of an application or game’s XAP file is trivial (more on this in a sec).
- Once anyone has the XAP for your app, they can then easily grab your source code and resources, further allowing them to do what they want with it. Side load it for free, or extract your app’s resources for nefarious purposes.
My concern grows when I consider that in the last year there have been instances where pirates have downloaded an app’s XAP from the Windows Phone 7 marketplace, created a developer account and submitted the same app themselves (with Microsoft approving it). There has also been a case where pirates have downloaded an App, copied its contents and created a competing app with the original developers resources (in this case their Yoga video content, created by their wife…).
There is little we can do about the first or third step mentioned above, but I think Microsoft can do more about the second item – the ease of getting an apps package.
Is this really a problem?
Over the last few days I have been touching base with a few people in the community about this. Many have said similar things: prove this is a problem, and we’ll give it more thought.
One comment from Justin Angel (a Nokia principal engineer on WP7) said this:
While I must apologise before I go on in reply to Justin’s comment, as I’m not beating up on him personally, the view he mentions on piracy as “Prove it’s a problem” for a relatively new platform like Windows Phone is dead wrong.
If as developers we pour part of our lives into creating apps for a smart phone platform, we are often choosing to do so over another. If there is a feeling that the creators of your chosen platform care little for the security of your intellectual property, that’s a pretty good reason to not bother with it. This is especially the case with Windows Phone where it is so easy to reverse engineer an app to retrieve the app’s IP.
Justin’s stance does nothing to support the developers choice for Windows Phone 7 or allay any fears of current developers on the platform.
If I can download my app’s XAP and open it as a zip file this is what I see:
if I then decompile one of these binaries this is what I see… real code (if you haven’t obfuscated your apps code):
namespace InTheKnow.PhoneApplication { public class MainViewModel : INotifyPropertyChanged { private PropertyChangedEventHandler PropertyChanged; public ObservableCollection<GoogleAnalyticsAccount> Accounts { get; private set; } public bool IsDataLoaded { get; set; } public bool IsFirstTimeLoad { get; set; } }
This means that anyone getting my app potentially has my IP – whether the numbers of piracy are high today or not, this is a problem.
What the bad guys keep on the down low
If you do a Google search looking for Windows Phone 7 pirating, you’ll soon come across a few Windows desktop apps floating around that make the act trivial. I will not name them or link to them, but I will walk you through using one of them to download my personally developed Google Analytics app InTheKnow.
I have downloaded an app I found that touts itself as being a one stop shop for Windows Phone 7 pirating. It downloads, removes security and side loads all in one.
I have blocked out any branding from the screenshot below to make it harder for budding pirates reading this post to find it, but you can see from its interface that when I search for my app that it offers a similar experience to that of the Zune Marketplace client (I can only assume it uses the same web service endpoints).
Once I’ve search for my app and found the version that I want, a simple double-click is all that is needed to download it.
I decided at this point to do a little digging to see what the creators of this app were doing that was magical enough to get around my perception of the security Microsoft would have put in place for the marketplace.
Taking a look at this user journey using Fiddler, I became quite concerned.
None of the traffic coming or going was over HTTPS, and none of it consisted of anything but plain vanilla Http GET calls.
The app queries the Zune store using a search URL, which in turn returns a GUID along with all the store details for an app.
It then queries another URL using the returned app GUID, which returns XML containing the download URL for the app’s package.
If you copy and paste this last raw URL into a freshly started web browser (i.e. no session, no special headers), this downloads without hesitation. It’s just a plain old URL – you could email it or share it just the same.
The XAP you download only has one protection to it – an XML file that contains a signing signature. Something that you can find an easy way around with the help of another Google search – hell, the marketplace piracy tool I was using to write this post even would patch this for you upon download! How convenient…! *sarcasm*
Again to reiterate, all of the simple things Microsoft could have done:
No authentication occurs.
SSL is not used.
No special headers or HTTP tricks are used.
And that was that. I now had the XAP file for my app, without paying. And as only a cursory Google search will tell you, XAP’s aren’t hard to get the contents of – they are just zip files.
But you have to put it on your phone still, right?
At this point regardless of the fact that I now have the binaries and resources for my app (i.e everything there is to my app), if I was to side load this app on my phone I’d still need to have a developer registered phone, so that’s a hurdle right?
Wrong – the application I was using kindly came with a XAP uploader as well that works with non-developer unlocked devices. Two more clicks and I was done.
This sucks! What do I do to protect my apps
So Microsoft might not have the answers yet to the piracy problem, but there are things you can do to attempt to minimise the damage.
Obfuscate your code
Microsoft has teamed up with PreEmptive Solutions to package the Community Edition of their code obfuscation tool “DotFuscator” with Visual Studio. Pre-emptive has also released a full blown Windows Phone Version that is also free and can be downloaded from here that includes support for Silverlight XAML obfuscation as well.
These tools obfuscate the code in your binaries, so that once the bad guys get your XAP file they will find it harder to understand any code they decompile – any resources such as videos or images will still remain free to copy or edit though so keep this in mind.
It is worth noting that some obfuscation tools often can and do slow your app down.
Example of your code before Obfuscation:
private void CalcPayroll(SpecialList employeeGroup) { while (employeeGroup.HasMore()) { var employee = employeeGroup.GetNext(true); employee.UpdateSalary(); DistributeCheck(employee); } }
Example of your code after using Dotfuscator:
private void a(a b) { while (b.a()) { a = b.a(true); a.a(); a(a); } }
My advice: Obfuscate every app you submit to the marketplace.
Code checks
Some developers are using code that looks for the presence of DRM files in the app’s directory and if missing, launches the marketplace to purchase.
public static bool IsHacked() { try { #if DEBUG return false; #endif //scramble WMAppPRHeader.xml file name to make life a little harder in case of reverse engineering string fl = "xxxWxxxxMxxxxAxxxxpxxxpxxxPxRxxxxxHxxxxxxxexxxxxxaxxxxdxxxxxxxxerxxxxx"; fl = fl.Replace("x", string.Empty) + ".xml"; XDocument doc = XDocument.Load(fl); //is hacked, this file is missing or empty!!! return false; } catch (Exception) { MessageBox.Show("This app was pirated and is not safe to use, please download the original one from Marketplace."); var marketplaceDetailTask = new MarketplaceDetailTask { ContentIdentifier = PhoneHelper.GetAppAttribute("ProductID").Replace("{", string.Empty). Replace("}", string.Empty).Trim(), ContentType = MarketplaceContentType.Applications }; //ProcutdID will be changed after AppHub certification, so has to be read from manifest! //download Coding4Fun toolkit for this helper marketplaceDetailTask.Show(); return true; } }
You could consider the implementation of these techniques, but be warned: This can be touch and go as you risk making your application non-functional if Microsoft changes their DRM functionality or something out of the ordinary happens in the legitimate deployment of your app.
Summary
We cannot stick our heads in the sand any longer – if you are a member of the Windows Phone 7 team and are reading this, please help me raise this with your team members. I love the platform and want it to continue, but as a developer I need assurances that these things will get attention – not take years to fix as they appear to have to date.
A web service similar to the one suggested here, would be a great active validation technique that should limit the amount of effort the WP7 team put into it.
If Microsoft wants developers to invest time and money in creating apps for their platform, they have to have a good story when it comes to Piracy – currently this doesn’t appear to be the case.