Editors’ Comments UPDATED:
Some of the press out there seems to be trying to use my article (the one below) as something to point to that suggests Windows Phone 7 is not secure. This, in my opinion, may be an attempt to slow Windows Phone 7 sales, which are, to say the least, incredible. (Quoting an old commercial: “what’s in your wallet”, or who in this case. Hint: the usual anti-Microsoft crowd.) I’d also like to thank some of the press who read my blog and alerted me by email to the fact that this is going on. I wasn’t paying attention to all of this because it is the Thanksgiving holiday.
As I point out in the article below, security is always a relative thing. The actual reality of this is that Windows Phone 7 (as a platform) is very secure. The mechanisms it has in place (not relating to the code obfuscation that I am speaking of below) make code and software as secure as on any other phone platform out there. Let’s remember that the Apple iPhone coined the term “Jailbreak”, and similar software is said to exist out there on Android phones.

So before people start massive hysteria on a jailbreak type product for Windows Phone 7 here called “Chevron WP7” remember that we have all been here before on Android and Apple phones and that many more people still use them than the installed base of Windows Phone 7 users out there (as of this writing).
Ask yourself, how many times do you get a security update on Windows Update or Apple Software Update or other platforms out there on your PC or Macs? Phones, being computers, get updates too. Microsoft has a facility to download new updates right in Windows Phone 7 that works from inside your Zune Sync software for the phone and can “re-flash” your phone with later updates as Microsoft deems necessary. I used this on a prototype phone during the beta and it worked very very well.
On ChevronWP7:
Quoting Rafael Rivera, Chris Walsh, Long Zheng
“ … All Marketplace application XAP packages are sufficiently protected so that you cannot sideload to run them on any unlocked device (official or with our tool). We have no intentions or knowledge to break that protection.
(You can still run legitimately purchased and downloaded applications after unlocking)..”
My own clarification for the press on Windows Phone 7 Security
I am very secure in the fact that Windows Phone 7 is a very safe platform, and will continue to be so. I use a Windows Phone 7 myself. If I didn't feel the relative safety in place with it, I wouldn't own it or use it myself. If you look at Microsoft's long history you will see that they have done a great job and continue to do a great job of taking care of any plugs in security, and I am not a security expert today by any means. This issue with code obfuscation has existed for years in all versions of .NET. It isn't code obfuscation that keeps people from hacking. The other infrastructure that Microsoft provides as part of the interfacing to the phone does. I won’t go into detail on anything I’d know or not know here as I wouldn’t want it to be any less secure. Disclosure: I have my own very vested interest in seeing this platform (Windows Phone 7) succeed. I have several apps in development myself.
My Original Article:
Code Obfuscation on Windows Phone 7
I think code obfuscation (scrambling the code bits) on any version of .NET may be less secure than native code (this includes all versions of Windows); it doesn't stop tools like Reflector or a person familiar enough with CLI/CLR code. I am not Microsoft, but I know from personal experience they have a lot of safeguards in place. I can't mention what I think may be those safeguards because it would make it less safe.
I am just saying that I personally believe code obfuscation doesn't work, and I would never waste my time using it or buying a tool to do so (if the tool just did that).
We all know that CLR/CLI code works the same way on all .NET platforms. PreEmptive Solutions is now offering a solution that Microsoft also seems to be promoting on their blogs. We all know that managed code security is always a relative thing as well.

This company is offering what they call a commercial grade obfuscator.
It offers the following advantages over other obfuscators, including:
- patented renaming
- control flow
- string encryption
- metadata removal
- obfuscation transforms
EDITOR’s Opinion: Maybe it’s best in class, but I still don’t believe in obfuscators being really helpful, because I am not worried about scrambling your own code; I am concerned about Microsoft’s. The approach I’d take is to look at the order and the code routines from my code that call Microsoft code. If you are smart enough to do this and track the calls to Microsoft code, you are probably smart enough to recode an entire Windows Phone 7 app in the first place.
For those who think I am off my rocker here…
Check out these articles and get back with me.
“Rewrite MSIL Code on the Fly with the .NET Framework Profiling API”
http://msdn.microsoft.com/en-us/magazine/cc188743.aspx
MSIL Tutorial
http://www.codeguru.com/csharp/.net/net_general/il/article.php/c4635/
Softalizer’s Spices Decompiler
http://ilcode.softalizer.com/
MSIL Decompiler Theory
http://www.codeproject.com/KB/msil/msil-decompiler.aspx
I am far from saying Windows Phone is insecure; in fact, it’s just the opposite. I just don’t think an obfuscator is really going to stop anyone who has a clue about IL code and CLR/CLI de-compilation. It’s a “why bother” for me.
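
The point in the Editor's Opinion above, that calls from app code into framework code stay readable after obfuscation, can be shown with a small model of the renaming transform only (control flow, string encryption and metadata removal are not modelled). This is an added example, not code from the original article or from any obfuscator vendor; the IL listing, the `Game.*` names and the `rename_pass` helper are constructed for illustration.

```python
import re

# Constructed, simplified ildasm-style listing for a hypothetical app method.
# References carrying an [assembly] scope point into framework code.
SAMPLE_IL = """\
.method public instance void Game.ScoreBoard::SaveScore(int32 score)
  call class [mscorlib]System.IO.IsolatedStorage.IsolatedStorageFile [mscorlib]System.IO.IsolatedStorage.IsolatedStorageFile::GetUserStoreForApplication()
  ldarg.1
  call string Game.ScoreBoard::FormatScore(int32)
  call uint8[] Game.Crypto::Protect(string)
  callvirt instance void [mscorlib]System.IO.Stream::Write(uint8[], int32, int32)
  callvirt instance void [mscorlib]System.IO.Stream::Close()
  ret
"""

# Member reference: optional [assembly] scope, dotted type name, "::", member.
MEMBER_REF = re.compile(r"(\[[\w.]+\])?([\w.]+)::(\w+)")
# A call instruction whose target lives in another assembly.
EXTERNAL_CALL = re.compile(
    r"^\s*(?:call|callvirt|newobj)\b.*?(\[[\w.]+\][\w.]+::\w+)\(", re.M)


def rename_pass(il):
    """Model of a renaming transform: only names the app itself defines change."""
    names = {}

    def replace(match):
        scope, type_name, member = match.groups()
        if scope:
            # External reference: it must still bind to the framework's
            # metadata at load time, so it cannot be renamed.
            return match.group(0)
        new_type = names.setdefault(type_name, "t%d" % len(names))
        new_member = names.setdefault(type_name + "::" + member,
                                      "m%d" % len(names))
        return "%s::%s" % (new_type, new_member)

    return MEMBER_REF.sub(replace, il)


def external_calls(il):
    """Ordered framework call targets that remain readable in the listing."""
    return EXTERNAL_CALL.findall(il)


if __name__ == "__main__":
    obfuscated = rename_pass(SAMPLE_IL)
    print(obfuscated)
    print(external_calls(obfuscated) == external_calls(SAMPLE_IL))
```

The app's own type and method names disappear, but the ordered list of framework calls is identical before and after, so renaming should not be counted on to hide anything that is expressed through those calls.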