ChevronWP7: Community Enabler or Jailbreaking Tool?
There has been a lot of debate regarding the recently released ChevronWP7 tool by Rafael Rivera, Chris Walsh and Long Zheng. The debate centres on the intent of this tool – some say that it amounts to a tool that can be used to jailbreak a Windows Phone 7 device, others (including the authors) insist this is just enabling functionality that is already available with any Windows Phone 7 device.
Personally I am somewhere in the middle – I don’t see this as a jailbreaking tool since it doesn’t permit any access to the inner workings of the device, it just allows applications to be sideloaded. On the flip side, I don’t agree with the argument that they are just enabling functionality that ships with the device – if that was the case then Microsoft would publish a similar tool and not require the registration with marketplace. Sorry boys, Microsoft sets the rules, if you don’t like them then I’d suggest running amok with Android or Windows Mobile….
With that said, I do like one of the intents behind the tool, which is to simply discover more about the inner workings of Windows Phone 7. But again, if this was truly one of the objectives, then why did they decide to obfuscate the code…..
Code Obfuscation and Windows Phone 7 Application Protection
Today most developers registered with the Windows Phone 7 developer program would have received an email entitled Windows Phone 7 App Protection that talks about how to protect the intellectual property within your Windows Phone 7 application. In actual fact it talks very little about this and more about how applications can’t be side loaded (which we all knew anyhow). To draw a quote from the email:
“As a Windows Phone developer you can be assured that Windows Phone Marketplace is operating as designed in providing a level of protection that is in-line with industry practices and sufficient for our own valued content. You can learn about our protection model in the Windows Phone Marketplace Anti-Piracy Model white paper, which outlines our perspective on leak prevention and leak containment.”
To be honest if by “industry practices” you mean that they’re going to publish your application so that it is readily available for anyone interested to download via a web browser, decompress and view using Reflector, then we live in a woeful industry indeed. In the white paper they acknowledge that Windows Phone 7 applications are not encrypted in any way on the CDN – this makes it a 20 second job to locate, download and open any application posted on marketplace.
They go on about how it’s not possible for someone to re-publish or side-load an application they have downloaded from marketplace. To me the obvious elephant in the room is the fact that anyone can download your application and view your IP. This is a sad state of affairs and I for one hope that Microsoft have this well and truly on their radars for the first upgrade to Windows Phone 7.
Points to note:
– Don’t assume Microsoft will protect your intellectual property. You’re handing over your application for them to certify, which means you’re handing over valuable IP for a third party to review. In my mind that’s a BAD, BAD, BAD thing (irrespective of whether it’s available to everyone else).
==> Resolution – Store any valuable IP behind a service. This means that you can protect and/or change it as required
– Don’t include application keys/tokens in your application – Windows Phone 7: Where to store that application key? NOT in the Application (need I repeat this again?)
==> Resolution – Store app keys/tokens behind a service. Whilst not a perfect solution, it does make it slightly harder
– Accessing xaps off marketplace can be done using a proxy (such as Fiddler) when you download an app to your phone via Zune. I won’t give away too much other than you need to look at the XML file that is retrieved which discloses the direct download URL for the xap.
==> Resolution – This information is posted here to put Microsoft on notice: this level of application protection is unacceptable. As a minimum I’d expect some form of encryption of xaps on the wire and something like one time download urls for the xaps. Don’t steal other people’s applications or IP – just because you can, doesn’t make it legal!
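The one-time download URLs asked for in the last point could work along these lines. This is an added sketch, not part of the original post and not how marketplace works; the URL layout, parameter names and app id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # server-side only; generated for this example
_redeemed = set()                      # used nonces; a shared store with expiry in production


def _sign(app_id, expires, nonce):
    # Bind the signature to the app, the expiry time and the nonce together.
    msg = f"{app_id}|{expires}|{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(app_id, now=None, ttl=120):
    """Build a download URL that expires after `ttl` seconds and works once."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    nonce = secrets.token_urlsafe(16)
    return (f"/download/{app_id}.xap?exp={expires}"
            f"&nonce={nonce}&sig={_sign(app_id, expires, nonce)}")


def redeem(url, now=None):
    """Validate a URL at download time. Returns (allowed, reason)."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        name = parts.path.rsplit("/", 1)[1]
        app_id = name[:-4] if name.endswith(".xap") else name
        expires = int(query["exp"][0])
        nonce, sig = query["nonce"][0], query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # Check the signature first so tampered values never reach the later checks.
    expected = _sign(app_id, expires, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if nonce in _redeemed:
        return False, "already used"
    _redeemed.add(nonce)
    return True, "ok"
```

A URL captured through a proxy after the legitimate download has completed is rejected as already used, and one that was never redeemed stops working once it expires.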
I just entered the Qantas club here in Brisbane on the way home from a fantastic weekend of Windows Phone 7 development with all the attendees of the Bizspark camp. I noticed that they’ve replaced all the computers in the lounge with Macs. After my initial cringe, I took a closer look and almost laughed out loud – they’re all running Windows 7. This seriously raises the question: who’s making the best hardware and who’s making the best software (ie the OS).
What’s more interesting is if you look at not only the desktop but also the phone space I think that Apple definitely excels in creating visually appealing and powerful hardware. Unfortunately the simpleton nature of their iOS operating system and the frustrating MacOS interface leaves a lot to be desired. It appears that Microsoft might be ahead in the desktop OS war at the moment and it’s anyone’s race in the mobile space at the moment. Perhaps we’ll see Windows Phone 7 running on an iPhone soon….. oh wait, that wouldn’t work since the iPhone is the only phone on the market with only one front facing button (good on Apple for insisting that users really only want a single button – just like the mouse on the desktop. As I said, it’s a simpleton design).
Windows Phone 7: Where to store that application key? NOT in the Application
Building Windows Phone 7 applications using Visual Studio 2010 and Expression Blend is so much easier than building for any other mobile platform it’s easy to get lulled into a false sense of security. For example to use the Bing Maps control you need to go and register in order to receive an application key that you use in order to remove the warning message that appears in the middle of the maps control. It’s simple to just add this directly into the application via Blend and walk away – job done. Wrong!
Let’s think about the implications of this. What you’ve done is enter an application key into your application, which is going to be distributed via marketplace to any number of devices. This application key identifies your application and permits you access to Bing Maps (which is free for WP7 applications). Now what happens if one of those devices is owned by a malicious user who has completed at least half a computer science degree? It’s highly possible that they can extract the contents of your application, retrieve the plain text key (that’s right, even if you obfuscate your code, chances are this application key is still going to be visible in plain text) and use it in their own applications. Now your account with Bing Maps is getting completely slammed and Microsoft come knocking on your door asking for money!
So, what did you do wrong? You followed the Microsoft samples blindly. You added a secret application key into an application where ALL the code is easily readable (there are countless threads on how to protect your IP within managed applications, and by far one of the safest is to put sensitive code in native code but of course you can’t do that with WP7 applications).
So, what can you do to fix it? Well it’s simple really….. don’t put the application key into the application in the first place. Right, but then how can we use for example the Bing Maps control? Ok, so this is the crux of the problem, there is no bulletproof way to do this given the application key model. The best you can do is to place the application key behind a service and then either request it each time the application needs it (no caching) or request it the first time and cache it. Not ideal but at least it adds a layer of indirection to wanna-be-hackers.
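A pre-submission check for the mistake described above: scan your own XAP (which is a ZIP archive) for the key before you publish it. This is an added example, not code from the original post; the key and the package contents are constructed, with the fake assembly holding the literal as UTF-16LE, the encoding .NET uses for string literals and the reason renaming-style obfuscation leaves them readable.

```python
import io
import zipfile


def find_embedded_secret(xap_bytes, secret):
    """Return (entry, encoding, offset) for each place `secret` appears in the package."""
    needles = {
        "utf-8": secret.encode("utf-8"),          # XAML, config and resource files
        "utf-16-le": secret.encode("utf-16-le"),  # string literals inside .NET assemblies
    }
    hits = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for info in xap.infolist():
            data = xap.read(info)  # decompressed entry contents
            for encoding, needle in needles.items():
                offset = data.find(needle)
                if offset != -1:
                    hits.append((info.filename, encoding, offset))
    return hits


def build_sample_xap(key):
    """Constructed stand-in for a real XAP so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as xap:
        # Key pasted into markup, as the designer would leave it.
        xap.writestr("MainPage.xaml", f'<my:Map CredentialsProvider="{key}" />')
        # Fake assembly: identifiers renamed to "a" and "b", literal untouched.
        xap.writestr("App.dll",
                     b"MZ\x90\x00" + b"\x00a\x00b" + key.encode("utf-16-le") + b"\x00")
        xap.writestr("WMAppManifest.xml", "<Deployment />")
    return buf.getvalue()


if __name__ == "__main__":
    sample_key = "CONSTRUCTED-KEY-0000-NOT-REAL"
    for name, encoding, offset in find_embedded_secret(build_sample_xap(sample_key), sample_key):
        print(f"{name}: key found as {encoding} at byte {offset}")
```

Run it against the XAP your build produces and fail the build on any hit; an empty result means the key is at least not sitting in the package as a plain literal.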
Pet Peeve: How to break the back button experience in Windows Phone 7
Over the past couple of weeks I’ve been downloading a number of the new Windows Phone 7 applications and one of the things that has come to annoy me is when developers think that they can outsmart the user. Microsoft has gone to great pains to include a dedicated hardware back button on all Windows Phone 7 devices. It has a very clear function which is to return the user to the previous experience. Within an application this typically means going back to the previous page or closing a modal style dialog/prompt. At the beginning of an application this means allowing the application to close, revealing the previous application (or the Start) the user was in.
Of course, there always has to be the one or two super-smart developers out there that think that the user might accidentally hit the back button. We don’t want the user to leave our application, in fact the more time we can get them to spend in the application the better, so let’s include a prompt confirming that the user does indeed want to exit the application. WRONG, FAIL, GO BACK, DON’T DO THIS.
As a user if I press the back button I want to go back. If I didn’t mean to leave the application I’ll launch the application again. If the application is any good this shouldn’t be a lengthy process, so even if the user accidentally pressed the back button, they will acknowledge that they made a mistake and so there is no foul. Getting in the way of what the user has explicitly instructed (ie by pressing the back button) the application to do is bad.
There is one exception to this rule: if there is unsaved data, you may want to prompt the user to either save, discard or cancel the operation. To be honest, even this should be avoided – there is no harm in temporarily saving what they were working on and having it available the next time they run the application.
Promoting your Windows Phone 7 application
So you’ve got your Windows Phone 7 application certified and it’s available for download via marketplace. You think you’re done? No, you’ve just started. With more applications appearing in the marketplace all the time it’s important that you continue to promote and advertise your application. To do this Microsoft have come out with a series of buttons that you can use to promote application downloads directly from the website.
Here is a sample of the various sized buttons in blue. There are versions of the button in English, French, German, Italian and Spanish and in blue, red and green. Download for Windows Phone 7 Button
Don’t forget to read the included readme and policy documents that come in the download. Also, for the format of the download link, check out the MSDN Documentation on How to: Link to Windows Phone Marketplace Content
Brisbane: Windows Phone 7 Start Up Camp
Brisbane: 13th-14th November
Now you have the skills – it’s time to use them to Build an app! The weekend workshop is all about you building something that you’d like to take to market. You can work by yourself or in teams; Microsoft’s Evangelists Dave Glover, Catherine Eibner and myself, plus a handful of local technical experts will be there to help you! At the end of the weekend, present your work to the judging panel of experts & investors to receive feedback & prizes.
To attend you must: Have AT LEAST 1 developer in your team that has attended the Skills Ramp Up Pre day or who already has experience in developing Applications for Phone 7. Be a member of Microsoft BizSpark (You will be asked to provide your BizSpark ID in your registration). www.microsoft.com/BizSpark
The Startup Camp is being held at Microsoft Brisbane Office.
- Theatre 2 | Level 9, Waterfront Place 1 Eagle Street Brisbane QLD 4000