Massive Windows Phone 7 XAP Breach

As a bit of background, Windows Phone uses XAPs to deploy its applications. For those of us who used Windows Mobile, think of this as a CAB. In simpler terms – it’s a zip file that’s been renamed. If you have a valid XAP file on a developer-unlocked phone, you would be able to install and load the app/game. This morning a website was launched that hosts a lot of XAP files and even has a search feature to find the XAP of choice. We can verify that those are in fact legitimate XAP files for the most part. They are not properly signed, so a person with a developer-unlocked phone will not be able to simply deploy them (see the screenshot for the error), but simply renaming the file to zip lets you spill its guts. From there a developer can easily discover the original source code. That is, unless the developer has taken measures to obfuscate the code.

The goal of Windows Phone was to lock down the devices. But even in the most open of markets, theft (of either the app or the code) has to be prevented. It’s unclear how the XAPs were obtained, but we do know that Microsoft is aware of the site and the ramifications. To the devs out there, make sure you take steps to protect your code. To Microsoft, you have a problem you need to solve ASAP before it becomes a real issue.
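For developers who want to see what their own package exposes, here is an added example (not from the original post) that opens a XAP as the zip archive it is and reports the assemblies and stray files anyone holding the file could read. The sample package, the file names in it, and the list of "risky" extensions are constructed assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the Silverlight/Windows Phone AppManifest.xaml deployment manifest.
DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
# Assumption: file types a developer would not want inside a release package.
RISKY_EXT = (".pdb", ".cs")

def audit_xap(data: bytes) -> dict:
    """Report what anyone holding the XAP can read once it is treated as a zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as xap:
        names = xap.namelist()
        manifest = ET.fromstring(xap.read("AppManifest.xaml"))
    # Assemblies the manifest declares as part of the deployment.
    declared = [p.get("Source") for p in manifest.iter(DEPLOY_NS + "AssemblyPart")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    return {
        "entry_point": manifest.get("EntryPointAssembly"),
        "declared_assemblies": declared,
        # DLLs shipped in the archive but not listed in the manifest.
        "undeclared_dlls": sorted(set(dlls) - set(declared)),
        # Debug symbols or source files that ease recovery of the original code.
        "risky_files": sorted(n for n in names if n.lower().endswith(RISKY_EXT)),
    }

def build_sample_xap() -> bytes:
    """Constructed sample package (not a real app) so the example runs offline."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="SampleApp" EntryPointType="SampleApp.App">'
        '<Deployment.Parts>'
        '<AssemblyPart x:Name="SampleApp" Source="SampleApp.dll" />'
        '</Deployment.Parts></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("SampleApp.dll", b"MZ-constructed-placeholder")
        z.writestr("Helper.dll", b"MZ-constructed-placeholder")
        z.writestr("SampleApp.pdb", b"constructed debug symbols")
    return buf.getvalue()

if __name__ == "__main__":
    for key, value in audit_xap(build_sample_xap()).items():
        print(f"{key}: {value}")
```

Run it against your own release build before submission; every DLL it lists should be one you have obfuscated, and the risky-files list should be empty.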

Again, for now this won’t mean much to a lot of you. To the developers who care about their code, this is a big deal, and that has a trickle-down effect.

FYI, we will not be linking to the site with the XAP files, and we urge others not to share it either, since nothing positive can come out of it. MS is aware of this, and posting the site merely assists those who plan to use the files contained there.