WP Devs: You May Want to Lock Down Your XAPs [updated]
I just surveyed the Windows Phone piracy scene to see if developers of paid apps were doing an effective job staving off piracy yet — they’re not. Especially now that Microsoft has signed off on sideloading, particularly for those trying to make a living out of developing, also for those who care more as a point of pride, this may be worth addressing further.
The communities and gangs of pirates are very clever, determined and prolific, and sadly Windows Phone is no exception to what they target. I looked up several paid WP apps published somewhat recently and found apparently cracked versions circulating for all of them, including two security-related apps. All cracked apps’ versions were up to date, matching the latest release the respective vendors reported as being the most recent release. Needless to say, zero improvement over when I did this several months ago. I’d like to find a popular app that hasn’t been cracked to ask the developer how he did it but I can’t.
Having gotten the point, I switched gears to looking up ways for developers to mitigate the threat. I say mitigate because, apparently, none of these mechanisms are bulletproof, and depending on the angle you take to fight theft, the more aggressive you are, the greater a nuisance you create for your paying customers. That’s true with everything. In Microsoft’s Windows Phone Marketplace Anti-Piracy Model, while noting that code obfuscation and all other techniques are not perfect, Microsoft advises that you use Dotfuscator which, though third party, is sanctioned by Microsoft.
There are a few versions of the software. Dotfuscator Community Edition comes with Visual Studio, but judging by it being standard issue and the abundance of cracked apps as well as the feature comparison between it and its expensive cousin, it’s ineffective. If you want the price of the Professional version, you’ll have to request a quote but the numbers I’m finding of what people reported as having been quoted are in the neighborhood of $1500, but who knows. As for request-a-quote pricing sounding like a whole lot of dough for phone app piracy mitigation, in making any “investments in leak prevention systems” Microsoft advises you to conduct your own cost-benefit analysis. Sigh.
Go here for a feature comparison of the free and costly version and also to ask them for a quote. Basically, the free version, which you may already have if you’ve got VS, makes some effort to confound decompilers, whereas the other one tries even harder and offers interesting features outnumbering the free version by four to one like doing whatever you specify upon tamper detection as well as watermarking to track down the pirates. They claim it doesn’t increase your program’s size or slow things down. Yet it seems they failed to keep an apparently cracked version of their own anti-piracy software from being pirated. I believe that’s called irony – or a booby trap.
There are free tools out there for which I found recommendations, also general guidelines including “don’t bother,” but I’ve seen no evidence that anything works and as these other tools are not sanctioned by Microsoft and as I am neither a developer nor a Windows Phone guy myself, not my place to name them, but if you are deep in the scene and you can offer your fellow brothers advice, hook each other up in this thread. Names, links, tips, whatever you got. What would be particularly valuable is if any of you have a relatively popular app for which you used some tool to protect and so far have had success, or failure for that matter. Feel free to direct comments at Microsoft as they read MobilityDigest regularly.
The material out there is pretty dated and with Mango rolling out let’s freshen up the information. That Microsoft advisory for example is almost a year old. Thanks fellas, sorry to bum you out and good luck with your work.
Doug Simmons
Update: Leon Zandman clarified that the Dotfuscator of interest to you by PreEmptive Solutions is Dotfuscator Windows Phone Edition and gave a link to Brandon Watson’s announcement that Microsoft is providing PreEmptive’s Runtime Analytics to Windows Phone on the house indefinitely, the original announcement for which indicates that both sets of software, while not the professional version, are free. Leon moves on to note that Microsoft should take on the responsibility of securing various holes in the Marketplace with greater zeal. Leon also underscores that this software is indeed sanctioned by Microsoft and not from some lone-wolf ragtag operation. Right on Leon, thanks.
To be fair, the piracy scene for Windows Phone is nothing compared to piracy on Android.
Starting with Mango, XAPs are encrypted, which helps quite a bit with the whole anti-piracy thing 😉
Doug,
You completely fail to mention that Microsoft and PreEmptive offer a FREE license for Dotfuscator Windows Phone Edition. So there should be no reason to not obfuscate your code.
Leon: I spent at least one paragraph explaining that Microsoft gives you the Community Edition bundled with Visual Studio and that there is another version which does a lot more that they, unless this is news I missed, don’t pay for, and apparently costs a lot, and given apparent lack of uncracked paid apps that I saw, whatever is the standard issue, along presumably with other common techniques (or combined), ain’t getting the job done.
Arktronic: All that seems to do is present an enticing challenge to a collection of people who like to crack such things it seems in exchange for bragging rights. I was hoping to drum up more tools and resources.
Silhouette: To be even fairer, this article and thread could be used as a resource for WP developers, which is the tone I was kind of going for, not a debate over which platform is less inviting to pirates somehow. But, point taken, so I suppose I ought to point out that piracy exists on every platform I’ve tooled around with, including over things like non-free proprietary plugins for otherwise free Linux administration utilities, and of course Android. I didn’t try to do the math but I imagine if I had I would find that not only is there more piracy on Android than on Windows Phone, there is disproportionately more piracy on Android. But this website has a disproportionately large WP audience.
This is an “ask the readers” bit. I’m asking you for help to produce information for developers who are interested in keeping their XAPs from being cracked and showing up on the piracy scene as the existing and commonly used methods are apparently quite ineffective. Or maybe the answer is just not to focus on piracy and let it get to you, just make your app and sell the thing, don’t drop a few grand or whatever on some Professional version of something that might not even work, or maybe use this in conjunction with that on top of the other thing.
@Doug Simmons: Yes, Microsoft has been bundling a Community Edition of Dotfuscator with Visual Studio for ages. And yes, it IS a limited version, with some pro features not available in that edition. But that’s for normal .NET development.
From your article’s title I gather your article is aimed at Windows Phone developers. And it looks like you totally missed the fact that Microsoft partnered with PreEmptive to offer developers a special version of Dotfuscator, called Dotfuscator Windows Phone Edition!
Members of the Windows Phone Developer program (App Hub) can get that special Windows Phone Edition of Dotfuscator, which is a full featured product that isn’t limited in any way (well, except for the fact that you can only use it to obfuscate Windows Phone apps and not normal .NET apps).
And that’s not all. You also get free access to the PreEmptive Runtime Intelligence for Windows Phone service, which enables you to monitor and analyze your Windows Phone apps. These are some powerful tools and are, again, totally free (and have been for nearly a year).
Here are some links you may find interesting:
http://www.preemptive.com/windowsphone7.html
http://windowsteamblog.com/windows_phone/b/wpdev/archive/2011/05/09/analytics-show-developers-want-more-preemptive.aspx
So, I hope you now understand that Microsoft offers pretty good tools for Windows Phone developers to protect and monitor their apps. That doesn’t mean they shouldn’t fix the current Marketplace holes. But developers are able to protect their IP using these tools.
Technically speaking, obfuscation does not in any way affect XAP piracy. The only thing it prevents (well, mitigates) is people decompiling the binaries to get the original source code. XAP piracy does not rely on decompilation of that code, and so obfuscation doesn’t matter in that case.
Now we’re talking, Leon. Thanks, I updated the article with your information.
@Arktronic: Yes, you are right. But it does help to protect intellectual property.
I find it very strange that Microsoft left such large holes in the Marketplace. Microsoft has indeed added XAP encryption. It was already present in the NoDo release. But since many people hadn’t even updated to NoDo, they couldn’t activate it. And even when activated it looks like there are still ways to remove this protection.
We use this code and it WORKS (no connection required, does not impact certification) !!!!
Tried with all major crack tools too 🙂
http://windowsphonegeek.com/tips/PROTECT-YOUR-Windows-Phone-APP-AGAINST–casual–PIRACY#