Download!Download Point responsive WP Theme for FREE!

WP Devs: You May Want to Lock Down Your XAPs [updated]

I just surveyed the Windows Phone piracy scene to see if developers of paid apps were doing an effective job staving off piracy yet — they’re not. Especially now that Microsoft has signed off on sideloading, particularly for those trying to make a living out of developing, also for those who care more as a point of pride, this may be worth addressing further.

The communities and gangs of pirates are very clever, determined and prolific, and sadly Windows Phone is no exception to what they target. I looked up several paid WP apps published somewhat recently and found apparently cracked versions circulating for all of them, including two security-related apps. All cracked apps’ versions were up to date, matching the latest release the respective vendors reported as being the most recent release. Needless to say, zero improvement over when I did this several months ago. I’d like to find a popular app that hasn’t been cracked to ask the developer how he did it but I can’t.

Having gotten the point, I switched gears to looking up ways for developers to mitigate the threat. I say mitigate because, apparently, none of these mechanisms are bulletproof, and depending on the angle you take to fight theft, the more aggressive you are, the greater a nuisance you create for your paying customers. That’s true with everything. In Microsoft’s Windows Phone Marketplace Anti-Piracy Model, while noting that code obfuscation and all other techniques are not perfect, Microsoft advises that you use Dotfuscator which, though third party, is sanctioned by Microsoft.

There are a few versions of the software. Dotfuscator Community Edition comes with Visual Studio, but judging by it being standard issue and the abundance of cracked apps as well as the feature comparison between it and its expensive cousin, it’s ineffective. If you want the price of the Professional version, you’ll have to request a quote but the numbers I’m finding of what people reported as having been quoted are in the neighborhood of $1500, but who knows. As for request-a-quote pricing sounding like a whole lot of dough for phone app piracy mitigation, in making any “investments in leak prevention systems” Microsoft advises you to conduct your own cost-benefit analysis. Sigh.

Go here for a feature comparison of the free and costly version and also to ask them for a quote. Basically, the free version, which you may already have if you’ve got VS, makes some effort to confound decompilers, whereas the other one tries even harder and offers interesting features outnumbering the free version by four to one like doing whatever you specify upon tamper detection as well as watermarking to track down the pirates. They claim it doesn’t increase your program’s size or slow things down. Yet it seems they failed to keep an apparently cracked version of their own anti-piracy software from being pirated. I believe that’s called irony – or a booby trap.

There are free tools out there for which I found recommendations, also general guidelines including “don’t bother,” but I’ve seen no evidence that anything works and as these other tools are not sanctioned by Microsoft and as I am neither a developer nor a Windows Phone guy myself, not my place to name them, but if you are deep in the scene and you can offer your fellow brothers advice, hook each other up in this thread. Names, links, tips, whatever you got. What would be particularly valuable is if any of you have a relatively popular app for which you used some tool to protect and so far have had success, or failure for that matter. Feel free to direct comments at Microsoft as they read MobilityDigest regularly.

The material out there is pretty dated and with Mango rolling out let’s freshen up the information. That Microsoft advisory for example is almost a year old. Thanks fellas, sorry to bum you out and good luck with your work.

Doug Simmons

Update: Leon Zandman clarified that the Dotfuscator of interest to you by PreEmptive Solutions is Dotfuscator Windows Phone Edition and gave a link to Brandon Watson’s announcement that Microsoft is providing PreEmptive’s Runtime Analytics to Windows Phone on the house indefinitely, the original announcement for which indicates that both sets of software, while not the professional version, are free. Leon moves on to note that Microsoft should take on the responsibility of securing various holes in the Marketplace with greater zeal. Leon also underscores that this software is indeed sanctioned by Microsoft and not from some lone-wolf ragtag operation. Right on Leon, thanks.

9 Comments