Ideally, all Windows Phone 7 applications would come
from legitimate sources and behave like good citizens. Experience shows,
however, that many applications break those rules, and safeguards must
be in place to prevent such behavior. On the application security front,
the Windows Phone 7 platform includes safeguards that verify the identity
of an application's author and sandbox the execution of each application.
In the next few sections, you will explore these safeguards in detail.
1. Windows Phone Marketplace
The early years of Windows
XP were not happy ones at Microsoft. The whole world was upset with the
company for allowing its operating system to be exploited by multiple
malicious programs. Even though Windows XP shipped with safeguards that
could prevent those exploits, their activation was left up to the user,
and that activation rarely happened. What Microsoft quickly learned from
that experience was that it must take a lot of responsibility to
protect its user base from both known and potential malicious attacks.
Because mobile devices
contain huge amounts of personal information and by their nature are
frequently lost or misplaced, application monitoring is all the more
necessary. For Microsoft to assume this responsibility for Windows Phone
7 applications, it must have as much control as possible over the
applications built and deployed onto its platform, while still
encouraging developer creativity as much as possible. To facilitate this
dual goal of being autocratic and democratic at the same time,
Microsoft has created the Windows Phone Marketplace, the single online
distribution point for all Windows Phone 7 applications. The objectives
of Windows Phone Marketplace, and the way it achieves them, are described
in the following sections.
1.1. Non-repudiation: Proof of the Integrity and Origin of Data
The first objective of
Windows Phone Marketplace is to confirm the identity of an application's
author. In the Internet era, attempts to claim false identity are
extremely common—think about millions of e-mails processed daily that
claim to come from an online bank or an African prince. In a similar
fashion, without a centralized approval mechanism, any malicious Windows
Phone 7 application could claim to be genuine and capture the user's
personal information. In software security, the guarantee that an
application really came from the source it claims to have come from is
called authenticity; non-repudiation is the stronger guarantee that the
author, once identified, cannot later deny having produced it. On the
Windows Phone 7 platform, the origin and safety of applications are
confirmed during application certification, a required step for all
Windows Phone 7 applications. During application certification, the
developer submits her application to the Windows Phone Marketplace and
pays a fee, at which point Microsoft runs a series of automated and manual
tests to confirm the application's safety and, to some extent, its
reliability.
Currently, no application can be installed on a user's phone without
going through Windows Phone Marketplace. (Registered developers can unlock
their own phones and deploy applications to them directly for testing, but
that is a development path, not a distribution channel.) While there is a
possibility that this policy will be revisited in the future to allow
enterprise customers to bypass Windows Phone Marketplace, at the time of
this writing it is only a possibility. All Windows Phone 7 developers must
register with the marketplace and provide legitimate proof of their
identity before any application they create is made available for
installation on users' phones. Once their identity is verified,
application developers receive a code-signing certificate.
The signature this certificate produces on a published package verifies
that the application was created by the specified company or individual
and that it has not been modified since it was signed, fulfilling the
non-repudiation and integrity goals mentioned previously.
1.2. Intellectual Property Protection
Software piracy is a huge problem affecting both giants of software
development like Microsoft and small one-person shops trying to build
mobile applications. To help safeguard against piracy, Microsoft requires
that a valid application license issued by Windows Phone Marketplace be
present on the Windows Phone 7 device before it allows an application to
execute. This means that even if somebody figures out how to load an
application onto a device without going through Windows Phone
Marketplace, the application will not run, since the license for that
application will not be available on the device.
1.3. Safe Application Behavior
The Windows
Phone Marketplace application approval process includes a suite of
certification tests to prohibit risky applications from being loaded
onto users' phones. Risky applications may contain malware or viruses
themselves, or they may contain code constructs that could allow
malicious code execution.
All applications submitted to Windows Phone Marketplace are subject to
malicious software screening, which attempts to confirm that they are
free from viruses and malware. After those tests pass, additional tests
confirm that the application consists only of type-safe Microsoft
Intermediate Language (MSIL) code. Verifiably type-safe MSIL cannot
perform unchecked pointer arithmetic or write past the end of an array,
which rules out "public enemy #1," as Michael Howard and David LeBlanc
call the buffer overrun in their book Writing Secure Code. In addition,
an application must not contain any security-critical code: application
code runs as security-transparent under the platform's security
transparency model, so it cannot call native code or security-critical
platform APIs directly, and the Windows Phone Application Platform does
not allow an application to run security-critical code.
To get a better idea of how the
Windows Phone Marketplace submission process helps improve the security
of a user's device, let's walk through the steps involved in submitting
an application to the marketplace.
2. Submitting an Application to Windows Phone Marketplace
In this walkthrough, you will prepare a package for your application to
submit to Windows Phone Marketplace and learn about the steps involved in
successfully publishing an application to the marketplace, beginning with
the creation of an XAP file. Let's get started.
2.1. Generating an XAP Submission File
The submission file that Windows Phone Marketplace requires is an XAP
file, which is generated when the Windows Phone 7 application is built.
An XAP file is a zip archive containing everything the application needs
to run: its assemblies, XAML pages and resources, plus the two manifests,
AppManifest.xaml and WMAppManifest.xml. To generate an XAP file, you must
first build your application, as described in the following steps.
1. Open your Windows Phone 7 application project inside Visual Studio Express for Windows Phone.
2. Set the Solution Configuration option to "Release" if it presently isn't, as shown in Figure 1.
3. In Solution Explorer, right-click the name of the solution and select "Build." If the build succeeds, Visual Studio creates the ProjectName.xap file, where ProjectName is the name of your project.
4. Locate the ProjectName.xap file you created in Step 3: open Windows Explorer, navigate to the project's directory and then to its bin/Release/ folder. This is the file that you will upload to the marketplace.
The next step is to log in to Windows Phone Marketplace and submit the XAP file you just created.
2.2. Uploading the XAP File to Marketplace
Before uploading files to Windows Phone Marketplace, you must create Windows Phone Marketplace login credentials at http://developer.windowsphone.com/.
To do that, once you open the Marketplace web site, click the "Register
for the Marketplace" link and follow the step-by-step wizard to create
your username and password for the Marketplace. With login credentials
created, follow these steps to submit your application to the
marketplace.
1. When prompted, locate the XAP file that you created in the previous section (remember, it's in the bin/Release/ folder of the project's directory) and follow the instructions to upload it to the Marketplace.
2. Enter a description for your application, select its category and upload an icon for it.
3. Next, choose the countries in which you would like your application to be available and set the pricing.
4. While you are busy entering application details (description, category, pricing), Marketplace is at work validating the XAP file. This is the step that confirms that the XAP file is structurally valid and can be passed on for further testing of its reliability and security.
5. If basic XAP file validation fails, you will get a failure notification and will have to start the process over.
6. If validation succeeds, you will be presented with a screen that lets you make your application available to customers right away or wait until you decide to publish.
The automated process within Windows Phone Marketplace then opens the
submitted XAP file and updates the application manifest (WMAppManifest.xml)
with a unique product identifier and with the hub (for example, the Media +
Video hub) to which the application belongs. In addition, a header file
called WMAppPRHeader.xml is created; it carries the PlayReady licensing
information used to protect the rights to your application, as described
earlier under Intellectual Property Protection. Finally, the manifest's
list of security capabilities is rewritten to reflect the capabilities the
application's code actually uses (rather than whatever the developer
declared), and the application is repackaged into a new XAP file. This new
XAP file is then deployed to actual Windows Phone 7 devices at the
Marketplace for certification testing.
Certification
testing consists of both manual and automated verification that the
application complies with the rules set by Microsoft regarding content,
security, performance, and reliability of Windows Phone 7 applications.
If an application violates any of these provisions, it is not published
and you get a failure report with details of the problem-causing
behavior.
If the application
successfully passes certification tests, the XAP file is signed and
becomes available for installation from the Windows Phone Marketplace
according to the option you selected in Step 6.
NOTE
When you update your application, you will have to go through the same certification steps as the original application.
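The packaging and validation steps above, as an added example that is not from the original text and not Microsoft's tooling: a Python script that builds a minimal XAP in memory, performs the kind of basic structural validation the Marketplace runs first, and then performs the Marketplace-style manifest rewrite (fresh ProductID, Genre that selects the hub, replaced Capabilities list) into a new XAP. The sample manifest, the placeholder DLL and icon entries, and the particular checks are constructed for the example; the real validation rules and the WMAppPRHeader.xml generation are Microsoft's and are not reproduced.

```python
import io
import uuid
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "http://schemas.microsoft.com/windowsphone/2009/deployment"
REQUIRED_ENTRIES = ("WMAppManifest.xml", "AppManifest.xaml")

# Constructed sample manifest in the shape Visual Studio generates for a WP7
# project (assumption: placeholder ProductID, three declared capabilities).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="%s" AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp"
       RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal">
    <IconPath IsRelative="true" IsResource="false">ApplicationIcon.png</IconPath>
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>
""" % DEPLOY_NS


def build_sample_xap(manifest_xml):
    """Constructed stand-in for bin/Release/ProjectName.xap; the AppManifest,
    DLL and PNG entries are placeholders, not a real assembly or image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WMAppManifest.xml", manifest_xml)
        z.writestr("AppManifest.xaml", '<Deployment EntryPointAssembly="SampleApp" '
                   'EntryPointType="SampleApp.App" />')
        z.writestr("SampleApp.dll", b"MZ" + b"\x00" * 62)
        z.writestr("ApplicationIcon.png", b"\x89PNG placeholder")
    return buf.getvalue()


def _child(elem, name):
    """Direct child by local name, whichever namespace it was parsed into."""
    for c in elem:
        if c.tag.rsplit("}", 1)[-1] == name:
            return c
    return None


def validate_xap(xap):
    """Basic XAP validation: return the list of problems (empty means it passes)."""
    try:
        z = zipfile.ZipFile(io.BytesIO(xap))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    names = set(z.namelist())
    problems = ["missing %s" % n for n in REQUIRED_ENTRIES if n not in names]
    if not any(n.lower().endswith(".dll") for n in names):
        problems.append("no assembly in package")
    if "WMAppManifest.xml" in names:
        try:
            app = _child(ET.fromstring(z.read("WMAppManifest.xml")), "App")
            if app is None:
                raise ValueError("manifest has no App element")
            for attr in ("ProductID", "Title", "Version", "RuntimeType"):
                if not app.get(attr):
                    problems.append("App element lacks %s" % attr)
            icon = _child(app, "IconPath")
            if icon is None or icon.text not in names:
                problems.append("IconPath does not name an entry in the package")
        except (ET.ParseError, ValueError) as exc:
            problems.append("bad manifest: %s" % exc)
    return problems


def describe_xap(xap):
    """Summarize the manifest the way a reviewer or an installer reads it."""
    z = zipfile.ZipFile(io.BytesIO(xap))
    app = _child(ET.fromstring(z.read("WMAppManifest.xml")), "App")
    caps = _child(app, "Capabilities")
    return {"product_id": app.get("ProductID"), "title": app.get("Title"),
            "genre": app.get("Genre"), "entries": sorted(z.namelist()),
            "capabilities": sorted(c.get("Name") for c in (caps if caps is not None else []))}


def repackage(xap, capabilities, genre="apps.normal"):
    """Marketplace-style rewrite: fresh ProductID, Genre that selects the hub
    (apps.games puts the app in the Games hub), declared capabilities replaced
    by the supplied set, and a new XAP with every other entry copied through."""
    src = zipfile.ZipFile(io.BytesIO(xap))
    root = ET.fromstring(src.read("WMAppManifest.xml"))
    app = _child(root, "App")
    if app is None:
        raise ValueError("manifest has no App element")
    app.set("ProductID", "{%s}" % uuid.uuid4())
    app.set("Genre", genre)
    caps = _child(app, "Capabilities")
    if caps is None:
        caps = ET.SubElement(app, "Capabilities")
    for old in list(caps):
        caps.remove(old)
    for name in sorted(set(capabilities)):
        ET.SubElement(caps, "Capability", Name=name)
    # Keep the file in the shape Visual Studio writes it: the deployment
    # namespace as the default on the root, and App explicitly un-namespaced.
    ET.register_namespace("", DEPLOY_NS)
    app.set("xmlns", "")
    manifest = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, manifest if name == "WMAppManifest.xml" else src.read(name))
    return out.getvalue()
```

Calling `validate_xap(build_sample_xap(SAMPLE_MANIFEST))` returns an empty list; `repackage` on the same bytes with `["ID_CAP_LOCATION"]` yields a package whose manifest declares only that one capability and carries a new ProductID, which is the state the package is in when it reaches certification testing.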
3. Sandboxed Execution and the Execution Manager
"Sandboxed Execution" refers to the concept that each application runs in
its own environment, or sandbox, and has no access to applications
running in other sandboxes on the same device. Applications running on
the same Windows Phone 7 device are isolated from each other and can
reach services provided by the Windows Phone 7 platform only through
well-defined, standard mechanisms. System files and resources are
shielded from user applications. To store and retrieve application and
configuration data, applications must use Isolated Storage, a
per-application store that no application other than the one it belongs
to can read or write.
To further ensure the security and responsiveness of the Windows Phone 7
platform, Microsoft has built in separate provisions. These include the
Execution Manager, and granting an application only the rights it
absolutely requires to function.
The Execution Manager monitors application resource usage against
defined conventions. For instance, the Execution Manager may terminate an
application in the background if it finds that the application in the
foreground is becoming unresponsive. Similarly, it may terminate an
application that makes an excessive number of requests for phone
resources.
The Windows Phone Application Platform also minimizes the privileges
granted to an application. For instance, if an application does not
declare that it needs the location services library, Windows Phone
creates an execution environment for it that does not include the rights
to that library. A vulnerability in the application then gives an
attacker no more than the capabilities the application itself was
granted, which limits the damage a compromised application can do.
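As an added example of the least-privilege point (not code from the original text or from the SDK): a Python script that derives the capabilities an application's assembly actually needs from the namespaces and type names it references, compares them with what WMAppManifest.xml declares, and reports both over-declared rights (capabilities the code never exercises) and undeclared ones (calls that would fail on the device). The API-to-capability table is an assumption modelled on the SDK's capability detection tool rather than its complete list, the assembly bytes are a constructed stand-in, and reading the #Strings heap by splitting the file on NUL is a shortcut for walking the real metadata tables.

```python
import xml.etree.ElementTree as ET

# Representative API-to-capability pairings (assumption: modelled on the
# pairings applied by the SDK's capability detection tool, not its full
# table). Keys are (namespace, type name or None); the compiler stores the
# namespace and the type name as separate #Strings entries, so both must occur.
API_CAPABILITIES = {
    ("System.Device.Location", None): "ID_CAP_LOCATION",
    ("System.Net", "WebClient"): "ID_CAP_NETWORKING",
    ("System.Net", "HttpWebRequest"): "ID_CAP_NETWORKING",
    ("Microsoft.Devices.Sensors", None): "ID_CAP_SENSORS",
    ("Microsoft.Xna.Framework.Audio", "Microphone"): "ID_CAP_MICROPHONE",
    ("Microsoft.Xna.Framework.Media", "MediaLibrary"): "ID_CAP_MEDIALIB",
    ("Microsoft.Xna.Framework.GamerServices", None): "ID_CAP_GAMERSERVICES",
    ("Microsoft.Phone.Notification", None): "ID_CAP_PUSH_NOTIFICATION",
    ("Microsoft.Phone.Tasks", "PhoneCallTask"): "ID_CAP_PHONEDIALER",
    ("Microsoft.Phone.Controls", "WebBrowser"): "ID_CAP_WEBBROWSERCOMPONENT",
    ("Microsoft.Phone.Info", "DeviceExtendedProperties"): "ID_CAP_IDENTITY_DEVICE",
    ("Microsoft.Phone.Info", "UserExtendedProperties"): "ID_CAP_IDENTITY_USER",
}

# Constructed manifest that declares more than the sample code below uses.
SAMPLE_MANIFEST = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp"
       RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>"""


def heap_strings(assembly):
    """Every NUL-terminated run of bytes in the file. This approximates reading
    the metadata #Strings heap; a real tool walks the TypeRef table instead."""
    return {seg.decode("utf-8", "ignore") for seg in assembly.split(b"\x00") if seg}


def detect_capabilities(assembly):
    """Capabilities implied by the namespaces and types the assembly references."""
    names = heap_strings(assembly)
    return {cap for (ns, typ), cap in API_CAPABILITIES.items()
            if ns in names and (typ is None or typ in names)}


def declared_capabilities(manifest_xml):
    """Capability names listed under <Capabilities> in WMAppManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get("Name") for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Capability"}


def capability_report(manifest_xml, assembly):
    """Least-privilege review: rights declared but never exercised (over_declared)
    and API use with no matching declaration (undeclared). The Marketplace settles
    both by rewriting the manifest to the detected set."""
    declared = declared_capabilities(manifest_xml)
    detected = detect_capabilities(assembly)
    return {"detected": sorted(detected),
            "over_declared": sorted(declared - detected),
            "undeclared": sorted(detected - declared)}


def fake_assembly(*names):
    """Constructed stand-in for a managed DLL: an MZ stub followed by the given
    names as NUL-terminated #Strings entries. Not a loadable assembly."""
    return b"MZ" + b"\x00" * 14 + b"".join(n.encode("utf-8") + b"\x00" for n in names)


if __name__ == "__main__":
    dll = fake_assembly("System.Device.Location", "GeoCoordinateWatcher",
                        "System.Net", "WebClient",
                        "Microsoft.Phone.Controls", "PhoneApplicationPage")
    print(capability_report(SAMPLE_MANIFEST, dll))
```

For the constructed assembly above the report shows ID_CAP_LOCATION and ID_CAP_NETWORKING detected and ID_CAP_MICROPHONE over-declared: the manifest asked for microphone access that nothing in the code uses, which is exactly the right the platform should withhold. An assembly that references PhoneCallTask without declaring ID_CAP_PHONEDIALER shows up under undeclared instead.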