Windows Phone 7 Development : Understanding Application Security

6/11/2011 5:02:17 PM
Ideally, all Windows Phone 7 applications would come from legitimate sources and behave like good citizens. However, experience shows that many applications break those rules and that safeguards must be put in place to prevent this kind of behavior. On the application security front, the Windows Phone 7 platform includes safeguards that verify the identity of an application's author and sandbox the execution of each mobile application. In the next few sections, you will explore these safeguards in detail.

1. Windows Phone Marketplace

The early years of Windows XP were not happy ones at Microsoft. The whole world was upset with the company for allowing its operating system to be exploited by multiple malicious programs. Even though Windows XP shipped with safeguards that could prevent those exploits, their activation was left up to the user, and that activation rarely happened. What Microsoft quickly learned from that experience was that it must take a lot of responsibility to protect its user base from both known and potential malicious attacks.

Because mobile devices contain huge amounts of personal information and by their nature are frequently lost or misplaced, application monitoring is all the more necessary. For Microsoft to assume this responsibility for Windows Phone 7 applications, it must have as much control as possible over the applications built and deployed onto its platform, while still encouraging developer creativity as much as possible. To facilitate this dual goal of being autocratic and democratic at the same time, Microsoft has created a Windows Phone Marketplace. Windows Phone Marketplace is the single online distribution point for all Windows Phone 7 applications. The objectives of Windows Phone 7 Marketplace and the way it achieves those objectives are described in the following sections.

1.1. Non-repudiation: Proof of the Integrity and Origin of Data

The first objective of Windows Phone Marketplace is to confirm the identity of an application's author. In the Internet era, attempts to claim false identity are extremely common—think about millions of e-mails processed daily that claim to come from an online bank or an African prince. In a similar fashion, without a centralized approval mechanism, any malicious Windows Phone 7 application could claim to be genuine and capture the user's personal information. In software security, the concept of non-repudiation refers to the guarantee that the application indeed came from the source it claims to have come from. On the Windows Phone 7 platform, the origin and safety of applications are confirmed during the application certification, a required step for all Windows Phone 7 applications. During application certification, the developer submits her application to the Windows Phone Marketplace and pays a fee, at which point Microsoft runs a series of automated and manual tests to confirm application safety and, to some extent, reliability.

Currently, no application can be loaded onto the phone without going through Windows Phone Marketplace. While there is a possibility that this policy will be revisited in the future to allow enterprise customers to bypass Windows Phone Marketplace, at the time of this writing it is only a possibility. All Windows Phone 7 developers must sign up for the marketplace and must provide legitimate proof of their identity to the marketplace before any of the applications they create are available for installation on users' phones. Once their identity is verified, application developers receive a code-signing certificate.

This digital certificate verifies that the application was created by the specified company or individual, fulfilling the concept of non-repudiation mentioned previously.

1.2. Intellectual Property Protection

Software piracy is a huge problem affecting both giants of software development like Microsoft and small one-person shops trying to build mobile applications. To help safeguard against piracy, Microsoft requires that a valid application license issued by the Windows Phone Marketplace be present on the Windows Phone 7 device before it allows the execution of an application. This means that even if somebody figures out how to load an application onto the device without going through Windows Phone Marketplace, the application will not run since the license key for that application will not be available.

1.3. Safe Application Behavior

The Windows Phone Marketplace application approval process includes a suite of certification tests to prohibit risky applications from being loaded onto users' phones. Risky applications may contain malware or viruses themselves, or they may contain code constructs that could allow malicious code execution.

All applications submitted to Windows Phone Marketplace will be subject to malicious software screening, which will attempt to confirm that applications are free from viruses and malware. After successful completion of those tests, additional tests are performed to confirm that an application is written using only type-safe Microsoft Intermediate Language (MSIL) code. Writing applications in MSIL avoids "public enemy #1," as software buffer overruns were called in the book Writing Secure Code, by Michael Howard and David LeBlanc. In addition, an application must not implement any security-critical code, since Windows Phone Application Platform does not allow an application to run security-critical code.

To get a better idea of how the Windows Phone Marketplace submission process helps improve the security of a user's device, let's walk through the steps involved in submitting an application to the marketplace.

2. Submitting an Application to Windows Phone Marketplace

In this walkthrough, you will prepare a package for your application to submit to Windows Phone Marketplace and learn about the steps involved in successfully publishing an application to the marketplace, beginning with the creation of an XAP file. Let's get started.

2.1. Generating an XAP Submission File

The submission file that Windows Phone Marketplace requires is an XAP file that gets generated when the Windows Phone 7 application is built. An XAP file is a zip file containing all elements an application needs to run. To generate an XAP file, you must first build your application, as described in the following steps.

  1. Open your Windows Phone 7 application project inside Visual Studio Express for Windows Phone.

  2. Set the Solution Configuration option to "Release" if it presently isn't, as shown in Figure 1.

  3. In Solution Explorer, right-click the name of the solution and select "Build." At this point, if the build succeeds, Visual Studio creates the ProjectName.xap file, where ProjectName is the name of your solution.

  4. Locate the ProjectName.xap file you created in Step 3. Open Windows Explorer and navigate to the project's directory and the bin/Release/ folder. There you should find a file named ProjectName.xap. This is the file that you will upload to the marketplace.

The next step is to log in to Windows Phone Marketplace and submit the XAP file you just created.

2.2. Uploading the XAP File to Marketplace

Before uploading files to Windows Phone Marketplace, you must create Windows Phone Marketplace login credentials at http://developer.windowsphone.com/. To do that, once you open the Marketplace web site, click the "Register for the Marketplace" link and follow the step-by-step wizard to create your username and password for the Marketplace. With login credentials created, use the following step-by-step guide to submit your application to the marketplace.

  1. Log in to Windows Phone Marketplace (http://developer.windowsphone.com/) and create a new application submission.

  2. When prompted, locate the XAP file that you created in the previous section (remember, it's in the bin/Release/ folder of the project's directory) and follow instructions to upload it to the Marketplace.

  3. Enter a description for your application, select its category and upload an icon for it.

  4. Next, choose the countries that you would like your application to be available in and set the pricing.

  5. While you are busy entering application details (description, category, pricing), Marketplace is at work validating the XAP file. This is the step that confirms that the XAP file is valid and can be passed on for further testing of its reliability and security.

    • If basic XAP file validation fails, you will get a failure notification and will have to start the process over.

    • If validation succeeds, you will be presented with a screen that lets you make your application available to customers right away or wait until you decide to publish.

  6. The automated process within Windows Phone Marketplace opens the submitted XAP file and updates the application manifest file (WMAppManifest.xml) with a unique product identifier and the hub (for example, the Media + Video hub) to which the application belongs. In addition, a header file called WMAppPRHeader.xml is created; it will be used to protect digital rights to your application. Finally, the application manifest file is updated once more to list all of the security capabilities of the application, and the application is repackaged into a new XAP file. This new XAP file is then deployed to an actual Windows Phone 7 device at the Marketplace for certification testing.

Figure 1. Before deploying your application, make sure to set Solution Configuration to Release.

Certification testing consists of both manual and automated verification that the application complies with the rules set by Microsoft regarding content, security, performance, and reliability of Windows Phone 7 applications. If an application violates any of these provisions, it is not published and you get a failure report with details of the problem-causing behavior.

If the application successfully passes certification tests, the XAP file is signed and becomes available for installation from the Windows Phone Marketplace according to the option you selected in Step 6.


When you update your application, you will have to go through the same certification steps as the original application.

3. Sandboxed Execution and the Execution Manager

"Sandboxed Execution" refers to the concept that each application runs in its own environment, or sandbox, and that it has no access to applications running in different sandboxes on the same device. Applications running on the same Windows Phone 7 device are isolated from each other and must communicate with services provided by the Windows Phone 7 platform by using a well-defined standard mechanism. System files and resources are shielded from user applications. To store and retrieve application and configuration data, applications must use Isolated Storage, which is designed to be protected from access by any application other than the currently running one.

To further ensure the security and responsiveness of the Windows Phone 7 platform, Microsoft has built in separate provisions. These provisions include the use of the Execution Manager, as well as granting only the rights an application absolutely requires to function.

The Execution Manager monitors application resource usage in accordance with certain defined conventions. For instance, the Execution Manager may terminate an application in the background if it deems that an application in the foreground is not very responsive. Similarly, the Execution Manager may dismiss an application if it makes an excessive number of requests for phone resources.

The Windows Phone Application Platform also tries to minimize the number of privileges granted to an application. For instance, if an application does not require the use of the location services library, Windows Phone will create a custom execution environment for the application that does not include the rights to that library. This way, the number of potential exploits against the application is minimized.
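The least-privilege model above depends on the capability list that ends up in WMAppManifest.xml inside the XAP (see step 6 of the upload procedure). The following Python example is added here and is not part of the original article: it opens a XAP as the zip archive it is, reads the declared capabilities, and compares them with the set a reviewer believes the application needs. The sample manifest, its zeroed ProductID and the "needed" sets are constructed, and the `Capabilities`/`Capability Name="..."` layout is assumed from the Windows Phone 7 manifest format.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample manifest (not taken from a real application).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MICROPHONE" />
    </Capabilities>
  </App>
</Deployment>"""


def build_sample_xap():
    """Build an in-memory XAP (a zip archive) holding the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("WMAppManifest.xml", SAMPLE_MANIFEST)
        xap.writestr("SampleApp.dll", b"placeholder")  # stand-in for the assembly
    return buf.getvalue()


def declared_capabilities(xap_bytes):
    """Return the set of capability names declared in the XAP's manifest."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        names = [n for n in xap.namelist() if n.rsplit("/", 1)[-1] == "WMAppManifest.xml"]
        if len(names) != 1:
            raise ValueError("expected exactly one WMAppManifest.xml, found %d" % len(names))
        # For XAP files from untrusted sources, parse with defusedxml instead.
        root = ET.fromstring(xap.read(names[0]))
    caps = set()
    for el in root.iter():
        # Match on the local name so the check works with or without a namespace.
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name"):
            caps.add(el.get("Name"))
    return caps


def audit(xap_bytes, needed):
    """Compare declared capabilities with those the app's features actually need."""
    declared = declared_capabilities(xap_bytes)
    return {"excess": sorted(declared - set(needed)),
            "missing": sorted(set(needed) - declared)}
```

Calling `audit(build_sample_xap(), {"ID_CAP_NETWORKING", "ID_CAP_LOCATION"})` reports `ID_CAP_MICROPHONE` as excess, which is the kind of over-declared right worth removing before submission.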
