Obfuscation for WP7

Posted: December 29, 2010 in Development, Windows Phone 7

In November 2010, Microsoft released a white paper titled “Windows Mobile Marketplace Anti-Piracy Model”. It describes which methods were applied to prepare WP7 against piracy. If you read between the lines more closely, however, what remains is that the measures taken were those that were also cost-effective. Conversely, this means that security was only considered necessary up to a certain level, and that loopholes can apparently exist. So what can you do yourself to protect your own application?


Without going into the technical details or supporting “piracy” here, this section only lays the theoretical foundation that the rest of the article builds on.

Suppose it were possible to obtain the certified installation files from the Marketplace without having to buy them. The signature is still verified during installation, but assume here that this check could be overcome as well. In theory, you could then copy applications and install them for free.

This in itself is bad. Worse, however, is that the source code of your application is then delivered practically for free as well.

Take, for demonstration, this super cool “Hello World” sample. The user interface is very appealing:


The associated source code is kept super slim:


Like any other WP7 application, this application is installed in the form of a XAP file. This is nothing other than a ZIP archive containing all the related files, including the executable assembly.

The debug folder of the project therefore contains these files:


Suppose you had bad intentions and wanted to see how the application works, being interested in, for example, the authentication mechanisms and other functions of an application that perhaps should not be made publicly available, so as not to compromise its own systems.

Any assembly that is not protected can be inspected more closely with the .NET Reflector. This is what the assembly of our killer application looks like in the Reflector.


If this were not just our “Hello World” but really important and valuable source code, that information would be on screen in a short time, which is most likely not desired.

(For background on why this is possible with assemblies, we recommend this article.)


So how can you counter this?

It cannot be prevented completely. You can only drive up the cost of doing it. The cost can be driven up so far that the effort required to “decode” this information is so high that it is no longer worthwhile. It remains possible, though.

For this purpose, so-called “obfuscation”, or “concealment”, is applied. Method names are made unrecognizable and strings are quasi-encrypted. The same source code, obfuscated, looks like this:


We see here that the method name was obscured, and that the string and the method call are no longer as recognizable.

(More background on obfuscation can be found here.)

To obfuscate your own application, you need a program. Currently, the Dotfuscator by PreEmptive Solutions is an obvious choice, as it can still be used free of charge until 31.03.2011. If the name sounds familiar: a Community Edition was part of the Visual Studio installation up to version 2008.


With the Dotfuscator you can obfuscate your own assembly and increase the effort needed to “decode” it.

However, there are still a few points to note before you feel secure:

  • An obfuscated assembly needs a little more performance than a non-obfuscated one.
  • Important strings and functions should still be moved to a server if possible. Even if the effort to “decode” an assembly is high, it is safer not to offer this attack surface in the first place.
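
As an added example (not from the original article and not part of Dotfuscator), the following Python script is a pre-release check for your own build: it opens a XAP as the ZIP archive it is and reports string literals in its assemblies that look like they belong on a server instead. The patterns, function names and the sample XAP are constructed for illustration.

```python
import io
import re
import zipfile

# Constructed patterns for strings that should not ship in a client assembly.
SENSITIVE = re.compile(r"(https?://|password|secret|api[_-]?key|connectionstring)", re.I)
# Runs of 6+ printable ASCII characters stored as UTF-16LE, the encoding
# .NET uses for string literals in an assembly's user-string heap.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def utf16_strings(data):
    """Return printable UTF-16LE strings found in raw assembly bytes."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def audit_xap(xap):
    """Map each .dll in the XAP to the sensitive-looking literals it exposes."""
    findings = {}
    with zipfile.ZipFile(xap) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".dll"):
                continue
            hits = [s for s in utf16_strings(archive.read(name)) if SENSITIVE.search(s)]
            if hits:
                findings[name] = hits
    return findings

def build_sample_xap():
    """Constructed stand-in for a XAP: a ZIP with a manifest and a fake 'assembly'."""
    fake_dll = (b"MZ\x90\x00" + b"\x01\x02\x03" * 5
                + "Hello World".encode("utf-16-le") + b"\xff\xfe\x01"
                + "https://api.example.invalid/login".encode("utf-16-le") + b"\x00\x07"
                + "password=hunter2".encode("utf-16-le") + b"\x99")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", "<Deployment />")
        z.writestr("HelloWorld.dll", fake_dll)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for dll, literals in audit_xap(build_sample_xap()).items():
        for literal in literals:
            print(f"{dll}: {literal!r}")
```

An empty result after obfuscation with string encryption only shows that the literals are no longer stored in plain form; the advice above to keep them off the device still applies.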

Special Note for the Author

I would like to thank the author, “Peter Nowak”, of this article for giving me permission to translate it from German. The whole purpose of this translation was just to make readers who don’t know the German language comfortable. I really appreciate the effort being done by Peter Nowak for this article and wish him the best of luck for his upcoming articles and efforts.

Source: Translated From German to English Using Google Translator

  1. LogicNP says:

    Crypto Obfuscator (http://www.ssware.com) is another obfuscator which supports Silverlight – it can directly obfuscate your xap files and huge plus is that it supports class/method renaming within your XAMLs as well!
