MX Apps Security and Devs’ Income Jeopardy


Since today is turning out to be a plea day to Microsoft, I might as well add the following points that Devs have raised with me, points I can really understand from a Dev’s perspective.

MX Apps (Metro Apps if you live in the past) hold great promise for Microsoft and end users alike. They are highly portable, highly manageable and secure, if we can believe Microsoft’s promise for the WinRT environment of Windows 8. Apps can be built with next to no experience; even script kiddies are now top-notch coders on Windows 8. It’s all fine and dandy till bread and butter come into question. If you are a hobby developer, you won’t mind what MS does with your code the moment you submit it to the Store; all you care about is seeing your App published and, hopefully, featured in the Windows Store.

But when your app is your bread, and preferably your butter too, you do seriously mind what MS does with your code in the Store and on users’ devices. MX Apps are scripted Apps, they are managed Apps: you code either in JavaScript or in .NET, both of which are translated Apps. This means there’s a file of yours somewhere with readable code for everyone who has the will and the intent. Here you are, slaving away at a particularly difficult routine in your app. You need to implement that killer feature that will differentiate your app as a professional Dev; ergo, this is the source of your income! It took you two days to do the plumbing and debugging of this difficult routine; now it is part of the code for your app, submitted to the Store, and globally readable.

Of course you’ll feel cheated. Anyone who finds your app awesome and wants to know how you carried out that impossible feat can now dive into your code and read how you did it; gone is your professional advantage. This will be an awesome scene in about 50 years, when we don’t work for money anymore and the era of Star Trek has broken upon us, where everyone works just for the pleasure of it. There is no hunger anymore; need has been banished by the Federation. This will probably remain in the realm of my dreams, and those of many of you.

But for now, you need to pay your bills, and how could you if people can easily pilfer your code and earn money with it while you go hungry? So this brings me to my point. Microsoft, we know you protect MX Apps with encryption from hackers and the like, and that you can’t just copy and run apps on other machines, but what about people-readable code? Why aren’t you protecting Devs’ labour? Why not encrypt Devs’ code and files before publication so that only the system can decrypt them at runtime? Why do my files have to be readable to all? If you think I am joking, read this from a concerned dev:

Hi McAkins,

I just want to explain the security problem in Windows 8 Store apps, which can lead to another security problem:

First of all, when we install a Windows 8 Store app, it will reside in the %ProgramFiles%\WindowsApps folder. Although the folder is hidden by default, through ‘folder options’ we can show the folder, and we can access it after we take ‘ownership’ of the folder (we don’t need a special tool to take ownership of the folder; we can take ownership through Windows Explorer alone). After that, the problem begins:

1. For all the applications that we installed, a user can take all the assets we use in our app (images, sound, video, and other assets), because we can access all the Windows 8 Store app application folders. For a JS app we can see the code clearly if we did not minify that code before publishing to the Store (like the Skype app; I attach the source code I took from my laptop).

2. Let’s say we develop a Windows 8 Store app using JS, and use Windows Azure Mobile Services to push notifications to the user, or even worse, we have storage or other cloud services: the ‘client secret’ to access our Windows Azure service can be seen by people or malware, and then they can abuse our cloud service / Windows Azure services.

3. Another problem: if we develop using C#, we can also decompile it using .NET Reflector or other related apps (but this is the nature of .NET apps, either desktop apps or Windows 8 Store apps).

Thanks

<Concerned Dev>

And here is the Skype Source Code he was talking about:

[Image: Skype source code]

How about that?! Even MS’s own software is not protected! But then they can afford to lose a dollar or two to a script kiddie.

So there you have it: if you write in JS, you’re screwed as a professional Dev. You are basically plumbing for other people. Period. This is not acceptable and should be mitigated, Microsoft. The only way to guarantee App privacy right now is to hide your code in C++ DLLs with JS as the frontend, or, to a lesser degree, to code in .NET, where at least it takes a bit of effort to get to the decompiled code. So here we are, MS, with another plea. Please either obfuscate published code or encrypt all JS and .NET files. That’s the only way Devs can resign from their day jobs and take up coding full time: if they are guaranteed a source of income in the future. Do it now! Yes you can!

Thanks all for your attention.

– McAkins


2 thoughts on “MX Apps Security and Devs’ Income Jeopardy”

  1. Hi, thanks McAkins for the great article!

    This is true, but I have seen this problem since the Developer Preview. I thought MS would have a solution for this matter when Windows 8 was released (RTM), but it is still the same. So what I do now is always keep 2 versions of the code: one non-minified and the other minified. When I want to publish to the Store, I change the reference to the minified one and exclude the non-minified one from the published package. :) I look forward to hearing if you guys have a better solution for this.

    1. Great catch. Thanks for sharing. Hopefully any of you Devs care to share how you mitigate pilferation of your code?
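
A pre-publish check covering the concerned dev’s point 2 and the commenter’s minified-build routine, as an added example that is not part of the original post or its comments: it scans a package’s file map for secret-looking string literals and for readable sources left beside, or referenced instead of, their `.min.js` build. The `auditPackage` function, the name pattern and the sample package are assumptions constructed for illustration.

```javascript
// Added example: pre-publish audit of a JS Store app package.
// `files` maps package-relative paths to file contents.
// Assumed heuristic: a secret is a quoted literal of 8+ chars assigned to a
// name containing secret/apikey/appkey/password/token.
const SECRET_RE =
  /\b(\w*(?:secret|apikey|appkey|password|token)\w*)\b\s*[:=]\s*["']([^"']{8,})["']/gi;

function auditPackage(files) {
  const findings = [];
  const paths = Object.keys(files);
  for (const path of paths) {
    const text = files[path];
    if (/\.js$/i.test(path)) {
      // String literals survive minification, so scan every script.
      for (const m of text.matchAll(SECRET_RE)) {
        findings.push({ path, issue: "hardcoded-secret", name: m[1] });
      }
      // Readable source shipped next to its minified build.
      if (!/\.min\.js$/i.test(path) &&
          paths.includes(path.replace(/\.js$/i, ".min.js"))) {
        findings.push({ path, issue: "unminified-source-in-package" });
      }
    }
    if (/\.html?$/i.test(path)) {
      // Page still references the readable build instead of the minified one.
      for (const m of text.matchAll(/<script[^>]*\bsrc=["']([^"']+\.js)["']/gi)) {
        if (!/\.min\.js$/i.test(m[1])) {
          findings.push({ path, issue: "references-unminified", name: m[1] });
        }
      }
    }
  }
  return findings;
}

// Constructed sample package; every name and value is a placeholder.
const samplePackage = {
  "default.html": '<script src="/js/app.js"></script>',
  "js/app.js": "// push setup\nvar clientSecret = 'PLACEHOLDER-NOT-A-REAL-KEY';\n",
  "js/app.min.js": 'var clientSecret="PLACEHOLDER-NOT-A-REAL-KEY";',
};

for (const f of auditPackage(samplePackage)) {
  console.log(`${f.path}: ${f.issue}${f.name ? " (" + f.name + ")" : ""}`);
}
```

Minification does not hide a string literal, so the secret check reports the minified file as well; a value found there is still readable by anyone who opens the installed package.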
