Security on the Brain Security is something we all know is important, but is it something that we always do? Most likely, not always. That’s partially because security is complex and takes time to implement. Many of you, these days, don’t have that time (it’s all about shortest time-to-market, right?) to think about security. You make sure that minimal security checks and balances are there, but that’s about it. Totally understand. But security doesn’t have to be complex to implement once you know what you have already available to you in the frameworks and products that you use every day. Over the course of the next few weeks, check back often as we’ll be demystifying different aspects of application security, simple things you can do to protect your applications, how to use the tools and frameworks you’re already using as your lines of defense against hacking, and more. Feel free to start or join discussions in the Canadian Developer Connection LinkedIn group to give and receive thoughts and feedback on these or any other topics from fellow Canadian developers and experts.
It would not be right of us to talk about how to build secure Windows Store apps and not do the same for Windows Phone apps. In this first of two guest posts, Mark Arteaga explores the security features that are built right into the Windows Phone platform.
Guest post by Mark Arteaga, Microsoft MVP
Application security for developers is a very large topic, but Windows Phone does make adding security to an app easier for developers and also to help keep an end users data safe. With an article recently published on Building Secure Windows Store Apps, pretty much all of those concepts can be used on Windows Phone 8. I thought it fitting to describe some of the security features available on Windows Phone that developers get for free and what is available to use within their apps.
Windows Phone 8 is based on the ARM version of Windows 8 so a lot of the security features available on the desktop come for free on the phone such as Trusted Boot and Code Signing. What are these for? Basically these features help protect the phone boot process and operating system from malware attacks (ie rootkits) by making sure only validated software components execute. The Trusted Boot technology validates Windows Phone firmware images and all boot components have digital signatures that are cryptographically validated. This helps ensure that only authorized code can execute to initialize the device and load the operating system, Windows Phone.
This helps protect the integrity of the phone and also the end user from potential malware.
As the Windows Phone platform is pretty well protected with Trusted Boot and Code Signing, there is still the opportunity for other forms of malware that could make its way to the end users phone that could potentially disclose or capture user’s data or even corporate data. There are a few things Microsoft does to prevent this which developers should be aware of.
The following is a list developers should know when developing for Windows Phone:
As developers, we work hard to create our software and want to make sure it’s protected when users start downloading it and using it. Once your app passes certification requirements, the app will be digitally signed on behalf of the developer and made available in the Windows Phone store.
To help protect a developers hard work, a valid license that is issued by the Windows Phone Store must be present on the users phone to be able to run. So if someone does figure out how to download the app and load it onto their phone, Windows Phone will not allow the app to run since the license is not available.
As a developer this is great as it helps curb someone pirating your app and since all XAP files are encrypted, it helps prevent a lot of casual snooping of your app code files but things to remember are:
Here are a list of resources used for this article which contain more information
This is not an exhaustive list of the security features available in Windows Phone 8, but this introduction and resources should get you started if you want to learn more about it.
In part 2 of this post, I’ll go over some of the APIs and techniques to help secure your apps and help your users feel safe when using your apps.
As always, if you have any specific questions or concerns about Windows Phone app security, how to implement any of these, or if you read something that you want to find more about, feel free to start a new discussion in the Canadian Developer Connection LinkedIn group. Mark, community experts, and your fellow Canadian developers are there to answer and share.
This post is cross-posted from Mark Arteaga’s blog.