Server-side Marketplace encryption coming soon to prevent app piracy

In an interesting article at Ars Technica, they discuss the brief history of Chevron WP7, homebrew and piracy with regards to Windows Phone 7. Most of it is par for our readers, with nothing to substantial as far as history.

But there was a real interesting section regarding piracy, encryption and what Microsoft is doing to prevent theft of developers' software:

"Those piracy concerns are still an issue. It's possible to download application packages from Microsoft's servers and install them onto a developer unlocked phone without actually buying them.

That will change. Windows Phone 7.5 "Mango" includes support for a new kind of encrypted package that should rule out this kind of piracy. Microsoft is waiting to ensure that a high enough proportion of users have upgraded to Mango before throwing the switch and using these encrypted packages, however."

This is the first we heard of any XAP encryption that would seemingly prevent users from sideloading illegally downloaded XAPs from Microsoft's servers (something we first demonstrated back in December). The idea is certainly a welcome one and from that detail about Microsoft waiting to throw the switch, this seems to be all on their-end.  That means devs won't have to do anything different in their XAP preparation and submission to the Marketplace.

Of course devs could presumably still release their XAPs directly e.g. for the homebrew community without encryption, much like they do now. But for companies like Nokia, who may be a tad irritated that their Music and Maps apps have been ripped, this could be very welcome news.

Source: Ars Technica


Reader comments

Server-side Marketplace encryption coming soon to prevent app piracy


Fantastic news !! My apps were cracked and distributed on asian websites only two/three days after the pubblication...It is not clear by this article if the new DRM encryption is currently active for 7.1 (mango) Apps or will be a future upgrade (I think Nokia Drive/maps, Kinectimals, ecc were compiled with 7.1 SDK, but were cracked too..)

I guess my question is, when would the app be validated on the server side? Let's say you "crack" a free exclusive app, i.e. Nokia Drive. When would the Nokia Drive xap look for the server side encryption? It can't do it every time the app is opened on the phone, that would lead to huge data charges. I don't think it can do it at the time of download, because wouldn't hackers just need to spoof their device id and send it to enable downloading?This will be a very interesting back & forth between MS and pirates.

Developers worked very hard on their apps and it only makes sense that Microsoft protects that apps, efforts and revenue. Microsoft should activate this encryption as soon as possible! As long as there are no downsides to the normal users.

I'm not sure why Microsoft is waiting till enough users are on Mango before using eXaps. If Mango phones support it and eXaps are only enabled for Mango apps, they should've enabled it by now. Waiting won't make a difference. (although I'm sure it'll be cracked in a matter of weeks or months, but it's better than nothing)

Server-side encryption is not that easy to hack.If only Mango phones support it, that means that NoDo phones wont be able to install apps anymore.

NoDo phones can't download Mango apps, so it won't affect them if they only encrypted Mango apps. NoDo phones will still be able to download the unencrypted Xaps as they've always been...

Hopefully it will be cracked swiftly.As someone who has yet to decide on a smartphone ecosystem, I can safely say that there is not a chance whatsoever that I'll buy a phone system which (effectively) prohibits piracy. Call me what you like but I'm just telling you the truth. WP7 has a ton of stuff stacked against it from an enduser point of view. It doesn't need another.

Your someone freely profiting of other people's efforts trying to make some money out of their hard work. You're just a free loader, and of course? Who is stopping you? Nobody... yet know that what you're doing is disgusting, repulsive, arrogant and egoistic. Which are traits that won't bring you far in this world. Or maybe they will, but you should be ashamed... So, now I've called you what I'd like :)

@battleangel...so is it safe to say that Android is the ecosystem for you? At the end of the day, people invest their time, and their money, to bring apps and services to end users; if developers want to offer those to end users for 'free', then so be it. But if not, to hack a paid service or app is stealing. That you, and probably some others, don't respect that, is sad.

I recently had my app, GIFStudio, pirated...I am in a tough position where over half of my users are pirates and I am providing hosting for the animated gifs created with my app...the more pirates the more it costs me. It's not alot, but it is adding up.I am very excited about marketplace encryption.

Hooray! This is one of the things that really worried me about this platform... especially when I found out they will soon be offering unlocks for $9 or whatever it is.To battleangel:I appreciate that you worded your argument reasonably and didn't resort to all sorts of name calling and strange spellings as is usually the case with pirates.However, why would MS care if the incredibly small percent of users that would take this ridiculous stance decide to pass on WP and go with Android? MS will get your $ anyway for the phone, and as a future user you are pretty much worthless to them... in fact, it really is in their best interests as the percentage of pirates on Android goes up and the percentage on WP goes down, which will drive more devs to the WP platform. Good news all around that you and your ilk may lose interest. While I (and MS) hate to drive anyone away from the platform, in this case there is no downside.

As long as this does not impact the legitimate homebrew community, then it's a great idea and sooner is better.And Microsoft already checks which apps are on your devices,(ie. developer accounts expire and side-loaded apps are locked out on previously registered devices) so once this encryption is turned on, they will either remove the app from your device without asking or lock it out. It's probably hidden somewhere in their EULA.

I thought all Mango apps would already be encrypted so it's surprising to hear they haven't been. I'm glad I've been doing other things and only have a few beta users at present. I obfuscated portions of the code because it took a long time to get it right. And that is my main worry. However, I don't want to put any apps in the MarketPlace without being assured they won't be pirated.

As far as I am concerned it's not coming soon enough, I need this kind of application like the breathing air. I found some solutions on www.Trendmicro.com but when it comes to security you can never take too many measures.