Protecting your Windows Store app code from hackers
Published: 13 January 2013
Do you know that it is easy to hack paid apps' code from the Windows Store?
There are security vulnerabilities in Windows 8 XAML-based metro style applications. Specifically, the problems are fundamental design flaws that allow the compiled code of Win8 applications to be revealed and deployed apps to be modified, with negative implications for intellectual property rights protection.
There are many freeware .NET tools, called .NET assembly browsers, that allow pirates to hack a Windows Store app's code. For example, Refractor, a .NET decompiler and assembly browser, allows pirates to reverse-engineer a paid app's code. It is then relatively easy to compile the source code using the .NET Framework. In this scenario, of course, the hacker does not need to pay for the app registration.
How to protect your Windows Store app?
You cannot be totally sure that nobody has access to your code once you publish the app on the Windows Store. It is always possible to use IL Disassembler (ILDAsm.exe), which is distributed by Microsoft (http://msdn.microsoft.com/en-us/library/f7dy01k1(VS.80).aspx).
Obfuscation is a rather popular area for new products aimed at Windows Store apps (such as http://www.rustemsoft.com/Skater.asp, which is much cheaper than the others but also seems solid, with many protection layers on offer). The only goal is to prevent decompilation into a high-level programming language with meaningful object names and a recognizable class structure in the source code files. That is the intention of obfuscation software.
Skater .NET obfuscator
Below is how your Windows Store app App1.exe looks in the Skater .NET obfuscator interface when it is opened for obfuscation:
Skater .NET obfuscator offers several obfuscation techniques. The main ones are listed below.
Public and Local members names obfuscation
It scrambles the names of variables, classes, methods, and other members of the Windows Store app. Renaming the app's entities makes reverse engineering of the assembly code much harder. Some Skater settings generate names that prevent recompilation of the disassembled code.
Encryption of String values
The string encryption function lets you select literal values of the string data type to be encrypted. Since strings can provide useful clues to anyone trying to reverse-engineer an assembly's code, it makes sense to hide your string data from hackers.
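A post-build check for the name obfuscation and string encryption described above, as an added example that is not part of the original article or of Skater: it confirms that the identifiers and literals you consider sensitive no longer appear in plaintext in the protected assembly. The deny-list entries, the `_blob` helper and the BEFORE/AFTER byte strings are constructed stand-ins for a real App1.exe read with `open(path, "rb").read()`.

```python
# Added example: verify that selected names and string literals are no longer
# readable in a .NET assembly after obfuscation.
# .NET metadata stores member names as UTF-8 (#Strings heap) and string
# literals as UTF-16LE (#US heap), so each needle is searched in both forms.

ENCODINGS = {"name (UTF-8)": "utf-8", "literal (UTF-16LE)": "utf-16-le"}

def find_plaintext(data: bytes, needles):
    """Return {needle: [(kind, offset), ...]} for every needle still visible."""
    hits = {}
    for needle in needles:
        for kind, enc in ENCODINGS.items():
            pattern = needle.encode(enc)
            pos = data.find(pattern)
            while pos != -1:
                hits.setdefault(needle, []).append((kind, pos))
                pos = data.find(pattern, pos + 1)
    return hits

def check_assembly(data: bytes, needles):
    """True when none of the needles survive in either encoding."""
    return not find_plaintext(data, needles)

def _blob(names, literals):
    """Constructed, simplified stand-in for an assembly's metadata heaps."""
    strings_heap = b"\x00" + b"".join(n.encode("utf-8") + b"\x00" for n in names)
    us_heap = b"\x00" + b"".join(s.encode("utf-16-le") for s in literals)
    return b"MZ" + strings_heap + b"BSJB" + us_heap

# Hypothetical deny-list: one method name and one literal worth hiding.
SENSITIVE = ["ValidateLicense", "https://api.example.test/activate"]

# Constructed samples: the same app before and after renaming and encryption.
BEFORE = _blob(["App1", "ValidateLicense"], ["https://api.example.test/activate"])
AFTER = _blob(["App1", "a0"], ["x9F2kQ7hLmZ0"])

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        leaks = find_plaintext(data, SENSITIVE)
        print(label, "OK" if not leaks else f"plaintext found: {leaks}")
```

Run against the obfuscator's output as a release gate; a hit means the member was excluded from renaming or the literal was not selected for encryption.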
Control Flow obfuscation
Control Flow obfuscation is designed to prevent decompilers and deobfuscators from functioning correctly. It inhibits reverse engineering by scrambling the code of .NET methods into "spaghetti code". The Control Flow obfuscation algorithms reorder and misrepresent the CIL code in the metro style application, inserting distorted code commands while preserving code semantics.
Skater .NET Obfuscator is fully integrated with Visual Studio 2012 and .NET Framework 4.5. Skater easily protects XAML-based metro style applications that are also known as "Windows Store apps".