Friday, November 19, 2010

300: Survey results from Runtime Intelligence for Windows Phone first movers


I have been poring over a just completed survey that targeted the first 300 developers who downloaded the new Runtime Intelligence for Windows Phone SKU (RI4WP) and I have to say that I am extremely jazzed by the results.

First, we had a 20% response rate which shows right away how engaged these developers already are with the software. I am not going to go into the entire survey here, but I do want to share a few nuggets.

Developers were 3 times more likely to want both analytics and protection versus wanting either one as a standalone function. This is great to see because it says 2 things: first, that when you care about what you build you will want to BOTH know how it’s doing in the wild AND protect your work; second, it shows that developers are getting how efficient it is when you can integrate and combine post-build functions into a single build step (even when those functions appear otherwise to be distinct).

9 out of 10 developers indicated that RI4WP materially improved their overall development experience. Now, you might say that this is biased because we only surveyed developers who had downloaded our software – but every developer had been using our software for at least one week – most for the first time – and so there was no guarantee whatsoever that we would be getting such positive marks so soon after installation.

It was not all love and rainbows – we asked developers to share both what they were most excited about and what their greatest concerns were – and the developers certainly did not hold back.

We saw a lot of enthusiasm for analytics but also some genuine frustration that can only be attributed to a legitimate need for better training and/or support and/or product maturity. For those of you who gave us feedback, rest assured: we are working hard to further simplify, harden, and expand this exciting technology – and be sure to register for our upcoming Master Classes on 12/8 and 12/9.

I will end with a small sampling of the survey write-in comments (unedited).

I (respondent) am most excited because:
“The detailed feature reporting (and the ease at which it can be implemented) is extremely useful for gaining insight into how an application is used in the wild. Early results for my current marketplace application have been surprising - enough so that I will be adding more detailed telemetry reporting to my next application.”
“I will have more insight into application usage trends”
“I can actually see how people are using the app”
“It gives me insight into what is happening with my apps and which ones are more popular so I can focus my efforts there”
“I am figuring out how my users use my app in the real world. Incredibly valuable.”
“Dotfuscator's obfuscation is better than any other product on the market today.”

Tuesday, November 16, 2010

You can’t see me, I’m obfuscating (on Windows Phone)

Recent communications from Microsoft have resulted in a wave of interest (to put it mildly) in obfuscation. Obfuscation is not new; nor are most of the questions, concerns, and critiques that have started flying around the WP7 dev community – but some are new (because there are some unique aspects to the WP7 environment).

I have included some resources and comments here – but also, please stay tuned as PreEmptive will be pushing out a collection of resources on this subject specifically targeting Windows Phone.

Quick resources available now:

Online Support: PreEmptive Solutions has two dedicated support forums for Windows Phone 7 developers. Like any forum, you can peruse them, post questions, and get/give answers. PreEmptive support is actively monitoring and contributing.

Obfuscation for Dotfuscator Windows Phone Edition

Instrumentation for Dotfuscator Windows Phone Edition

ISSA Journal: Assessing and Managing Security Risks Unique to Java and .NET (pdf). Tries to answer the questions “when and why should I worry?” and “then what can I do about it?” Specifically, this article “enumerates specific risks unique to managed code (.NET and Java), offers guidance on assessing organizational materiality of these risks, and lists broadly recognized risk mitigation technologies and practices.”

WP7 FAQ (short blog form)

Q: Why do I have to obfuscate my Windows Phone application? Has Microsoft dropped the ball?

Answer: You don’t have to – but if you want to prevent easy reverse engineering of your application, then you should. Managed code has always been easy to reverse engineer (see ISSA Article listed above), and WP7 is no better or worse. In fact, it may be helpful to compare Android’s policy and recommendations on obfuscation – see my earlier post on this for a detailed comparison.

Q: I just obfuscated my application and it’s broken! Is this a bug? Why can’t it just work like encryption?

Answer: Obfuscation is fundamentally different than encryption in that MEANING MATTERS.

Encryption is only half of the equation – the other half is DECRYPTION. Encryption algorithms do not need to preserve the meaning of content because the content will be DECRYPTED. Meaning is wiped out in the output (that is the intent of course) and reconstituted at decryption time (that also means that encryption cannot be lossy).

Obfuscation is the entire equation – there is no “de-obfuscation” – in fact, that is its intent. Meaning must be preserved in the final output. When your program has tricky reflection, includes mixed-mode DLLs, incorporates third-party libraries, etc. – all of that must be accounted for. Some of this can be divined through static analysis – but some idioms/semantics cannot.

Q: I just want to keep Reflector from showing source code. Is that so hard?

Answer: That is actually easy. Turn off renaming and turn on “control flow.” The ISSA article defines these transforms, but the short answer is that renaming confuses humans and control flow confuses programs (decompilers such as Reflector). Renaming is almost always the culprit when it comes to “breaking apps.”
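To make the “renaming breaks apps” point concrete, here is a small C# program added for this post; it is not PreEmptive’s or Dotfuscator’s own code. The plug-in loader, the report types and the method names are hypothetical. It contrasts the idiom that renaming cannot preserve (a member name carried as a string and resolved through reflection) with two forms that survive renaming: a direct interface call, and a type explicitly excluded from renaming with the System.Reflection.ObfuscationAttribute that Dotfuscator honors on the full .NET Framework (whether the Windows Phone 7 profile exposes that attribute is an assumption here).

```csharp
// Added example (not PreEmptive's code): a hypothetical plug-in loader that
// shows the idiom renaming breaks, beside two approaches that survive it.
using System;
using System.Reflection;

namespace ObfuscationDemo
{
    // Interface-based dispatch: the call site refers to the member directly,
    // so an obfuscator renames caller and callee consistently.
    public interface IReport
    {
        string Describe();
    }

    public class SalesReport : IReport
    {
        public string Describe() { return "sales"; }

        // Located by string at run time. After renaming, no method called
        // "RenderLegacy" exists any more, so GetMethod returns null.
        public string RenderLegacy() { return "legacy"; }
    }

    // Members that must keep their names for reflection can be excluded from
    // renaming. ObfuscationAttribute lives in System.Reflection on the full
    // .NET Framework; its presence in the WP7 profile is an assumption.
    [Obfuscation(Exclude = true, ApplyToMembers = true)]
    public class ScriptableReport
    {
        public string Render() { return "scriptable"; }
    }

    public static class Loader
    {
        // Fragile: the member name travels as data, which static analysis of
        // the call graph does not see, so renaming silently invalidates it.
        public static string CallByName(object target, string methodName)
        {
            MethodInfo m = target.GetType().GetMethod(methodName);
            if (m == null)
            {
                // This is the symptom behind "I obfuscated it and it broke".
                return "missing: " + methodName;
            }
            return (string)m.Invoke(target, null);
        }

        // Robust: a compile-time reference the obfuscator can track and rename
        // on both sides at once.
        public static string CallThroughInterface(IReport report)
        {
            return report.Describe();
        }

        public static void Main()
        {
            SalesReport sales = new SalesReport();

            // Survives renaming: resolved at compile time.
            Console.WriteLine(CallThroughInterface(sales));

            // Works before obfuscation, reports "missing: RenderLegacy" after
            // renaming, because the string is never updated.
            Console.WriteLine(CallByName(sales, "RenderLegacy"));

            // Works before and after, because the type is excluded from renaming.
            Console.WriteLine(CallByName(new ScriptableReport(), "Render"));
        }
    }
}
```

The practical check before turning renaming on is to grep the project for string-based reflection (GetMethod, GetProperty, GetType(string), Type.GetType, Activator.CreateInstance with a name) and for XAML, data-binding or serialization paths that name members textually; each hit either needs an exclusion like the one above or must be rewritten as a direct reference. Control flow obfuscation has no such dependency on names, which is why it is the safe transform to enable first.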

Q: Where can I get the WP7-specific SKUs of Dotfuscator and Runtime Intelligence?

Answer: Go to http://www.preemptive.com/windowsphone7.html. On the right-hand side of the screen under “Get Started Now”, click on Contact Us Here and fill in the request form. BE SURE TO WRITE WP7 IN THE COMMENTS SECTION.

Q: Where can I go to learn about the latest resources to help me obfuscate my app?

Answer: Go to http://www.preemptive.com/windowsphone7.html - we will update this page regularly. Also, follow us on Twitter - @PreEmptive

Friday, November 12, 2010

Biting the hand in the gift horse's mouth

I have been watching the growing “outrage” around the WP7 app reverse engineering controversy; outrage wrapped with an unmistakable implication that Microsoft has somehow dropped a ball and is trying to cover up by recommending obfuscation to mitigate any risks.

I know that I have written that good developers should act like babies, but let’s take a reality check here.

First, let me say that reverse engineering managed code (and the risks that can stem from that) is not unique to .NET – it is common to all managed code platforms including Java (and Mono). For a solid overview on this topic, please see my 2009 article from the ISSA Journal: Assessing and Managing Security Risks Unique to Java and .NET (pdf).

The question is really how a WP7 developer’s experience compares to (for example) an Android developer’s (Google’s Android is Java and subject to all of the same issues and risks).

How many years has Android been out? Let’s compare Android's policy and recommendation to Microsoft's, shall we?


Sources: Android policy and Windows Phone policy

This gets us to the real question that developers should be asking – how does Google’s ProGuard recommendation serve its developers as compared to Dotfuscator for Windows Phone?


Now call me crazy – but as far as I can tell, Microsoft has, in a few short weeks, served up a premier mobile development platform that is not only far more productive than any other, but includes dramatically superior monitoring, measurement, and protection technologies and services – this is not some defensive move to overcome some flaw or hole – it’s designed to further extend the unfair advantage Microsoft offers developers who target Windows Phone 7 first.

What am I missing here?

A phone by any other ‘nym is just as slick

(…or, are smartphones also people too?)

One of my favorite words is retronym. A retronym is a new name for an existing (old) thing that becomes necessary because of progress. (what!?) Examples help – the term “acoustic guitar” was only necessary when electric guitars hit the scene. The term black and white TV was not born with the invention of TV – it was born with the invention of color TV.

But we don’t have color phones, we have SMARTphones!

And here is the twist – a smartphone is more than a new class of phone, it's also an anthropomorphism (ascribing human attributes to a thing that is not human). Phones can't really be smart – people are smart (at least in theory).

As I've already written in some of my more verbose entries below, smartphones are important because they combine the best of computing, communication, content, and social forces – to become something entirely new.

And as one more piece of supporting evidence that the smartphone hype is real – not only do smartphones promise to disrupt markets, business operations, and social norms ... they have given us our very first anthropomorphic retronym – the dumbphone.

I didn't make this up – see Dumbphone. It's the first of its kind, and I think that's worth noting.

Can you hear me now?