Friday, November 12, 2010

Biting the hand in the gift horse's mouth

I have been watching the growing “outrage” around the WP7 app reverse engineering controversy; outrage wrapped with an unmistakable implication that Microsoft has somehow dropped a ball and is trying to cover-up by recommending obfuscation to mitigate any risks.

I know that I have written that good developers should act like babies, but let’s take a reality check here.

First, let me say that reverse engineering managed code (and the risks that can stem from that) is not unique to .NET – it is common to all managed code platforms including Java (and Mono). For a solid overview on this topic, please see my 2009 article from the ISSA Journal: Assessing and Managing Security Risks Unique to Java and .NET (pdf).

The question is really how a WP7 developer’s experience compares to (for example) an Android developer’s (Google’s Android is Java and subject to all of the same issues and risks).

How many years has Android been out? Let’s compare Android's policy and recommendation to Microsoft's shall we? (click on image to enlarge)

Sources: Android policy and Windows Phone policy

This gets us to the real question that developers should be asking – how does Google’s ProGuard recommendation serve its developers as compared to Dotfuscator for Windows Phone? (again, click to enlarge)

Now call me crazy – but as far as I can tell, Microsoft has, in a few short weeks, served up a premier mobile development platform that is not only far more productive than any other, but includes dramatically superior monitoring, measurement, and protection technologies and services – this is not some defensive move to overcome some flaw or hole – it’s designed to further extend the unfair advantage Microsoft offers developers who target Windows Phone 7 first.

What am I missing here?

No comments: