An idea for curbing WP7 piracy

Since it has been made painfully obvious that Windows Phone 7 application piracy is possible, at least for developer unlocked devices, it's about time I outlined a fairly simple idea I had a couple of months back about curbing such piracy for a significant subset of the WP7 apps out there.

First, the tl;dr version is as follows: Microsoft should provide an API to get (or verify) app purchasers' anonymized Live IDs and/or Device Unique IDs.

Now, the explanation. Whenever a user purchases an app via the Marketplace, they must do so through their Live ID. Because their Live ID is associated to the app purchase, there should be a one-to-one relationship between a single app purchase and a Live ID. Assuming that the anonymized Live IDs (ANIDs) that are already available to app developers can be determined/calculated by Microsoft's services in the cloud, then all Microsoft has to do is expose an API that lets app developers check whether the current user's ANID is associated with a verified purchase.

The reason I said earlier that this would apply to a subset of apps and not all of them is that such a validity check should only be performed server-side -- otherwise, an app that performs it locally can easily be cracked to NOP (ignore) the code performing this check. Because of this, only apps that rely on a cloud service would gain a significant benefit from doing ANID validity checking. And the reason I used the term "significant" is that Microsoft has already been pushing for more cloud functionality within apps, so the encouragement is already there to some extent.

Finally, if ANIDs cannot be calculated by Microsoft outside of the phone, then the same idea would still apply to Device Unique IDs. Since a check is already being done to ensure that an app is not installed on more than five (I believe) devices associated with a single Live ID, Microsoft has to already be storing all active Device IDs per Live ID. Exposing an API to check for the validity of a Device ID based on its parent Live ID would provide the same benefit.

comments powered by Disqus