Windows Phone Mango – Encrypt Data

Windows Phone 7 Mango has focused on the end consumer market. The phrase “Put people first” is something we have seen in all of Microsoft’s Windows Phone 7 Mango promotions. The marketplace is filling up with apps targeting the common user, so for most applications encryption has not been very important. However, more and more enterprise apps and data-sensitive apps are arriving, and protecting your data is key in many scenarios.

Saving data in a phone’s isolated storage is not secure: a tool that comes with the SDK enables you to list, copy and replace files and directories in isolated storage. You can read about how to use the tool at MSDN. There is also an excellent tool that lets developers do a lot more with their applications, such as uninstalling developer XAPs, getting detailed device information, browsing the isolated storage, and copying the phone’s local SQL CE DB to your PC to extract and change data, all through a really nice UI. Get your hands on the Windows Phone Power Tools at CodePlex.

This article goes through the basics of how to encrypt and decrypt sensitive and confidential data such as a username, password or PIN code using the Data Protection API (DPAPI), to prevent anyone from accessing your data using tools like the isolated storage explorer.

DPAPI

Encrypting the data will not increase the security if the decryption key resides on the phone, no matter how well the key is hidden. DPAPI solves the problem of explicitly generating and storing a cryptographic key by using the user and phone credentials to encrypt and decrypt data. This means that the only place where you can decrypt your encrypted data is on the phone itself!

ProtectedData class

You can use the ProtectedData class that provides you access to DPAPI through Protect and Unprotect methods. On a Windows Phone device, every application gets its own decryption key when the application executes for the first time. Calls to Protect and Unprotect methods will implicitly use the decryption key and make sure all data remains secure and private to the application.

Protect – Use this method to encrypt your data
Unprotect – Use this method to decrypt your data

I have created a CryptoUtil class that enables you to encrypt strings, store them in isolated storage, and decrypt them again.

    using System.IO;
    using System.IO.IsolatedStorage;
    using System.Security.Cryptography;
    using System.Text;

    public static class CryptoUtil
    {
        /// <summary>
        /// Encrypt a string and store it in the phone's isolated storage
        /// </summary>
        /// <param name="value">The plaintext string to protect</param>
        /// <param name="path">Isolated storage path of the file to write</param>
        public static void EncryptAndStore(string value, string path)
        {
            // Convert the string to a byte[].
            byte[] plainBytes = Encoding.UTF8.GetBytes(value);

            // Encrypt the bytes by using the Protect() method (no optional entropy).
            byte[] protectedBytes = ProtectedData.Protect(plainBytes, null);

            // Store the encrypted bytes in isolated storage.
            CryptoUtil.WriteProtectedStringToFile(protectedBytes, path);
        }

        /// <summary>
        /// Decrypt a string that is stored in the phone's isolated storage in the provided path
        /// </summary>
        /// <param name="path">Isolated storage path of the file to read</param>
        /// <returns>The decrypted string, or an empty string if the file does not exist</returns>
        public static string DecryptString(string path)
        {
            using (IsolatedStorageFile file = IsolatedStorageFile.GetUserStoreForApplication())
            {
                if (!file.FileExists(path)) return string.Empty;
            }

            // Retrieve the encrypted bytes from isolated storage.
            byte[] protectedBytes = CryptoUtil.ReadStringFromFile(path);

            // Decrypt the bytes by using the Unprotect method.
            byte[] plainBytes = ProtectedData.Unprotect(protectedBytes, null);

            // Convert the decrypted bytes back to a string.
            return Encoding.UTF8.GetString(plainBytes, 0, plainBytes.Length);
        }

        private static void WriteProtectedStringToFile(byte[] stringData, string path)
        {
            // Create (or overwrite) a file in the application's isolated storage.
            using (IsolatedStorageFile file = IsolatedStorageFile.GetUserStoreForApplication())
            using (IsolatedStorageFileStream writestream = new IsolatedStorageFileStream(path, FileMode.Create, FileAccess.Write, file))
            {
                // Write the encrypted bytes to the file; the using block closes the stream.
                writestream.Write(stringData, 0, stringData.Length);
            }
        }

        private static byte[] ReadStringFromFile(string path)
        {
            // Access the file in the application's isolated storage.
            using (IsolatedStorageFile file = IsolatedStorageFile.GetUserStoreForApplication())
            using (IsolatedStorageFileStream readstream = new IsolatedStorageFileStream(path, FileMode.Open, FileAccess.Read, file))
            {
                byte[] protectedBytes = new byte[readstream.Length];

                // Read may return fewer bytes than requested, so loop until the buffer is full.
                int offset = 0;
                int count;
                while (offset < protectedBytes.Length &&
                       (count = readstream.Read(protectedBytes, offset, protectedBytes.Length - offset)) > 0)
                {
                    offset += count;
                }

                return protectedBytes;
            }
        }
    }
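
The class above passes null as the second argument to Protect and Unprotect and lets any decryption failure propagate to the caller. The following variant is an added example, not part of the original post: it passes an optional-entropy value and treats a missing, replaced or altered file as a failed load. The class name SecretStore and the entropy label are hypothetical, and it assumes a failed Unprotect surfaces as a CryptographicException.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore // hypothetical name, not from the article
{
    // Constructed label passed as optionalEntropy; not a secret, it binds a blob to one purpose.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app/pin/v1");
    public static void Save(string value, string path)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] blob = ProtectedData.Protect(plain, Entropy);
        Array.Clear(plain, 0, plain.Length); // wipe the plaintext buffer once it is encrypted
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        using (IsolatedStorageFileStream fs = store.OpenFile(path, FileMode.Create, FileAccess.Write))
            fs.Write(blob, 0, blob.Length);
    }

    // Returns false when the file is missing or its contents cannot be decrypted.
    public static bool TryLoad(string path, out string value)
    {
        value = null;
        byte[] blob;
        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (!store.FileExists(path)) return false;
            using (IsolatedStorageFileStream fs = store.OpenFile(path, FileMode.Open, FileAccess.Read))
            {
                blob = new byte[fs.Length];
                int read = 0, n;
                while (read < blob.Length && (n = fs.Read(blob, read, blob.Length - read)) > 0)
                    read += n; // Read may return fewer bytes than requested
            }
        }
        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, Entropy);
            value = Encoding.UTF8.GetString(plain, 0, plain.Length);
            Array.Clear(plain, 0, plain.Length);
            return true;
        }
        catch (CryptographicException) // assumption: thrown when the blob fails to decrypt
        {
            return false; // file was modified, replaced, or protected with different entropy
        }
    }
}
```

A caller that gets false from TryLoad should ask the user for the value again rather than continue with an empty string.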

Conclusions

It is really easy to use DPAPI with the Protect and Unprotect methods, and if you create a CryptoUtil class that can be easily reused in all of your applications there are no excuses not to do it :)

Note: If you want to encrypt a large amount of data and the data is stored in the local database on the phone, then encrypting the entire database is a better option. See my next post about encrypting Local DB.

Happy Coding!!

    • steve
    • March 28th, 2012

    I read in the Microsoft Security Best Practices for Developer of WP7 that the application may not clear the MSIT security standards if you use the Data Protection API to encrypt passwords. It said that in the 3rd quarter of 2012 an update would be released on this. Do you know if this has been settled or not? I would like to use this feature and just store my passwords so the users do not need to type them in every time, but cannot do so if MSIT does not approve the application because of this.

    Thanks.

    • Hi Steve

      Yes you can use the data protection API and still pass the certification for marketplace submission.

      We have people here at my company that have done that several times.
