I’m just wondering how the HTML5/JavaScript Metro applications will be packaged and protected against reversal.

For packaging I’ll expect some sort of signed zip/jar (no mention about .appx on MSDN) but for protection, outside of heavy obfuscation for JavaScript I can’t envision any other way (maybe a new prepiled/binary format ?)

If the protection is not good, writing HTML5/JavaScript apps will not flourish too much IMHO.

I’m just wondering how the HTML5/JavaScript Metro applications will be packaged and protected against reversal.

For packaging I’ll expect some sort of signed zip/jar (no mention about .appx on MSDN) but for protection, outside of heavy obfuscation for JavaScript I can’t envision any other way (maybe a new prepiled/binary format ?)

If the protection is not good, writing HTML5/JavaScript apps will not flourish too much IMHO.

• javascript
• html
• windows-8
• microsoft-metro
• windows-runtime

Share Improve this question Follow edited Feb 28, 2012 at 16:12 Kate Gregory 19k88 gold badges5959 silver badges8686 bronze badges asked Sep 16, 2011 at 9:44 devstonezdevstonez 9311 silver badge55 bronze badges

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 6

Instead of just crypto-obfuscation, another option is to implement the proprietary algorithms/logic inside of a 3rd party WinRT ponent. This way, you can have assurance that your proprietary algorithm is protected by virtue of being piled. Granted if you choose to implement in .NET there is some ability by someone to reverse engineer it.

The idea is to write your client in JS/HTML5, presumably this would be somewhat straightforward in which you don't have a huge amount of proprietary info. Then you go write your WinRT ponent in C#/C++ which contains your proprietary "Sausage Manufacturing Process." You call into this WinRT ponent to create some "Sausage" with some data input. This approach means your secret recipe for Sausage is safe while still affording you the simplicity of the platform.

Is that a palatable solution?

i wondered the same thing and i agree that crypto-obfuscation is going to be key, certainly in the early days of protecting metro style apps.

apparently all code is going to be thoroughly reviewed on MS's side before it is offered for download, even obfuscated code, using code-scanning tools. i guess how well this works remains to be seen. i'm sure there'll be hiccups and security issues in the earlier days.

there's a fairly prehensive guide to security here, which mentions 'guard rails' etc. which sound quite interesting.

http://www.microsoft./download/en/details.aspx?id=27408

rob ganly