Having covered the security assessment of Windows Phone applications in some detail, this chapter discusses important coding practices for writing secure apps in the first place. Where appropriate, we’ve given code examples for use in apps that generally need to be “secure.”

General Security Design Considerations

You should consider several points when designing and analyzing the security of an app. These can be summarized as follows:

• Entry point analysis—What are the various ways, such as Interprocess Communications (IPC) endpoints (file handlers, protocol handlers), web communications, and downloading and parsing files, an attacker could push data into your app?
• Data validation—Does your app validate data before using it in potentially dangerous ways, or does it simply trust it? Try to make as few assumptions about data integrity and safety as possible.
• Data storage and handling—Does your app handle sensitive data? Does it store it? Sensitive data should not be stored in the clear, but should instead be encrypted using a sensible crypto algorithm choice, secure key generation, and cryptographic APIs.

Considering these general questions should make analyzing your app’s security and identifying areas that may require attention or further analysis easier to do.

Storing and Encrypting Data Securely

When applications deal with sensitive data and need to store it for later use (or transmit it across a network), storing this ...