Just a reminder for you folks out there: The new ProtectedData wrapper for DPAPI in WP 7 “Mango” Release won’t help you against guys who got phyisical access to your device.
It looks like ProtectedData uses the ProductID of the installed application as a key. The key will stay the same with updated versions of your application therefore you can just fake an application update and get access to even protected isolated storage content for free.
Please see attached VS2010 – WP7 “Mango” Release Sample file used as a Proof-Of-Concept. Steps for PoC:
- Deploy & Start AppA
- Click on “Write” Button, click on “Read” Button to make sure the current Time got written correctly
- Stopp AppA (don’t uninstall it!)
- Deploy & Start AppB (notice AppB replaced AppA in Windows Phone’s application launcher)
- Click on “Read”
- The shown data is the data written by AppA read from a completely different application.
And, yes, you have the possibility to add additional entropy but that does not solve the underlying problem. Entropy, as far as I understood it, will only help against clear-text or brute force attacks.
- Sample solution: DPAPI