All Windows Phone 7 applications undergo a security analysis when uploaded to the Windows Phone Marketplace. The analyzer checks to see what services your app requires and verifies that you have requested those services in the Application Manifest.
Windows Phone provides a capabilities-driven security model where a user must opt in to certain functionality within the application. For certain scenarios, Windows Phone APIs invoked by applications may require specific security permissions or user disclosure when run. By default, when you create a Windows Phone project, an application manifest file is auto-generated that includes a list of all the phone capabilities supported by Windows Phone. The Windows Phone operating system will grant security permissions to the application according to the capabilities listed in that manifest file.
The Phone SDK includes the Windows Phone Capability Detection Tool to help determine which capabilities to include in the manifest before submitting your application to Microsoft.
Be wary of third-party DLLs
Adding references to other DLLs can increase your security footprint. Any access requested in your referenced assemblies is considered part of your application capabilities too. I’ve been working with the AdControl in the Microsoft.Advertising.Mobile.UI.dll for an upcoming project. I noticed that it adds the following capabilities to the required list.
- ID_CAP_PHONEDIALER
- ID_CAP_NETWORKING
- ID_CAP_WEBBROWSERCOMPONENT
- ID_CAP_IDENTITY_USER
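
The manifest comparison described above can be scripted. This is an added example, not code from the original post or from the Phone SDK. It assumes the manifest keeps its capabilities as `Capability` elements with a `Name` attribute; the sample manifest is constructed, and the required set is the AdControl list given above.

```python
import xml.etree.ElementTree as ET

# Capabilities the post lists as required by the AdControl assembly.
ADCONTROL_CAPS = {
    "ID_CAP_PHONEDIALER",
    "ID_CAP_NETWORKING",
    "ID_CAP_WEBBROWSERCOMPONENT",
    "ID_CAP_IDENTITY_USER",
}

# Constructed sample manifest (not from a real app): it over-declares some
# capabilities and omits one that the referenced assembly needs.
SAMPLE_MANIFEST = """
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" Title="SampleApp">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_WEBBROWSERCOMPONENT" />
      <Capability Name="ID_CAP_IDENTITY_USER" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_MICROPHONE" />
      <Capability Name="ID_CAP_MEDIALIB" />
    </Capabilities>
  </App>
</Deployment>
""".strip()


def declared_capabilities(manifest_xml):
    """Return the set of capability names declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    # Match on the local tag name so the check works whether or not the
    # element carries the deployment namespace.
    return {
        el.get("Name")
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name")
    }


def audit(manifest_xml, required):
    """Compare declared capabilities against the set the app actually needs."""
    declared = declared_capabilities(manifest_xml)
    return {
        "missing": sorted(required - declared),  # needed but not requested
        "unused": sorted(declared - required),   # requested but not needed
    }


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_MANIFEST, ADCONTROL_CAPS).items():
        print(kind, names)
```

In practice the `required` set would be the union of what your own code needs and what each referenced assembly adds, so the "unused" entries are the ones to trim from the auto-generated manifest.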
