Windows Phone Security Vulnerabilities and Language Overview


What is Windows Phone?

Initially released in November 2008 as Windows Mobile, Windows Phone began as a Windows Mobile update which was codenamed “Photon.” As an operating system, Windows Phone is not backwards compatible due to the time limitations that the team faced during development.

In 2015, Windows Phone was replaced by Windows 10 Mobile, which boasted a unified application ecosystem and an expansion of its scope to include small-screened tablets.

Larry Lieberman, senior product manager for Microsoft’s Mobile Developer Experience, told eWeek: “If we’d had more time and resources, we may have been able to do something in terms of backward compatibility.”

Currently, Microsoft is seeking to unify its applications, which means that many developers are remaking their applications as Universal Windows apps because the ROI on maintaining a stand-alone Windows Phone app is too low.


This is done through App Bridges. Microsoft’s Kevin Gallo explains why Microsoft is focusing on this:

“Our goal is to make it easy for developers of all sizes to bring existing code to the one billion devices we expect to see running Windows 10 in the next few years” … HTML/JavaScript, .NET and Win32, Java/C++ and Windows Phone bring their code to Windows, and provide a way to integrate with Universal Windows Platform capabilities.”


Which Applications are Built for Windows Phone

Applications built for Windows Phone are available via the Windows Phone Store (previously known as the Windows Phone Marketplace).

In March 2016, Windows Central reported that Microsoft’s Windows Phone Store boasted 500,000 apps, just one-third the apps found on Google Play and Apple’s App Store.

Big name apps available for Windows Phone include:

  • Instagram
  • Candy Crush
  • Uber
  • Twitter
  • Shazam
  • Netflix
  • Dropbox
  • Hulu
  • Starbucks

Mobile Security

As the content consumed around the globe shifts even further from web-based content to content consumed on mobile, it’s critical that anyone developing software for mobile devices commits to proper security throughout the development cycle.

“Over 7 billion mobile devices are being used today all around the world and their number is multiplying 5 times faster than human beings,” said Emmanuel Benzaquen, CEO of Checkmarx. “With the huge amounts of private information being transferred worldwide through these devices, the need for strong mobile security has become paramount. Mobile application security is a huge challenge and only robust application code can help organizations provide the users with the security they need, expect and deserve.”

Windows Phone Security Vulnerabilities

Applications for Windows Phone are written in C++, which presents security concerns for developers and users alike.

High-Risk Windows Phone Security Vulnerabilities:

High-Risk C++ Security Vulnerabilities:

Alongside SQL Injections (SQLi), Command Injections and process control issues, which affect many contemporary programming languages, C++ applications also face threats from:

Securing your Windows Phone Code

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Windows Phone testing solutions as not only the solution which will keep your Windows Phone code free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

CxSAST works with the tools your developers are already using, as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features, such as incremental code scanning and the best fix location, make it ideal for any continuous integration continuous development (CICD) environment.

When vulnerabilities are detected in the Windows Phone code, CxSAST will not only identify the best fix location, but will also offer resources to help the developer understand how the attack vector works, as well as remediation advice which will help them ensure similar mistakes are avoided in the future.