Marketplace, Please Update my Previously Purchased Apps

The Windows Marketplace for Mobile is available to Windows Mobile 6.5 users and will be available to 6.0 and 6.1 users by the end of the month. You've installed all of your previous applications onto your phone and have started the Marketplace application, only to make a disappointing discovery: the Marketplace client doesn't update the applications that you acquired before the release of the Marketplace! Right now, if you wanted to receive the updates through the Marketplace application, you would need to repurchase the application. Why won't the Marketplace application perform the updates?

I'm of the opinion that it's perfectly valid and justifiable that the Marketplace not perform this task. To illustrate why, let's suppose that we tried to provide such functionality and examine some of the obstacles that could be encountered.

The Application ID

When a developer uploads an application into the Marketplace, the application is assigned an ID. When a customer purchases an application, it is noted that the user now has authorization to access the application with that ID. As long as the developer continues to make updates to that application under the same ID, the user can continue to receive updates for the application. If the developer decides that he no longer wants the users to get free updates on an application, the developer can just upload the application under a new ID. As a result, a user will not receive that application unless he or she purchases the new version (which, despite possibly having the same title, may have a different application ID). Automatically making application updates available to users who had purchased applications outside of the Marketplace would require an automated method of identifying the applications that are already present on the user's device and then mapping those applications to IDs within the Marketplace. Let's look closer at identifying the application.

Identifying an Application

So how does one identify that an application is present? The quick and dirty solution would be to scan the list of programs that are listed within the "Remove Programs" application on the phone. But such a solution is flawed. I could easily make a fake program that has the same title as an existing application and install it to make it look like I have that application. If you are familiar with making installations for Windows phones, then you know that there's more to an application's identity than just the application's title. But the same concept still applies. It is possible to make a fake installation that matches other attributes of the real application. As more attributes are used to identify the application, it becomes more difficult to fake its identity.

Something else that can be examined is the attributes of the program's files. We could examine the length and checksum of the files that compose a program installation to raise the success rate of identification. But the solution would require that the developer gather all identifying information on the different versions and permutations of their application installation and upload it to a Microsoft database so that it could identify these applications.

Still missing is authenticating that a developer who claims to have made a specific application truly is the owner of that application. Without authentication, a malicious developer could claim another application to be their own and use it to overwrite the programs of a competitor. As an illustration, let's say that I decide to make an application that competes with someone's Twitter client (such as PocketTwit). I could gather the identifying attributes of the PocketTwit application and upload those attributes while claiming that they belong to an older version of my own application (let's call this fake application PurseTweet). As users of PocketTwit begin to use the Marketplace application, it would mistake their application for my PurseTweet application and notify them that an update was available.
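
The identification scheme described above, as an added example that is not part of the original post: a hypothetical Marketplace-side registry matches installed files by name, length and checksum (SHA-256 is an assumption; the post names no algorithm). The registry class, developer names, file contents and application IDs are all constructed for illustration.

```python
import hashlib

def fingerprint(files):
    """Identify an installation by each file's name, length and checksum."""
    return frozenset(
        (name, len(data), hashlib.sha256(data).hexdigest())
        for name, data in files.items()
    )

class FingerprintRegistry:
    """Hypothetical database of fingerprints uploaded by developers."""

    def __init__(self):
        self.claims = {}  # fingerprint -> [(developer, app_id), ...]

    def submit(self, developer, app_id, fp):
        # Nothing here proves the submitter built these files: anyone holding
        # a copy of the installation can compute the same fingerprint.
        self.claims.setdefault(fp, []).append((developer, app_id))

    def match(self, installed_files):
        """Return (status, app_id); never auto-map a contested fingerprint."""
        owners = self.claims.get(fingerprint(installed_files), [])
        if not owners:
            return ("unknown", None)
        if len({dev for dev, _ in owners}) > 1:
            return ("conflict", None)
        return ("matched", owners[0][1])

# Constructed sample installations: file name -> contents.
REAL_INSTALL = {"PocketTwit.exe": b"real client build 1", "skin.dat": b"theme"}
FAKE_INSTALL = {"PocketTwit.exe": b"stub with same title", "skin.dat": b"theme"}

def scenario(real_dev_registers):
    """Match a real and a title-only fake install against the registry."""
    reg = FingerprintRegistry()
    if real_dev_registers:
        reg.submit("pockettwit-dev", "app-1001", fingerprint(REAL_INSTALL))
    # The competing developer claims the same attributes as an "older version".
    reg.submit("pursetweet-dev", "app-2002", fingerprint(REAL_INSTALL))
    return reg.match(REAL_INSTALL), reg.match(FAKE_INSTALL)

if __name__ == "__main__":
    print(scenario(False))  # only the false claim is on file
    print(scenario(True))   # both claims on file
```

The checksum rejects the title-only fake in both runs, but with only the competitor's claim on file the real installation maps to the competitor's ID, and with both claims on file the registry can only refuse to choose. Neither outcome establishes who owns the application.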

So You Have the Application, but Are You Entitled to Have It?

Once the identity of an application is verified, does that mean that it is a safe conclusion that the user is eligible for an application update? It is hard to say. Different developers have different conditions and licensing restrictions for their software. Some don't care if you freely copy their software around. Others want only purchasers of the application to have the right to run it on their devices. And still others want to ensure that their software is restricted to running on one device per purchase, regardless of how many devices the user owns. My point here is that the application could have been acquired in or out of compliance with the conditions that the developer has defined. The assumption that all software on the device was acquired in compliance would open the Marketplace to several exploits. All one would need to do is acquire software in some method that is outside of compliance (copying from another device, downloading from a warez site, or even through the currently available exploits that expose a cab for copying), and that one act would provide the user with a string of free application updates.

But I have an Unlock Code.  Doesn't that prove that I have Genuine access to the Application?

The possession of a license code doesn't help the situation much.  Prior to the Marketplace each developer that used activation codes had their own method of interpreting the codes and verifying that the codes were authentic.  Most activation codes must be validated against some algorithm or pattern that varies from one developer to another or from one application to another. These codes could either provide complete access to the software title or only provide access to portions of the features of the software. For these codes to be consumable by the Marketplace the developer would need to be able to share the algorithm that their software used with the Marketplace system. For some developers this may not be an issue. For other developers the pattern used by their activation solution may be intellectual property that the developer does not want to share.  There are even some applications for which the activation solution was purchased from a third party and thus the developer may not have that information.

Does This Mean that Purchasers of Pre-Marketplace Applications are Out of Luck?

No, it doesn't, though the solution for this problem is not yet available. Microsoft will give developers the ability to create vouchers for their software. The developer can use the methods that they feel appropriate to decide whether or not a user has authentic access to their software. If the developer gives a user a voucher, then the user can become authorized to download and receive updates for an application without a fee. Once the ability to issue vouchers is made available, the developer can issue vouchers to users who had purchased applications from outside of the Marketplace.

Note that a developer is not obligated to do this. A developer can decide to keep their Marketplace customers and non-Marketplace customers managed differently. Items purchased outside of the Marketplace will in some cases result in more money in the developer's pocket because the 30% commission and VAT are not subtracted. Or a developer just may not feel like bothering with the effort to move their customers to the Marketplace. I won’t get into a discussion of whether or not it’s justifiable for a developer to not move a customer over. Regardless of whether it’s right or wrong, Microsoft is allowing the developers to be the decision makers for their own software. Microsoft is only acting as a distributor for the software.