The Windows Phone 7 platform offers isolated storage that works in the same way that the isolated storage APIs for the Microsoft® Silverlight® browser plug-in work in Windows. Isolated storage provides a dictionary-based model for storing application settings, and it enables the application to create folders and files that are private to the application.
Figure 2 shows how each application on a Windows Phone 7 device only has access to its own, private storage on the device, and cannot access the storage belonging to other applications.
Tailspin does not encrypt the data that the mobile client application stores in isolated storage because it does not consider the data that the application uses to be confidential. This may not be true of all Windows Phone 7 applications, and you must consider whether your application should take steps to protect any data that it stores on the phone.
Note: The sample application stores user names and passwords in plain text in isolated storage. In a real application, you should take steps to protect any stored credentials, perhaps by using a salt and hash when you store passwords in isolated storage.
There are two scenarios to think about when you are implementing security for data stored on the phone. The first is whether other applications on the phone could potentially access your application’s data and then transmit it to someone else. Because the isolated storage model used on Windows Phone 7 limits applications to their own storage, this is a very unlikely scenario. However, security best practices suggest that you should guard against even unlikely scenarios, so you may want to consider encrypting the data in your application’s isolated storage.
The second scenario to consider is what happens if an unauthorized user gains access to the device. If you want to protect your data in this scenario, you must encrypt the data while it is stored on the device. The Windows Phone 7 API includes support for several cryptographic algorithms that can help you securely encrypt your data.
Tailspin used isolated storage and serializable model classes to store the application’s settings and survey data. The initial release of the Windows Phone 7 platform does not include a version of SQL Server Compact edition, but the developers at Tailspin would like to have the option to move to this storage platform if it becomes available in the future. They have implemented the storage service in the application in a way that makes it easy to replace the storage classes with alternative implementations if they later decide to use a different storage technology. The current implementation also makes it easy to test the storage functionality in the application.