When the Windows Marketplace for Mobile was first announced, not much was known about the security model that it was going to use. As a quick review, I'll refer back to something that I posted a few months ago in another blog entry.
"Applications distributed through the Windows Mobile Market Place are tied to a Live ID Account. This should help protect against piracy while at the same time minimizing the amount of inconvenience that a user experiences from software protection."
That didn't really tell us how it worked; it was more of an expression of intent. Today Microsoft released another document that provides more detailed information on their copy protection scheme and the options that a developer has. The complete paper is 12 pages and you can find it here. I'll try to summarize what you'll find in it.
There are two levels of protection that an application can have: Standard and Advanced.
For the Standard protection level, there's nothing that you need to do to your cab. When the application is purchased, the phone downloads the cab, installs it, and deletes the cab to ensure it is not around to be copied. If the purchaser pays for their application on the Web, the cab file is not transferred to his or her computer. Instead the purchaser is instructed to start up the Marketplace application on his or her phone so that the download can begin. If you'd like a stronger form of protection, then you can use the Advanced security option.
For the Advanced option, there are code changes that you will need to make to your application. The application will be bound to a license key, and the lines of code that you add to your application check for the presence of the device-bound license files. For this level of protection, you start the application submission process, enter your application data in the developer's portal, and get back a few lines of code to be added to your application. You can then compile your application and prepare it for submission. When a user purchases the application, both the application and a license key are delivered to the device. The lines of code that were received from the developer's portal check that a valid license is present and allow the developer to decide on a course of action if the key is not present. The validation all takes place on the phone, so no external Internet connection is needed.
For more details, see the paper at the link provided above. At the time of this writing, the feature is not yet available in the developers' portal, so I cannot yet review it.