Isolated Storage misunderstanding

Question

This is a discussion between me and me to understand an Isolated Storage issue. Can you help me to convince me about Isolated Storage?

This is code written for a Windows Forms application (reader) that read the isolated storage of another Windows Forms application (writer) which is signed. Where is the security if the reader can read the writer's file? I thought only signed code can access the file!

If all .NET applications are born equal and have all permissions to access Isolated Storage, where is the security then? If I can install and run an EXE file from Isolated Storage, why I don't install a virus and run it, I am trusted to access this area. But the virus or whatever will not be trusted to access the rest of file system, it only can access the memory, and this is dangerous enough.

I cannot see any difference between using the application data folder to save the state and using Isolated Storage except a long nasty path!!

I want to try give low trust to reader code and retest, but they said "Isolated storage is actually created for giving low trusted application the right to save its state".

Reader code:

 private void button1_Click(object sender, EventArgs e)
 {
     String path = @"C:\Documents and Settings\All Users\Application Data\IsolatedStorage\efv5cmbz.ewt\2ehuny0c.qvv\StrongName.5v3airc2lkv0onfrhsm2h3uiio35oarw\AssemFiles\toto12\ABC.txt";
     StreamReader reader = new StreamReader(path);
     var test = reader.ReadLine();
     reader.Close();
 }

Writer:

private void button1_Click(object sender, EventArgs e)
{
    IsolatedStorageFile isolatedFile = IsolatedStorageFile.GetMachineStoreForAssembly();
    isolatedFile.CreateDirectory("toto12");

    IsolatedStorageFileStream isolatedStorage = new IsolatedStorageFileStream(@"toto12\ABC.txt", System.IO.FileMode.Create, isolatedFile);
    StreamWriter writer = new StreamWriter(isolatedStorage);
    writer.WriteLine("Ana 2akol we ashrab kai a3eesh wa akbora");
    writer.Close();
    writer.Dispose();
}

Answer 1

I agree about your "misunderstand" in the title; I think you're misunderstanding the purpose of isolated storage.

As I understand it the "isolated" does not mean "private storage that other programs can't access". It means a "sandbox" to give your low-trust program a place where it can save data when it might not have permission to write to somewhere else.

Answer 2

Of course you can reach any (known) location on the hard drive using your reader code, assuming that you have adequate permissions to access that location.

There are no special permissions applied to the IsolatedStorage area, but there are rules that apply to the low trust applications that use IsolatedStorage how it was intended to be used. There is absolutely nothing to prevent you from encrypting what you store there if you want to keep it private.

Edit: check out CLR Inside Out - Isolated Storage In Silverlight 2 and Silverlight out-of-browser apps: Local Data Store.