If you want to make it really safe (which may not be necessary), then the situation is complicated - you must assume that the player has access to the source code of your application (because he can decompile it) and also has access to all the keys that are stored in the application or anywhere on the phone. This means that if your application encrypts an account using a key stored on the phone, then an attacker can do the same with a fake account.
To make it truly secure, you probably need to send some game log to the server, and the server will need to verify that the log is a plausible way to end the game (i.e. the game could be played back that way). To fake an account in this system, an attacker would have to create a game log, which means creating an AI that can play the game better than a person (in order to get a better result). It may still be possible (if the game is convenient for computers), but I think that hardly anyone will bother.
In practice, I think you can simply add some obfuscation to the encoding method of the evaluation (for example, using symmetric encryption with the same key on the server and client). If someone looks at the data sent over the network, they will not be able to easily fake the best result. If they decompile the application, they can still do it, but this is probably unlikely (and you can check the number of points manually to see if there is anything suspicious).
[EDIT: I'm not a WP7 expert, so there might be something special provided by WP7, but basically it will still have the same problem]
Tomas Petricek
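The server-side replay idea from the answer above, as an added example that is not from the answer or any real game: a constructed toy game whose randomness (a seed) is issued by the server, so the score is fully determined by the seed plus the client's logged moves, and the server recomputes it instead of trusting a client-encrypted number. All names, the rules and the point values are assumptions made for this illustration.

```python
"""Server-side verification of a submitted game log (constructed toy game)."""
import random
from typing import List, Optional

# Toy rules (constructed for this example): the server picks a seed, which
# determines a hidden target digit 0..9 for every turn. Each turn the client
# submits one guess; a hit scores 10 points, a miss costs 1 point. Because the
# client never chooses the targets, (seed, guesses) fully determines the score
# and the server can replay the log rather than trust a claimed total.
MAX_TURNS = 20
HIT_POINTS = 10
MISS_POINTS = -1


def targets_for(seed: int, turns: int) -> List[int]:
    """Derive the hidden per-turn targets from the server-issued seed."""
    rng = random.Random(seed)          # server-controlled, never client-chosen
    return [rng.randrange(10) for _ in range(turns)]


def replay_score(seed: int, guesses: List[int]) -> Optional[int]:
    """Replay the log under the rules.

    Returns the score the log actually produces, or None when the log is not a
    plausible game at all (empty, too long, or a move outside the rules).
    """
    if not 0 < len(guesses) <= MAX_TURNS:
        return None
    if any(not isinstance(g, int) or not 0 <= g <= 9 for g in guesses):
        return None
    score = 0
    for target, guess in zip(targets_for(seed, len(guesses)), guesses):
        score += HIT_POINTS if guess == target else MISS_POINTS
    return score


def verify_submission(seed: int, guesses: List[int], claimed_score: int) -> bool:
    """Accept a score only if replaying the submitted log reproduces it.

    A forged submission therefore needs a log that genuinely plays that well,
    which is the work the answer above describes as writing a strong AI.
    """
    actual = replay_score(seed, guesses)
    return actual is not None and actual == claimed_score
```

A client that inflates its claimed total, or pads the log with impossible moves, is rejected because the replay does not reproduce the claim; a stolen client-side key would not help here, since the server never relies on one.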