Obfuscation in Xamarin Projects

Question

As you know Xamarin projects are compiled into dot net dll assembly and it'll be pack into apk file and can be easily reflected by reflectors like DotPeek.

My first question is: How can we protect our code?

My second question is: Do obfuscator tools like SmartAssembly are usable in Xamarin projects or Xamarin projects won't support them?

Answer 1

The best way to protect your .NET code (.DLLS) for APKs is to enable Ahead Of Time (AOT) compilation:

AOT compilation will compile your applications IL code (.dlls) into native instructions. The final code that is packaged into the APK is then X86, arm etc instructions rather than managed IL code.

AOT compilation is only available in Enterprise and higher licenses.

While AOT increases the difficulty of reverse engineering, it's still not 100% fool-proof. The final binaries can still be pulled from a rooted device and reverse engineered using software like IDA pro. It's a lot harder than using DotPeek but its still possible.

It is also important to note the down sides of enabling AOT compilation. Application builds times increase significantly as every assembly referenced by your app needs to be compiled; my experiences indicated that you should expect a 200%-300% increase in build times when AOT is enabled.

Additionally, AOT compilation will increase the final APK size.

Answer 2

Dotfuscator has support for Xamarin and instructions are online (for Dotfuscator Professional or the free Community Edition) for how to integrate it. In essence, the process is:

1. Configure the build to run Dotfuscator via an AfterBuild target
2. Configure Dotfuscator:
   1. Specify the inputs
   2. Exclude things from renaming, as usual / as needed
   3. Only use Mono-compatible transforms (Pro-only)
3. Configure a Copy task or post-build event to copy the obfuscated binaries back to their original locations
4. Build, verify obfuscation, and test

Full disclosure: I work for PreEmptive Solutions.

Answer 3

For your first question, it is possible to use some tools for obfuscating your Xamarin code. For example, Crypto Obfuscator, Babel Obfuscator, and Dotfuscator

For your second question, it seems SmartAssembly obfuscation is possible. Check the Windows Phone part here.

Answer 4

There's no way you can fully 100% protect your code from being decompiled and looked into.

You could spend a lot of time hashing all of your methods and variables and then spend another lot of time creating some sort of application interpreter that will understand your obfuscated code, but even that will be looked into, investigated and eventually cracked.

Also see: How can I protect my .NET assemblies from decompilation?

Protect .NET code from reverse engineering?