Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Should you obfuscate a commercial .Net application?

I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe from reverse engineering?

like image 893
lowglider Avatar asked Sep 16 '08 10:09

lowglider


People also ask

Should I obfuscate my app?

Strongly consider utilizing obfuscation and runtime app self-protection if you release software that runs in an untrusted environment and has intellectual property, provides access to sensitive information, or has gated functionality.

Should I obfuscate my code?

It's essential to hide business logic and code to make it harder for attackers to gain access and start debugging and tampering with your app. (They often repackage an application with malicious code.) 3. Code obfuscation can drastically reduce file size, and download times can be reduced drastically as well.

Does obfuscation affect performance?

In general, obfuscation by renaming variables, methods, and classnames to more meaningless names does not impact performance.

What is .NET obfuscation?

Obfuscation is pretty simple (in concept), the idea is to alter your code in such a way that it makes the code much harder for a human to understand if they look at it using . NET reflection.


4 Answers

You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.

It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.

Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)

You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.

like image 158
Blair Conrad Avatar answered Oct 20 '22 00:10

Blair Conrad


Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.

If you have secrets in your code (like passwords), you're doing it wrong.

If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.

like image 37
Jay Bazuzi Avatar answered Oct 20 '22 00:10

Jay Bazuzi


At our company we evaluated several different obfuscation technologies, but they all had problems. The biggest problem was that we rely a lot on reflection, e.g. to dynamically create grids based upon property names.

So all of the obfuscators rename things, you can disable it of course, but then you lose a lot of the benefit of obfuscation.

Also, in our code we have a lot of NUnit tests which rely on a lot more of the methods and properties being public, this prevented some of the obfuscators from being able to obfuscate those classes.

In the end we settled on a product called .NET Reactor

It works very well, and we don't have any of the problems associated with the other products.

"In contrast to obfuscators .NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code. In detail, .NET Reactor builds a native wall between potential hackers and your .NET code. The result is a standard Windows based, not MSIL compatible, file. The original .NET code remains intact, well protected by native code and invisible for prying eyes. The original .NET code is not copied on harddisk at any time. There is no tool which is able to decompile .NET Reactor protected assemblies."

like image 12
RickL Avatar answered Oct 20 '22 02:10

RickL


The fact that you actually can reverse engineer it does not make obfuscation useless. It does raise the bar significantly.

An unobfuscated .NET assembly will show you all the source, highlighted and all just by downloading the .NET Reflector. Add obfuscation to that and you'll reduce very significatively the amount of people who'll be able to modify the code.

It depends on you are you protecting yourself from. If you'll ship it unobfuscated, you might as well open source the application and benefit from marketing. Shipping it obfuscated will only allow people to relatively easily generate modified binaries through patches instead of being able to steal your code and create a direct competitor. Getting the actual source from obfuscated code is very hard, depending on the obfuscator, of course.

like image 7
Vinko Vrsalovic Avatar answered Oct 20 '22 02:10

Vinko Vrsalovic