(Why) should I use obfuscation?

Question

It seems to me obfuscation is an idea that falls somewhere in the "security by obscurity" or "false sense of protection" camp. To protect intellectual property, there's copyright; to prevent security issues from being found, there's fixing those issues. In short, I regard it as a technical solution to a social problem. Those almost never work.

However, I seem to be the only one in our dev team to feel that way, so I'm either wrong, or just need convincing arguments. Our product uses .NET, and one dev suggested .NET Reactor (which, incidentally, was suggested in this SO thread as well).

.NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code.

So, basically, you throw all advantages of bytecode away in one go?

Are there good engineering benefits to obfuscation?

Answer 1

You asked for engineering reasons, so this is not strictly speaking an answer to the question. But I think it's a valid clarification.

As you say, obfuscation is intended to address a social problem. And social (or business) problems, unlike technical ones, rarely have a complete solution. There are only degrees of success in addressing or minimising the problem.

In this case, obfuscation will raise the barriers to someone decompiling and stealing your code. It will discourage casual attacks and, through inertia, may make your intellectual property less likely to be stolen. To make a tiresome analogy, an immobiliser doesn't prevent your car being stolen, but it will make it less likely.

Of course there is a cost, in maintainability, (possibly) in performance and most importantly in making it harder for users to accurately submit bug reports.

As GateKiller said, obfuscation won't prevent a determined team from decompiling, but (and it depends what your product is) how determined a team is likely to be attacking you?

So, this is not a technical solution to a social problem, it's a technical decision which adds one influence to a complex social structure.

Answer 2

If a big team of programmers really want to get at your source code and that had the time, money and effort, then they would be successful.

Obfuscation, therefore, should stop people who don't have the time, money or effort to get your source, passers by you might call them.

Answer 3

If you stick to pure managed code obfuscation, you can shave off quite a bit of an assembly size, and obfuscated classes/function names (collapsed to single letters) mean smaller memory footprint. This is almost always negligible, but does have an impact (and is used) on some mobile/embedded devices (though mostly in java).