Xamarin Code Security

Question

I am developing an application which involves payments. I will employ some sort of encryption in the app and also some encryption and security on the server backend.

I want to know to secure my Xamarin code specially when deploying to Android. I know that Xamarin.iOS converts to native code but Xamarin.Android deploys the .Net code in DLL which can easily be decompiled using DotPeek or any other tool and the code will be visible including my encryption keys or any other security related data which is necessary for security between server and my app. Obfuscation is an option but I want to know any other options. Please guide me on this issue because it is of much concern to me.

Answer 1

To answer your question directly: No, there is nothing inherently protecting a Xamarin-compiled Android app from reverse engineering attacks.

Just as you must take action to defend the Android-native code in your APK with tools like ProGuard, the .NET assembly that contains your app's business logic will require you to take special action to obfuscate, encrypt, or otherwise defend the assembly from those prying eyes. With a relatively small .NET toolchain and the interest to go spelunking through Intermediate Language code, one can learn quite a bit about how an app is put together. Just to be clear, ProGuard only obfuscates the app's Java code, and offers no protection for .NET assemblies found within Xamarin-compiled APKs.

As pointed out in your question as well as within the question's commentary, tools like DotPeek, ildasm, ILSpy, and Reflector offer an incredibly easy (and in many cases free!) way to go inspect a .NET assembly and many of these tools offer mechanisms to transform substantial swaths of IL code back to a higher level .NET language like C# or VB.NET. With a little additional effort, these higher-level classes can be plugged into a Visual Studio or Xamarin Studio solution and converted back to running code -- eep! Since Xamarin.Android uses Just-In-Time compilation, in addition to a ProGuard-like solution on your Android-native code, you can implement an obfuscator like Babel for .Net or Crypto-Obfuscator for .Net that offer a host of developer-configurable obfuscation techniques/rules as well as options to encrypt parts of the assembly.

While these tools make the cat-and-mouse game of reverse engineering more difficult, we are ultimately talking about trying to protect client-side code; those that are determined to look at the underlying implementation and have the patience to do so will be able to hunt through the clues left in your binaries and assemblies to start to work out obfuscation or encryption techniques that are in use. While there is no 100% secure tool, mechanism, or security approach, you can reduce risk by applying a layered approach to security with an eye towards the 'risk vs. costs/impact' of spending time both implementing a multi-layered approach and the additional complexity introduced by adoption of these additional security measures. As SilverlightFox recommends, engaging a security professional to audit your application in the context of the rest of your organization's platforms can be an important step towards identifying additional areas for improvement, highlighting potential areas of concern or getting recommendations towards further improving your organization's selected approach to platform security.