Should you obfuscate a commercial .Net application?

c# .net obfuscation

I was thinking about obfuscating a commercial .Net application. But is it really worth the effort to select, buy and use such a tool? Are the obfuscated binaries really safe from reverse engineering?


Solution 1:

You may not have to buy a tool - Visual Studio.NET comes with a community version of Dotfuscator. Other free obfuscation tools are listed here, and they may meet your needs.

It's possible that the obfuscated binaries aren't safe from reverse engineering, just like it's possible that your bike lock might be breakable/pickable. However, it's often the case that a small inconvenience is enough to deter would be code/bicycle thieves.

Also, if ever it comes time to assert your rights to a piece of code in court, having been seen to make an effort to protect it (by obfuscating it) may give you extra points. :-)

You do have to consider the downsides, though - it can be more difficult to use reflection with obfuscated code, and if you're using something like log4net to generate parts of log lines based on the name of the class involved, these messages can become much more difficult to interpret.

Solution 2:

Remember that obfuscation is only a barrier to the casual examiner of your code. If someone is serious about figuring out what you wrote, you will have a very hard time stopping them.

If you have secrets in your code (like passwords), you're doing it wrong.

If you worried someone might produce your own software with your ideas, you'll have more luck in the marketplace by providing new versions that your customers want, with technical support, and by being a partner to them. Good business wins.

Solution 3:

At our company we evaluated several different obfuscation technologies, but they all had problems. The biggest problem was that we rely a lot on reflection, e.g. to dynamically create grids based upon property names.

So all of the obfuscators rename things, you can disable it of course, but then you lose a lot of the benefit of obfuscation.

Also, in our code we have a lot of NUnit tests which rely on a lot more of the methods and properties being public, this prevented some of the obfuscators from being able to obfuscate those classes.

In the end we settled on a product called .NET Reactor

It works very well, and we don't have any of the problems associated with the other products.

"In contrast to obfuscators .NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code. In detail, .NET Reactor builds a native wall between potential hackers and your .NET code. The result is a standard Windows based, not MSIL compatible, file. The original .NET code remains intact, well protected by native code and invisible for prying eyes. The original .NET code is not copied on harddisk at any time. There is no tool which is able to decompile .NET Reactor protected assemblies."

Related

How to close a SQLAlchemy session?
Speed up bitstring/bit operations in Python?
What is the difference between reg and wire in a verilog module
Regular expressions with validations in RoR 4
How to add "provided" dependencies back to run/test tasks' classpath?
Aggregate function in SQL WHERE-Clause
How to analyze information from a Java core dump? [closed]
How to create singleton class in objective C
unix - count of columns in file
How can I use the python HTMLParser library to extract data from a specific div tag?
How to Disable Spell Checking for All My Projects
Compare two Lists for differences