Up, Up, and Away!

Keep your hands off my xap! – Obfuscating your Windows Phone and Windows Store code.

Obfuscation of your software is important, especially if you are an independent developer trying to make a living creating Windows Phone and Windows Store applications. Why is this important? For starters, do you really like strangers peeping into your windows (no pun intended), prying in and seeing every move you make? With applications, whenever you make your application available to users, you are giving them every opportunity to pry into everything you do. Your intellectual property, trade secrets, and source code are readily available to them. For instance, I did a very light search on Bing for the availability of my app’s xap (GoGetter) on the internet. I found a few sources where you could, if you wanted to, download my app’s xap, alongside other developers’ xaps of their applications. No bueno.

GoGetter pirated xap file


In case you’re not familiar with what a xap file is, a xap file is essentially a compiled Silverlight application. All Windows Phone applications are xap files. By renaming the extension of the application from .xap to .zip (myApp.xap ->, you are able to access all of the application’s contents. Within the xap, you will see that it contains an application manifest file. Here is an example of what the application manifest file would look like:

You will see that the application manifest file lists all the DLL files your application requires in order to work. You will see that there is a DLL file named “myApp”. This DLL contains most of the intellectual property, such as trade secrets and the source code that makes the application work. Of course, it could have other dependent DLLs as well, such as “TradeSecrets.dll”, “SuperAlgorithm.dll”, etc.
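Before worrying about what an obfuscator will do to those DLLs, it helps to look at the package the way a user who renamed it to .zip sees it. The following Python script is an added example, not code from this post or from GoGetter: it opens a .xap as a zip archive, reads the Silverlight deployment manifest AppManifest.xaml, lists every declared AssemblyPart, and flags DLLs that are in the package but not declared (still readable by anyone) or declared but not shipped (a load failure waiting to happen). The manifest text, the in-memory sample xap and all file names are constructed for illustration, modelled on the format Visual Studio emits and using the DLL names from the post.

```python
"""Inventory the assemblies shipped inside a Windows Phone / Silverlight .xap.

A .xap is a plain zip archive. AppManifest.xaml inside it declares every
assembly the Silverlight runtime will load, one <AssemblyPart Source="..."/>
per DLL. Listing those parts before you submit a build shows you exactly
which DLLs a user can extract and decompile, i.e. which ones must have gone
through the obfuscator.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by a Silverlight deployment manifest (AppManifest.xaml).
DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Constructed sample manifest, modelled on the format Visual Studio emits;
# the assembly names follow the post's examples (myApp, TradeSecrets, ...).
SAMPLE_MANIFEST = """\
<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
            xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
            EntryPointAssembly="myApp" EntryPointType="myApp.App"
            RuntimeVersion="4.7.50308.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="myApp" Source="myApp.dll" />
    <AssemblyPart x:Name="TradeSecrets" Source="TradeSecrets.dll" />
    <AssemblyPart x:Name="SuperAlgorithm" Source="SuperAlgorithm.dll" />
  </Deployment.Parts>
</Deployment>
"""


def parse_app_manifest(xml_data):
    """Return (entry_point_assembly, [(x:Name, Source), ...]) from AppManifest.xaml."""
    root = ET.fromstring(xml_data)
    entry = root.get("EntryPointAssembly")
    parts = []
    for part in root.iter("{%s}AssemblyPart" % DEPLOY_NS):
        parts.append((part.get("{%s}Name" % XAML_NS), part.get("Source")))
    return entry, parts


def inventory_xap(xap_bytes):
    """Compare the manifest's declared assemblies with the DLLs actually in the zip."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = set(z.namelist())
        if "AppManifest.xaml" not in names:
            raise ValueError("AppManifest.xaml missing: not a Silverlight/Windows Phone xap")
        entry, parts = parse_app_manifest(z.read("AppManifest.xaml"))
    declared = {src for _, src in parts}
    dlls = {n for n in names if n.lower().endswith(".dll")}
    return {
        "entry_point": entry,
        "declared": sorted(declared),
        # Shipped but never declared: the runtime won't load it, yet it is still readable.
        "undeclared_dlls": sorted(dlls - declared),
        # Declared but absent: the app will fail to load that part at runtime.
        "missing_from_archive": sorted(declared - dlls),
    }


def build_sample_xap():
    """Build a constructed .xap in memory (placeholder bytes stand in for real PE files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        z.writestr("myApp.dll", b"MZ-placeholder")
        z.writestr("SuperAlgorithm.dll", b"MZ-placeholder")
        # Present in the package but not declared in the manifest.
        z.writestr("Microsoft.Phone.Controls.Toolkit.dll", b"MZ-placeholder")
        # TradeSecrets.dll is declared above but deliberately left out.
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .xap path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xap()
    for key, value in inventory_xap(data).items():
        print("%-22s %s" % (key + ":", value))
```

Run it against a real release xap as the last step before submission: every entry under "declared" is an assembly a user can pull out and open in a decompiler, so each one should either be a platform assembly or one you have run through the obfuscator.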

What exactly can you do with these DLLs? Well, for starters, you can use tools such as

to decompile the DLLs. A formal definition of decompilation would be:

A decompiler is a computer program that performs the reverse operation to that of a compiler. That is, it translates program code at a relatively low level of abstraction (usually designed to be computer readable rather than human readable) into a form having a higher level of abstraction (usually designed to be human readable). Decompilers usually do not perfectly reconstruct the original source code, and can vary widely in the intelligibility of their outputs. Nonetheless, decompilers remain an important tool in software reverse engineering.

Unfortunately, the programming languages and frameworks used to build Windows Phone and Windows Store applications, such as C# and the .Net framework, compile down to MSIL (Microsoft Intermediate Language), which is easy to decompile with the tools mentioned above. Here’s an example of a decompilation I did, with JetBrains’ dotPeek, of an open source DLL that is no longer maintained.

Dropboxy decompiled by JetBrains’ dotPeek

Kind of scary to know that without proper obfuscation of your code, anyone – mainly your competitors – can peek their beady little eyes in and take a long romantic stroll through your architecture, trade secrets, and source code.

So, how do you protect yourself then? The first step is to educate yourself and your development team. You and your development team need to know the importance of security in an application’s development lifecycle. Security of an application should be just as important as, or more important than, the functionality of an application. Your customers shouldn’t be exposed to weak security that could lead to sensitive information being compromised through reverse engineering. It is in your best interest, both for your intellectual property and for your customers, to mitigate every problem that reverse engineering could cause.

Secondly, there is a plethora of options when it comes to obfuscation, and you need to educate yourself about the options you have. It is advisable to research each option in terms of functionality, limitations, cost of ownership, and return on investment. Here is a short list of options for you to consider:

I personally recommend Crypto Obfuscator For .Net by LogicNP. Here is a short summary of Crypto Obfuscator features:

  • Powerful Code Protection, Obfuscation, Optimization And Simplified Deployment For Your .Net Apps.
  • Uses sophisticated techniques like symbol renaming, control flow obfuscation, resource protection, metadata reduction, anti-decompiler/disassembler protection, digital watermarking & more!
  • Protect your code and intellectual property from hackers, crackers or competitors
  • Save time and money investment in your software
  • Increase ROI for your business.
  • Save time & money spent handling deployment related issues.
  • Improve performance of your application.
  • Build a fast, light-weight and robust application.
  • Supports .Net 4.5, WinRT/Metro, Silverlight, XAP Files, Windows Phone 7/8, Compact Framework, XNA, XBox & more
  • Supports BAML/XAML Renaming+Resource Encryption For WPF/Silverlight Assemblies.
  • more features in detail…

I’d like to show you the gist of the settings I use to obfuscate my applications. I have other settings in the other tabs, but this is the main bulk of it. I call these my “Go fuq yourself!” settings. I enabled practically everything I was allowed to in order to protect my Windows Phone app; all settings are constrained by it being a Silverlight application.

Crypto Obfuscator For .Net Settings

Here is a gotcha, blogged by Andrew Whitechapel from the Windows Phone Developer Blog, when obfuscating your Windows Phone or Windows Store application:

The only catch with this is that the Silverlight framework makes extensive use of reflection behind the scenes – and this makes it difficult for an obfuscator to analyze your assemblies correctly to figure out what level of obfuscation is safe.


Too much obfuscation may result in runtime errors. Just because your obfuscated code works on one version of the platform doesn’t mean the same obfuscated code will work the same way on another version. For version-resilience, therefore, you should choose obfuscation options conservatively. Specifically, you should generally avoid the code optimization features of obfuscators that eliminate unused code and data, coalesce strings, merge assemblies, and so on.

I hope this helps you sleep better at night after you have deployed your applications to the Windows Marketplace. If I missed something, please leave me a note. Thanks!


Recommended Reading:

Visual Studio 2012 and .NET 4.5 Expert Development Cookbook (Kindle Edition)


Hacking Web Apps: Detecting and Preventing Web Application Security Problems (Kindle Edition)


Hi, my name is David. I am a .Net, Windows Phone, Windows 8 developer. I created @gogetter for Windows Phone

Filed under: Blog, Security
  • dalydose

    That was a whole lotta “me no understand”, but yet it scared me all the same. :)

    • davidarodriguez

      How do I LIKE your comment? hehe.

    • davidarodriguez

      How do I LIKE your comment? 😉

      • Brandon

        click the ^ :)

  • Brandon

    You really need to add some sharing options for your posts, dude!

    • davidarodriguez

      Just added the share buttons sir! Thanks for helping me. Have a good day amigo!

  • Neil Haughton

    Just open source your code – then you have no secrets to get paranoid about. If you truly have something genuinely novel in your code (most likely not), patent it. If you can’t patent it, it’s not novel so there’s no point in trying to keep it secret.

    • Tom Tucker

      An ounce of prevention…
      Like I really want to patent my code so I can always be decompiling others’ software to see if they are using my patented code. What if they steal my patented code and then obfuscate it so I couldn’t tell?

    • davidarodriguez

      Open source is not an option for me, or really anyone who is developing apps for the Marketplace in order to make a profit. With that said, I say any type of prevention is good prevention. I know that obfuscation can be reverse engineered; however, I’d like to make it harder for my code to be attained by obfuscating it. Filing for a patent is a good idea. However, I don’t think most independent developers have a spare 10k-15k, minimum, to spend on a patent. Government filing fees can start at $500 minimum, along w/ any type of professional drawings or schematics to be associated with the filing, which can be another $400-$500 minimum.

      You probably could find a cheap attorney; however, you get what you pay for. Attention to detail is important in filing for a strong patent vs. a weak one. In order to get a strong patent, it requires more claims and attention to providing adequate disclosure, describing in detail all the variations, options, and embodiments as much as possible.

  • n00bhunter
    • davidarodriguez

      Really interesting. I’ll have to look into this more. Thanks for sharing.