Posted on Jun 17, 2013 in Blog, Security | 11 comments

Obfuscation of your software is important, especially if you are an independent developer trying to make a living creating Windows Phone and Windows Store applications. Why is this important? For starters, do you really like strangers peeping into your windows (no pun intended), prying in and seeing every move you make? The same applies to applications: whenever you make your application available to users, you give them every opportunity to pry into everything you do. Your intellectual property, trade secrets and source code are readily available to them. For instance, I did a very light search on Bing for my app’s xap (GoGetter) availability on the internet. I found a few sources where you could, if you wanted to, download my app’s xap, among other developers’ xaps of their applications. No bueno.

GoGetter pirated xap file


In case you’re not familiar with what a xap file is, a xap file is essentially a compiled Silverlight application. All Windows Phone applications are xap files. By renaming the extension of the application from .xap to .zip (myApp.xap -> myApp.zip), you are able to access all of the application’s contents. Within the xap, you will see that it contains an application manifest file. Here is an example of what the application manifest file would look like:

You will see that the application manifest file lists all the DLL files that are required for your application to work. You will see that there is a DLL file named “myApp”. This DLL would contain most of the intellectual property, such as the trade secrets and source code that make the application work. Of course, it could have other dependent DLLs as well, such as “TradeSecrets.dll”, “SuperAlgorithm.dll”, etc…

What exactly can you do with these DLLs? Well for starters, you can use tools such as

to decompile the DLLs. A formal definition of decompilation would be:

A decompiler is a computer program that performs the reverse operation to that of a compiler. That is, it translates program code at a relatively low level of abstraction (usually designed to be computer readable rather than human readable) into a form having a higher level of abstraction (usually designed to be human readable). Decompilers usually do not perfectly reconstruct the original source code, and can vary widely in the intelligibility of their outputs. Nonetheless, decompilers remain an important tool in software reverse engineering.

Unfortunately, the programming languages and frameworks used to build Windows Phone and Windows Store applications, such as C# and the .Net framework, compile down to MSIL (Microsoft Intermediate Language), which is easy to decompile with the tools mentioned above. Here’s an example of a decompilation I did, with JetBrains’ dotPeek, of an open source DLL that is no longer maintained.

Dropboxy decompiled by JetBrains’ dotPeek

Kind of scary to know that without proper obfuscation of your code, anyone, mainly your competitors, can peek their beady little eyes in and take a long romantic stroll through your architecture, trade secrets, and source code.

So, how do you protect yourself then? The first step is to educate yourself and your development team. You and your development team need to know the importance of security in an application’s development lifecycle. Security of an application should be just as important as, or more important than, the functionality of an application. Your customers shouldn’t be exposed to weak security that could lead to sensitive information being compromised through reverse engineering. It is in your best interest, for both your intellectual property and your customers, to mitigate every risk that reverse engineering could create.

Secondly, there is a plethora of options when it comes to obfuscation. You need to educate yourself about the options that you have. It is advisable to research each option in terms of functionality, limitations, cost of ownership, and return on investment. Here is a short list of options for you to consider:

I personally recommend Crypto Obfuscator For .Net by LogicNP. Here is a short summary of Crypto Obfuscator features:

  • Powerful Code Protection, Obfuscation, Optimization And Simplified Deployment For Your .Net Apps.
  • Uses sophisticated techniques like symbol renaming, control flow obfuscation, resource protection, metadata reduction, anti-decompiler/disassembler protection, digital watermarking & more!
  • Protect your code and intellectual property from hackers, crackers or competitors
  • Save time and money investment in your software
  • Increase ROI for your business.
  • Save time & money spent handling deployment related issues.
  • Improve performance of your application.
  • Build a fast, light-weight and robust application.
  • Supports .Net 4.5, WinRT/Metro, Silverlight, XAP Files, Windows Phone 7/8, Compact Framework, XNA, XBox & more
  • Supports BAML/XAML Renaming+Resource Encryption For WPF/Silverlight Assemblies.
  • More features in detail…

I’d like to show you the gist of the settings I use for obfuscation of my applications. I have other settings in the other tabs, but this is the main bulk of it. These are what I call my “Go fuq yourself!” settings. I practically enabled most of what I was allowed to in order to protect my Windows Phone app. All settings are constrained by what a Silverlight application allows.

Crypto Obfuscator For .Net Settings

Here is a gotcha, blogged by Andrew Whitechapel from the Windows Phone Developer Blog, when obfuscating your Windows Phone or Windows Store application:

The only catch with this is that the Silverlight framework makes extensive use of reflection behind the scenes – and this makes it difficult for an obfuscator to analyze your assemblies correctly to figure out what level of obfuscation is safe.


Too much obfuscation may result in runtime errors. Just because your obfuscated code works on one version of the platform doesn’t mean the same obfuscated code will work the same way on another version. For version-resilience, therefore, you should choose obfuscation options conservatively. Specifically, you should generally avoid the code optimization features of obfuscators that eliminate unused code and data, coalesce strings, merge assemblies, and so on.
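As an added example (not part of the original post, and not a vendor's tool), here is a small Python script that performs the two checks discussed above: it opens a xap as a zip, reads the AssemblyPart entries of AppManifest.xaml to list which DLLs are your own code and therefore the ones to feed to the obfuscator, and scans XAML for the property names that data bindings resolve by reflection at runtime, which must be kept out of symbol renaming. The manifest and page snippet are constructed samples, and the prefixes used to tell platform DLLs from yours are an assumption.

```python
"""Inspect a Windows Phone .xap before and after obfuscation (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DEPLOY_NS = "{http://schemas.microsoft.com/client/2007/deployment}"
XAML_NS = "{http://schemas.microsoft.com/winfx/2006/xaml}"
# Assumed prefixes of assemblies shipped by the platform rather than by the developer.
PLATFORM_PREFIXES = ("Microsoft.", "System.")
# Matches {Binding Name} and {Binding Path=Name}; Silverlight resolves these by reflection.
BINDING_RE = re.compile(r"\{Binding\s+(?:Path=)?([A-Za-z_][\w.]*)")

def list_assemblies(xap_bytes):
    """Return (x:Name, Source) for every AssemblyPart listed in AppManifest.xaml."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        root = ET.fromstring(xap.read("AppManifest.xaml"))
    parts = root.find(f"{DEPLOY_NS}Deployment.Parts")
    if parts is None:
        return []
    return [(p.get(f"{XAML_NS}Name"), p.get("Source"))
            for p in parts.findall(f"{DEPLOY_NS}AssemblyPart")]

def first_party_assemblies(xap_bytes):
    """The DLLs holding the developer's own code, i.e. the ones worth obfuscating."""
    return [src for _, src in list_assemblies(xap_bytes) if not src.startswith(PLATFORM_PREFIXES)]

def binding_names(xaml_text):
    """Property names referenced by data bindings; renaming these breaks the page at runtime."""
    return sorted({m.group(1).split(".")[0] for m in BINDING_RE.finditer(xaml_text)})

# Constructed sample manifest: one app DLL and one platform DLL.
SAMPLE_MANIFEST = b"""<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    EntryPointAssembly="myApp" EntryPointType="myApp.App" RuntimeVersion="4.7.50308.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="myApp" Source="myApp.dll" />
    <AssemblyPart x:Name="Microsoft.Phone.Controls" Source="Microsoft.Phone.Controls.dll" />
  </Deployment.Parts>
</Deployment>"""

def build_sample_xap():
    """Build an in-memory xap (a zip) around the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xap:
        xap.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        xap.writestr("myApp.dll", b"MZ placeholder, not a real assembly")
    return buf.getvalue()

# Constructed XAML snippet with one direct and one Path= binding.
SAMPLE_PAGE = '<TextBlock Text="{Binding Title}" /><ListBox ItemsSource="{Binding Path=Tasks}" />'

if __name__ == "__main__":
    xap = build_sample_xap()
    print("DLLs to obfuscate:", first_party_assemblies(xap))
    print("names to exclude from renaming:", binding_names(SAMPLE_PAGE))
```

Run it against a real xap by reading the file's bytes into `list_assemblies`, and against the project's .xaml sources for `binding_names`; the resulting names are what to mark as excluded in the obfuscator's renaming settings.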

I hope this helps you sleep better at night after you have deployed your applications to the Windows Marketplace. If I missed something, please leave me a note. Thanks!


Hi, my name is David. I am a .Net, Silverlight, Windows Phone, Windows 8 developer. I created GoGetter for Windows Phone