Is it possible to extract the code of a Xamarin Android application and inspect it?
I am in last stages of one Application which would be soon released on Play Store. However, I am worried if the code could be extracted and looked at by other people.
Please advise, how to secure my App from other people looking at the code for it.
Yes, it is possible to extract the code of a Xamarin.Android application. By default, the .dll files are just resources inside the APK, and they can be extracted with a zip utility and examined with e.g. ILSpy.
The Xamarin docs explain how to protect your application, including:
Disable debugging
Obfuscate with Dotfuscator
Bundle assemblies into native code (but see below)
Use AOT (native) compilation (but see below)
Note that #3 requires an Enterprise license and just puts the .NET .dlls a layer deeper in the APK; it is still possible to extract them and they are still unobfuscated.
Note that #4 is explicitly listed as an experimental feature that should not be used in production.
Full disclosure: I work for PreEmptive Solutions, and we make Dotfuscator.
You can select Ahead Of Time (AOT) compilation.
That won't prevent extraction, but will made it very difficult to do. On top of that, you can use
Crypto Obfuscator.
I would suggest to read about SafetyNet as well, which provides a set of services and APIs that help protect your app against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users:
https://developer.android.com/training/safetynet/index.html
Obfuscating of Xamarin Android apps is of no sense (you can turn on "Enable ProGuard" option if you want but it will not Obfuscate your code) its better to turn on "Embed assemblies to native code" which will convert all code into a binary .so file. and it will make it difficult for hacker or reverse engineer to read that code and do reverse engineering AOT but that is in experimental and might create problem for some device after updated on play store. in order to play safe i would suggest to go with "Embed assemblies to native code"
Related
When we want to use a native shared library, we have to have the header files. So when we publish the software, others do not have the header files and they can not use the library.
But the managed library does not need any headers. Because you can simply use add reference in Visual Studio and use Object Browser to see all the classes and namespaces.
So when we publish our application with managed library, not only others can use our library in their own project (whether it is obfuscated or not), but also they can decompile it and see the whole source code if it is not obfuscated.
Is it true?
How can we secure our managed library?
Well, that's perfectly safe. In practice the main impact of having users able to see (a decompiled approximation of) the workings of the library is that you sometimes get a higher quality of bug report from them.
Software companies like Microsoft manage to eke a living despite consumers being able to decompile their libraries, or indeed just read the published source.
But if you really want to prevent it then being managed does not preclude being obfuscated.
There are several obfuscators available, and if you really want to get in the way of your users, you can ilmerge in the library to a make a single obfuscated executable, so they can't even use the library, never mind give you useful feedback copy your code.
I am interested in this new platform - Tidekit. But I couldn't find any answer to my questions:
Is it possible to add C# (or at least C++/JAVA) code or Dll libraries to the solution?
Is it possible to make a package with html+js+css and native code (C#/C++/Java) working in one executable file or executable + dlls?
There are already working solutions like CefSharp, Awesomium, but there is a problem to make external resources (html, css, js) embedded inside the project.
I would like to hide my implementation from end users somehow.
I'll appreciate any answer related to my questions.
We don't support C#, but yes to the rest.
Again, no C#, but yes to answer this question.
Further explanation below:
We've developed TideKit to have a small and stable core so that the apps can be built up in a modular way with the functionality you want in your app. TideKit provides simultaneous extension in ObjC++, C++, Java, and JavaScript for web, HTML5 hybrid and native apps.
Generally, developers will consume modules without the need to write lower level code because the functionality already exists both natively and for HTML at the same time. So mostly it is about consuming modules and writing your app in JavaScript.
Modules allow a project to be built for desktop, mobile and web from a single base of code. TideKit is a uniquely develop once, deploy everywhere platform with easy-to-use JavaScript APIs and CommonJS modularity. The best way to write TideKit apps is CommonJS. More than 60K modules of CommonJS functionality is available through npm and components registries. Folks familiar with nodejs will be at home with it. You can also write conventional JavaScript or easily migrate an existing TideSDK app.
Automated packaging, installers, and distribution are part of our solution. There are packaging options that can provide bundled or network installs to take advantage of dynamic libraries for efficient runtime code to keep the amount of installable and distributable code to a minimum.
TideKit has the capability to build in different ways from your project source to optimize for AppStore compliance or even highest HTML5 compliance. You can use it to build HTML5 or native apps for virtually any platform you wish to support. On the backend, we have capabilities for the widest range of mobile and desktop operating systems and for web deployments. Beyond building your app simultaneously for multiple platforms, you can also develop, test, and deploy your APIs from the same base of code.
Our build service protects your code from exposure by encrypting and embedding the sources in a binary. Hope this helps.
I think it is possible to use DLL's with something in between using Ti.Process...
the idea to execute a DLL is to have something in return (a very especific process, only for windows desktop I believe). I'm facing the same challenge but I guess I will approach to Ambiance Air App which uses a DLL to validate the license of the product...
in short it could be
var myScript = Ti.Process.createProcess({
args:['python',Ti.API.application.resourcesPath + "/??????"]
//the unknown command for the exe that uses the dll? it should return an object! not even functions...
});
myScript.myObject;
I have written a program in c# with Vistual studio 2008.
I've compiled and build it and got a .EXE file. My question is this - if I give someone else this .EXE file can he in any way see the source code? functions, variables, calls, stack states, anything? I wish to keep those as discreet as possible.
They can use a tool like Reflector to decompile the executable, this will not be identical to your code, but they will be able to see most of what you wrote. It is a free tool, so you can download it to see what it can do with your exe.
You will need to obfuscate your code if you want to keep others from seeing it easily (though even that can be overcome with enough time and determination). A tool you can use for this is dotfuscator.
According to this SO post, one can reverse engineer a given executable and obtain the code that was used to build it. This msdn blog shows some ways you can make the process of reverse engineering a bit tougher, mainly through the use of obfuscation.
The exact same source code as you have written it no. But he could use tools like Reflector to disassemble it. In order to make the disassembled code difficult to read you could obfuscate it.
Yes.
You can use reflector to decompile any .net assembly.
http://www.red-gate.com/products/dotnet-development/reflector/
There are tools that will obfuscate your code. But it will still be visible. Security by obscurity does not work anyway.
As all have said - it's easy to decompile an assembly. Obfuscation offers very little real protection unless you're using some of the really high end commercial tools. The key things to really watch out for is if you have things like encryption keys or security tokens/credentials in your source code these are pretty easy to find.
There are a range of products available that will allow you to compile a .net app to native code which offers much greater protection.
i'm totally new to .net especially with c# 3.0 and i'm working on an access database wrapper application because we need to protect the password and content of the database from being directly accessed by a third party developer.
I'm currently testing to write a simple client app to trigger the functions in the dll and to my suprise, everytime i hit a bug i can see all the source codes in this project which shows the exact source code.
So i know i'm probably missing a lot of obvious stuff here, but how do i code it so that this won't happen, so we can hide the code in the dll from the third party developer? Or is this a setting thing which only happens because both projects is in my pc?
thanks :)
Updates:
After some browsing around, i found this previous discussion on good obfuscation tool
and i try this one tool called Eazfuscator.Net and after obfuscating the dll, i try to view it again using .net reflector or debug it via vs express2008, nothing shows no more :)
You're seeing the exact code because the source is on your machine, however, it will be trivial for your third-party developer to reverse engineer the code from the DLL using a tool such as Reflector. To prevent something like this, you may want to use a code obfuscation utility, such as Dotfuscator (you may want the paid version instead of the community version), to make it more difficult to reconstruct the code from the intermediate code.
I wrote a windows application using C# .Net 2.0 and i want to do something which hide the source code, so when any one use refactor tool can't see the source code.
I used dotfuscator but it just changed the function names but not all the source code.
UPDATE:
I want to hide the source code, not because of hiding the key, but to hide how the code is working.
Thanks,
IL is by definition very expressive in terms of what remains in the body; you'll just have to either:
find a better (read: more expensive) obfuscator
keep the key source under your control (for example, via a web-service, so key logic is never at the client).
Well, the source code is yours and unless you explicitly provide it, youll perobably only be providing compiled binaries.
Now, these compiled binaries are IL code. To prevent someone "decompiling" and reverse engineering your IL code back to source code, you'll need to obfuscate the IL code. This is done with a code obfuscator. There are many in the marketplace.
You've already done this with dotfuscator, however, you say that it only changed the function names, not all the source code. It sounds like you're using the dotfuscator edition that comes with Visual Studio. This is effectively the "community edition" and only contains a subset of the functionality of the "professional edition". Please see this link for a comparison matrix of the features of the community edition and the professional edition.
If you want more obfuscation of your code (specifically to protect against people using tools such as Reflector), you'll need the professional edition of Dotfuscator, or another code obfuscator product that contains similar functionality.
As soon as people get a hand on your binaries they can reverse-engineer it. It’s easier with languages that are compiled to bytecode (C# and Java) and it’s harder with languages that are compiled to CPU-specific binaries but it’s always possible. Face it.
Try SmartAssembly
http://www.smartassembly.com/index.aspx
There are limits to the lengths obfuscation software can go to to hide the contents of methods, fundamentally changing the internals without affecting the correctness (and certainly performance) is extremely hard.
It is notable that code with many small methods tends to become far harder to understand once obfuscated, especially when techniques for sharing names between methods that would appear to collide to the eye but not to the runtime are employed.
Some obfuscators allow the generation of constructs which are not representable in any of the target languages, the set of all operations allowable in CIL for example is way more than that expressible through c# or even C++/CLI. However this often requires an explicit setting to enable (since it can cause problems). This can cause decompilers to fail, but some will just do their best and work around it (perhaps inlining the il it cannot handle).
If you distribute the pdb's with the app then even more can inferred due to the additional symbols.
Just symbol renaming is not enough of a hindrance to reverse-engineering your app. You also need control flow obfuscation, string encryption, resource protection, meta data reduction, anti-reflector defenses, etc, etc. Try Crypto Obfuscator which supports all this and more.
Create a setup project for your application and install the setup on your friends computer like a software. There are 5 steps to creating the setup project using microsoft visual studio.
Step 1: Create a Sample .Net Project. I have named this project as "TestProject" after that build your project in release mode.
Step 2: Add New Project using right click on your solution and select setup project and give the name this as "TestSetup".
Step 3: Right click on setup project and Add primary Output and select your project displayed.
Step 4: Right Click the setup project and select View-> File System -> Application Folder. Now copy what you want to be in installation folder.
Step 5: Now go to our project folder and open the release folder you can get the setup.exe file here. Double click on the "TestSetup" file and install your project to your and other computer.