5

I have had good experiences recently developing with ASP.NET MVC and am considering whether or not to use it for a project coming up at work. One important consideration though: they sell source code licenses separately as a rule, and it's the kind of application we can't realistically tie to our own hosting without cutting off a large chunk of the potential market.

Is it possible to distribute an ASP.NET MVC application without source code? Or is there a fairly effective (obviously won't be foolproof but it's at least not a "steal me" welcome mat) and safe tool or method for obfuscating MVC applications? I tried a couple obfuscators that supposedly work with ASP.NET but they broke the application because of MVC's reliance on specific file/directory names.

JasonMArcher
  • 14,195
  • 22
  • 56
  • 52
nathanchere
  • 8,008
  • 15
  • 65
  • 86
  • 1
    When you mean source code do you mean just like the controllers and models code? Or are you talking about everything including views? Since if your just worried about your cs code then you can just publish your application. That will make a .dll for all your controllers and model code. So they won't be able to look into the .dll and see the code that makes it work. View though won't be put in the .dll but anyone can just go to your site and get the html code by looking at view source. – chobo2 Jan 27 '10 at 22:50
  • 1
    @chobo2: obviously you've never heard of reflector. – NotMe Jan 27 '10 at 22:52
  • 1
    I was about to say that. Download Reflector (http://www.red-gate.com/products/reflector/) and have a look through pretty much any .NET .dll you want, including the GAC. I've not personally seen a secure way of preventing access to a .dll file creating in .NET. – Dan Atkinson Jan 27 '10 at 23:01
  • Chobo: would accept your answer except it's not posted as an answer. – nathanchere Feb 07 '10 at 23:03

1 Answers1

10

1) In the situation you describe where you're distributing code to business entities to host on their servers, this is a legal problem rather than a technical one. While you can deter casual attacks and change the economics of serious ones, a determined attacker will not be deterred by even the best obfuscation available to you.

2) Bear in mind that you may inconvenience your genuine customers. Many .NET developers use a decompiler as part of their normal development workflow, and flow obfuscation can have a performance impact.

3) If, having understood that, you still feel that basic keep-your-door-locked protection is worthwhile Crypto Obfuscator can obfuscate ASP.NET MVC.

Iain Galloway
  • 18,669
  • 6
  • 52
  • 73
  • Yes, I find the assembly watermarking a particularly good feature. If somebody does find out a way to get it (an inevitability, to be sure), then this feature allows you to trace them if they subsequently redistribute it. – Dan Atkinson Jan 27 '10 at 23:07