22

As you know Xamarin projects are compiled into dot net dll assembly and it'll be pack into apk file and can be easily reflected by reflectors like DotPeek.

My first question is: How can we protect our code?

My second question is: Do obfuscator tools like SmartAssembly are usable in Xamarin projects or Xamarin projects won't support them?

Lex Li
  • 60,503
  • 9
  • 116
  • 147
Ali Bahrami
  • 5,935
  • 3
  • 34
  • 53
  • 1
    Most (all?) obfuscators will work since you are talking talking CIL-based assemblies (w/ the same pro/cons of any .Net/Mono environment). For Xamarin.Android you can also enable "Enable assemblies in native code" if you are a VS Enterprise user. This will embed the assemblies into the NDK-based runtime library. Reverse engineers will have to spend more time finding the pointing/ending points to extract, but like any CIL-based obfuscation anyone that wants to spend the time to RE it can, no matter which obfuscation you use. – SushiHangover Apr 05 '16 at 10:12
  • Why use the iOS tag? Xamarin.iOS uses AOT to compile to native already. – Lex Li Apr 05 '16 at 11:06
  • @LexLi thanks for mention it. I just removed the tag. – Ali Bahrami Apr 05 '16 at 11:21
  • 1
    Well Java can be easily decompiled from Android .apk as well. So if you are trying to reach similar "security" to what Android provides - you already have it. – Ivan Kirkorau Apr 05 '16 at 15:02

4 Answers4

12

The best way to protect your .NET code (.DLLS) for APKs is to enable Ahead Of Time (AOT) compilation:

enter image description here

AOT compilation will compile your applications IL code (.dlls) into native instructions. The final code that is packaged into the APK is then X86, arm etc instructions rather than managed IL code.

AOT compilation is only available in Enterprise and higher licenses.

While AOT increases the difficulty of reverse engineering, it's still not 100% fool-proof. The final binaries can still be pulled from a rooted device and reverse engineered using software like IDA pro. It's a lot harder than using DotPeek but its still possible.

It is also important to note the down sides of enabling AOT compilation. Application builds times increase significantly as every assembly referenced by your app needs to be compiled; my experiences indicated that you should expect a 200%-300% increase in build times when AOT is enabled.

Additionally, AOT compilation will increase the final APK size.

matthewrdev
  • 11,930
  • 5
  • 52
  • 64
  • 3
    As we all know AOT compilation was only available for Enterprise license. Now Xamarin is free so is it available in Visual Studio Community? – Ali Bahrami Apr 06 '16 at 04:52
  • 3
    Thanks for highlighting that, AOT is indeed only available for Enterprise licences. Updating answer. – matthewrdev Apr 06 '16 at 04:55
  • According to this: https://developer.xamarin.com/guides/android/deployment%2C_testing%2C_and_metrics/publishing_an_application/part_1_-_preparing_an_application_for_release/#aot the resulting native code is included in the APK along with the uncompiled assemblies. Does this mean that both the compiled and the uncompiled versions are included, and AOT does not really help for obfuscation? – HelloWorld Mar 17 '17 at 09:13
  • @matthewrdev can we use any obfuscator described below and also enable AOT compilation? Would that make it difficult to reverse engineer? – Pooran Oct 27 '17 at 02:51
  • I have no changes in decompiled code with AOT enabled... VS 2019. Any ideas? – Bartek Chyży Aug 15 '19 at 22:47
6

Dotfuscator has support for Xamarin and instructions are online (for Dotfuscator Professional or the free Community Edition) for how to integrate it. In essence, the process is:

  1. Configure the build to run Dotfuscator via an AfterBuild target
  2. Configure Dotfuscator:
    1. Specify the inputs
    2. Exclude things from renaming, as usual / as needed
    3. Only use Mono-compatible transforms (Pro-only)
  3. Configure a Copy task or post-build event to copy the obfuscated binaries back to their original locations
  4. Build, verify obfuscation, and test

Full disclosure: I work for PreEmptive Solutions.

Nathan Arthur
  • 1,132
  • 11
  • 17
  • Update: this is now much easier with Dotfuscator Professional. Simply [copy the appropriate configuration into your `.csproj`](https://www.preemptive.com/dotfuscator/pro/userguide/en/getting_started_protect.html#integrate-xamarin) and build in Release mode - Dotfuscator will do the rest. Dotfuscator Community still [works the old way](https://www.preemptive.com/dotfuscator/ce/docs/help/getting_started_xamarin.html), but it will eventually be updated, too. – Nathan Arthur Jan 15 '19 at 22:48
  • is there still a plan to move the Community Edition over to this new configuration way? – TheBinaryCPA Apr 29 '20 at 17:20
  • Yes; we do still plan to migrate the new way into Community, but I can't commit to a timeframe for it yet. – Nathan Arthur May 01 '20 at 18:07
5

For your first question, it is possible to use some tools for obfuscating your Xamarin code. For example, Crypto Obfuscator, Babel Obfuscator, and Dotfuscator

For your second question, it seems SmartAssembly obfuscation is possible. Check the Windows Phone part here.

Glorfindel
  • 21,988
  • 13
  • 81
  • 109
Luis Beltran
  • 1,704
  • 12
  • 13
1

There's no way you can fully 100% protect your code from being decompiled and looked into.

You could spend a lot of time hashing all of your methods and variables and then spend another lot of time creating some sort of application interpreter that will understand your obfuscated code, but even that will be looked into, investigated and eventually cracked.

Also see: How can I protect my .NET assemblies from decompilation?

Protect .NET code from reverse engineering?

Community
  • 1
  • 1
peter kover
  • 77
  • 2
  • 10