joydip_kanjilal
Contributor

Protect your assemblies using obfuscation

opinion
Sep 29, 2015 | 3 mins
Intellectual Property, Security, Software Development

Obfuscation makes your assemblies hard to reverse-engineer, thereby protecting your intellectual property

There are plenty of tools out there that can decompile compiled assemblies and retrieve the original source code. These decompilers are a threat to your intellectual property, making it imperative that you protect your assemblies.

This potential threat of loss of your intellectual property can be mitigated, though. Obfuscating your assemblies protects them from being decompiled easily.

What is obfuscation anyway?

When developing applications, you must consider the potential security vulnerabilities and adopt proper measures to mitigate them. If you need to distribute your software to end users for use on their desktops or laptops, you should protect your code.

Obfuscating your assemblies makes them hard to decompile while preserving the application’s functionality. There are additional benefits to obfuscation as well, including:

  1. Reduction in the size of the executable
  2. Improved application performance
  3. Protection of intellectual property

How does obfuscation work?

Programs written in languages like C# and targeted at the managed environment of .Net emit an intermediate compiled code (MSIL) when compiled. This MSIL code preserves a lot of metadata that includes the high-level information about the assembly. This also means that the assemblies can be decompiled with ease, as it’s this metadata that’s used to do the decompilation and retrieve the original source code.

Obfuscation removes unnecessary information from the assembly metadata. It renames the methods and classes in your source code, and it encrypts the strings, code, and resources that your program uses. The meaningful names in the assembly metadata — the classes, methods, properties, events, fields, and objects — are scrambled and replaced by non-meaningful names.

It also inserts unnecessary control statements (constructs and logical statements) and junk methods, and it adopts other practices so that obfuscated assemblies are hard to decompile. Furthermore, obfuscation follows certain practices that make your assemblies impossible to debug while the application is executing. Together, these encryption techniques and practices make your assemblies extremely hard for the available decompilers to understand.

It should be noted that obfuscation is applied to compiled code (i.e., MSIL) and not your source code. Your source code is never altered. An assembly that is obfuscated will be executed by the CLR, same as any other traditional assembly.
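
As an added example (not from the original article or from any obfuscator vendor), this C# console program uses reflection to list the type and member names stored in an assembly's metadata, so you can run it on your own build before and after obfuscation and compare the output. The `MetadataNameReport` class and the `LooksMeaningful` heuristic are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Added example: reports which names in an assembly's metadata are still readable.
static class MetadataNameReport
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
                             BindingFlags.Instance | BindingFlags.Static |
                             BindingFlags.DeclaredOnly;

    // Heuristic (assumption): a name "looks meaningful" if it is longer than
    // three characters and uses only ASCII letters, digits, and underscores.
    static bool LooksMeaningful(string name) =>
        name.Length > 3 &&
        name.All(c => c < 128 && (char.IsLetterOrDigit(c) || c == '_'));

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: MetadataNameReport <assembly path>");
            return 2;
        }

        Assembly asm = Assembly.LoadFrom(args[0]);
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException ex)
        {
            // Some types may fail to load (missing dependencies); keep the rest.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        int total = 0, readable = 0;
        foreach (Type type in types)
        {
            // The type's own name plus every member declared on it.
            var names = new[] { type.Name }
                .Concat(type.GetMembers(All).Select(m => m.Name));
            foreach (string name in names)
            {
                total++;
                if (!LooksMeaningful(name)) continue;
                readable++;
                Console.WriteLine($"{type.FullName}: {name}");
            }
        }
        Console.WriteLine($"{readable} of {total} names still look meaningful");
        return 0;
    }
}
```

A drop in the readable count between the plain and obfuscated builds shows that renaming was applied; names that remain in the list are what a decompiler will still display.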

Does obfuscation guarantee absolute protection?

The simple and honest answer is no. Obfuscators cannot guarantee that your code is 100 percent safe — no available tools can do that. Obfuscators can help you to protect your intellectual property to the maximum extent possible, but if you have a good knowledge of data structures and algorithms, you can decipher the original source code from obfuscated assemblies. There are many other strategies that you also should adopt to protect your intellectual property, which I’ll explore more in future posts.

What obfuscators are available?

There are many obfuscators around, but most of them are commercial. Wikipedia has a good list of the popular obfuscators available for .Net.

The Dotfuscator obfuscation tool ships with Visual Studio and is simple to use. There’s also JustCompile by Telerik, and Redgate software provides an obfuscator called SmartAssembly. I’ve used SmartAssembly, and I did like it. You can download a trial version of this tool from Redgate’s website.

There are a few free or open source obfuscators as well, including Obfuscar.


Joydip Kanjilal is a Microsoft Most Valuable Professional (MVP) in ASP.NET, as well as a speaker and the author of several books and articles. He received the prestigious MVP award for 2007, 2008, 2009, 2010, 2011, and 2012.

He has more than 20 years of experience in IT, with more than 16 years in Microsoft .Net and related technologies. He has been selected as MSDN Featured Developer of the Fortnight (MSDN) and as Community Credit Winner several times.

He is the author of eight books and more than 500 articles. Many of his articles have been featured at Microsoft’s Official Site on ASP.Net.

He was a speaker at the Spark IT 2010 event and at the Dr. Dobb’s Conference 2014 in Bangalore. He has also worked as a judge for the Jolt Awards at Dr. Dobb's Journal. He is a regular speaker at the SSWUG Virtual Conference, which is held twice each year.
