Wednesday, January 28, 2009

Obfuscating Silverlight

One thing that people that develop .NET applications know is that users can use tools to decompile the app and get to your source code. This is good and bad. The good is that it is easy to look at source that people use and see how they do things. The bad is that people can look around at your source and steal what you do or even unlock functionality or sell it as theirs.

There are alot of .NET obfuscators and .NET protectors out there to buy. Most do a good job to at least obfuscate the code and at best totally stops the decompiling. When Silverlight came out people were concerned that their dlls would get downloaded and people could just see the code just like with any other .NET assembly. With Silverlight 2, things compile into a dll that gets put into a .XAP file, which is just a zip file. I even have a plugin for .NET Reflector that can look at a Silverlight URL and let you look at the source. If it is this easy to get the source how can developers protect themselves?

I have a protection system that I use for my .NET applications and wanted to see if it would work for a Silverlight 2 application. I ran it using the normal settings that I use for .NET apps and it just throws exceptions for Silverlight. Then I played with all of the options and finally got it to work. It is not as secure as I would like but it works. If you want details on what I use and the settings, please contact me.

I went and searched to see if any other systems out there support Silverlight 2. I found 2 systems out there that say they support Silverlight and 1 that says that it supports .XAP files directly. I mean they are just zip files, why should that be too hard to support. The first one is DeepSea Obfuscator. It says that it supports .XAP and Silverlight 2. The second that I found is SmartAssembly Professtion Edition. I have not used these since mine is working for me, but they are advertising that they support Silverlight and will obfuscate or protect it. Good luck with protecting your Silverlight applications. Let me know if you have success with either of these tools.

8 comments:

Neville said...

What obfuscation tool are you using? And what are the secret settings?

I've started to try Obfuscar (Google Code project), but it requires public APIs to be manually listed for non-obfuscation. I haven't gotten the XAML to work yet, but I haven't been at it long.

Obfuscator Professional claims support for Silverlight, but I haven't sprung for a copy. The community edition definitely does not support Silverlight.

Anonymous said...

can you get your secret settings and the free obfuscator you are using. can i, can i, can i?

Neville said...

After using Obfuscar 1.32 a while, I'm pretty satisfied. It's more convenient than I initially thought. Obfuscar 1.4 was released yesterday, but I haven't tried it yet.

pooran said...

Found http://code.google.com/p/babelobfuscator/ as the cheap and best one!

Raf said...

Hello,
I'm also desperately searching an obfuscator (without spending thousands of dollars) for my Silverlight site.
Steve, can you please tell us what obfuscator with the corresponding parameters you are using?
Thank you very much.

LogicNP said...

Crypto Obfuscator (http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm) supports obfuscation of Silverlight 2.0 as well as
Silverlight 3.0 assemblies.

Anonymous said...

.NET Reactor (http://www.eziriz.com/dotnet_reactor.htm) is simply the cheapest and best one for Silverlight 2.0/3.0 assemblies.

bungo said...

Use CliSecure (www.secureteam.net), cheap obfuscation solution for silverlight and others.