Obfuscation in .NET vs. Delphi

Question

I have old Delphi application. This app takes session key from server, do some stuff with secret using this key like hashing etc. and post back cipher to the server. Server knows how to retrieve data from this cipher. So simply it's security through obscurity.

I would like to rewrite this application using C# and then use obfuscation software to hide the process of creating secret data.

Will C# obfuscated app be more or less "secure" than not obfuscated, but binary, Delphi app? Will it be still harder to crack Delphi code?

Note: I am perfectly aware, that security through obscurity is not really secure.

Answer 1

"Will C# obfuscated app be more or less "secure" than not obfuscated, but binary, Delphi app? Will it be still harder to crack Delphi code?"

I don't think it's possible to answer your questions without knowledge of your threat model. Who wants to attack the app? What level of sophistication do they have? What do they want to achieve with their attack?

The .NET framework class libraries have some strong security features, and there's also the SecureString class. So that might improve your security.

FWIW, I would prefer to attack managed code rather than native code. But with sufficient motivation, I would be happy to attack either.

Answer 2

Since IL is a lot simpler than assembly, I would say that it is easier to reverse engineer a .NET assembly (obfuscation or not) than a real binary. Additionally, as the .NET compilers leave most of the optimization to the JIT compiler, IL is pretty straight forward compared to a compiled binary.