How to obfuscate a xamarin App on VS 2019

Question

I need to protect the business logic on app and this is created with xamarin forms. I have searching information on forums and here about Babel and ConfuserEx but I don’t get it works.

Case Babel

I have installed demo SDK and I have updated the path on environment variables. On Android Project I have added the following lines as I have seen on samples and book “Xamarin Mobile Development for Android Cookbook”

<UsingTask TaskName="Babel" AssemblyName="Babel.Build, Version=9.3.3.0, Culture=neutral, PublicKeyToken=138d17b5bd621ab7" />
  <Target Name="BeforeBuild">
  </Target>
  <Target Name="AfterBuild">
    <Babel InputFile="$(TargetPath)" OutputFile="$(TargetPath)" 
           VerboseLevel="5" 
           ObfuscateTypes="true" 
           ObfuscateEvents="true" 
           ObfuscateMethods="true" 
           ObfuscateProperties="true" 
           ObfuscateFields="true" 
           VirtualFunctions="true" 
           FlattenNamespaces="false" 
           UnicodeNormalization="false" 
           SuppressIldasm="true" 
           StringEncryption="xor" 
           ResourceEncryption="false" 
           ValueEncryption="false" 
           DynamicProxy="false" 
           ControlFlowObfuscation="goto=on" 
           ILIterations="5" />
    </Target>

The compilation is good, but I see dll with ILSpy tool and I can see flow, methods, variables, etc…

Case ConfuserEx

I have installed the VS Extension of ConfuserEx and I have tried to actívate it on common Project and it is obfuscated but When I archive in order to generate the apk, it isn’t obfuscated. I have tried to do on Android Project instead common Project, but it don’t work. Could you give me some advice in order to obfuscate app? I want to do it with Android, iOS and UWP app. Because by default, uwp, droid and ios is easy to do reversing engineering, no?

Answer 1

I've been using Babel with my Xamarin.Android apps for the last 3 years. It works extremely well. If you are having problems contact Alberto at Babel. He provides really great support. Most problems are because of the fact that the Xamarin's build process can vary from release to release and therefore you Babel task can require modifications to accommodate those changes

Answer 2

Because by default, uwp, droid and ios is easy to do reversing engineering, no?

Assuming that this is the question, the answer is that you are mostly wrong.

AOT compiled assemblies are not easy to reverse engineer, and AOT is mandatory for UWP and iOS, while on Android partial AOT is enabled now by the default and full AOT can be enabled too on the VS Enterprise.

Speaking of that there is nothing that can't be reverse engineered and you can still add the obfuscation on the top of AOT compilation to make it even more tough, just there is no built-in solution (and as far as I know no free solution either) so it is yours to pick the one that you like, such recommendations are not allowed here.