joshcomley

Reputation: 28818

Obfuscation in .NET: how is it done and how secure is it?

I brought up a point about obfuscation in another question to which someone replied "obfuscation doesn't stop much".

Rather than start a debate in comments on there, I wanted serious community answers as to how safe my code is when obfuscated with X, Y or Z obfuscator, and if any obfuscation tools truly get the job done.

I'm also interested in any explanation given to garner some basic understanding of how an obfuscator works.

From my understanding, obfuscation cannot prevent reflection and detecting methods etc. but it makes the code within the methods less readable by skewering variable names. Is that wrong? What else does it do?

Upvotes: 3

Views: 1121

Answers (5)

Sebastian

Reputation: 11

Here is an article that I wrote, published in the ISSA Journal, on “Assessing and Managing Security Risks Unique to Java and .NET” - this is a PDF file but it covers obfuscation and a number of related techniques. More importantly, it covers the process of mitigating these risks and some suggestions on how to align all of the above with the materiality of those risks to your specific circumstances.

Upvotes: 0

Gavin Miller

Reputation: 43815

If someone is dedicated enough to get your program, they will; no amount of obfuscation is going to change that. I think Joel Coehoorn's answer to Securing a .NET Application sums things up nicely:

You can't fully secure your app. Thankfully, you don't really want to. In my experience, you need to secure your app just enough that someone can't accidentally pirate your product, and no more.

Wikipedia has a decent section on Obfuscation; specifically, they go through a manual obfuscation to give you an idea of what steps occur:

  • Rewrite for as while. Use special values.
  • Change iteration into recursion
  • Obfuscate constructs and meaningless variable names
  • Remove intermediate variables and literals
  • Obfuscate names again
  • Remove literals
  • Remove redundant text

Upvotes: 0

David M

Reputation: 72870

There are ways of doing this sort of thing - for example, have you ever tried running Reflector on itself?

At the end of the day, if you have commercial software, people are going to pay for it to get a supported version whether they can see the source code or not - that's how many open source projects make their money. Obfuscation is basically what it says - it makes the code harder to understand, but doesn't actually hide it. Whether it's worthwhile or not is something you have to judge on a case-by-case basis.

If you're selling software to corporate customers, my view is it isn't worth the bother. If you're selling to retail customers and really want to hide the code, then perhaps .NET isn't the answer.

Upvotes: 1

Stephan

Reputation: 5488

Obfuscation can never be truly secure since it's always possible to look at the MSIL. Even with a good obfuscator people could reproduce most of your code simply from the MSIL and since you have no choice but to compile to MSIL there really is nothing you can do.

Upvotes: 5
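The point in the question about reflection and the point in the last answer about MSIL, shown as an added example (not code from any of the posters): a constructed type whose identifiers have been renamed to `a0` and `b0` still gives up its signatures and string literals to anyone holding the assembly. The type, its names and the literal are made up for the illustration; the code assumes C# 9 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Reflection.Emit;

// Constructed stand-in for a type after renaming: names are meaningless, IL is intact.
public sealed class a0
{
    public bool b0(string c) => c == "DEMO-KEY-0000"; // constructed literal
}
public static class Program
{
    // Opcode table built from the framework's own OpCodes fields, keyed by encoding.
    static readonly Dictionary<ushort, OpCode> Ops = typeof(OpCodes)
        .GetFields(BindingFlags.Public | BindingFlags.Static)
        .Select(f => (OpCode)f.GetValue(null)!)
        .ToDictionary(o => unchecked((ushort)o.Value));
    // Operand width in bytes, needed to step from one instruction to the next.
    static int OperandSize(OpCode op, byte[] il, int pos) => op.OperandType switch
    {
        OperandType.InlineNone => 0,
        OperandType.ShortInlineBrTarget or OperandType.ShortInlineI or OperandType.ShortInlineVar => 1,
        OperandType.InlineVar => 2,
        OperandType.InlineI8 or OperandType.InlineR => 8,
        OperandType.InlineSwitch => 4 + 4 * BitConverter.ToInt32(il, pos),
        _ => 4 // metadata tokens, int32, float32 and long branch targets
    };
    // Walk the method's IL and resolve the operand of every ldstr instruction.
    public static List<string> Literals(MethodBase m)
    {
        var found = new List<string>();
        byte[] il = m.GetMethodBody()?.GetILAsByteArray() ?? Array.Empty<byte>();
        for (int i = 0; i < il.Length; )
        {
            ushort code = il[i++];
            if (code == 0xFE) code = (ushort)(0xFE00 | il[i++]); // two-byte opcode
            OpCode op = Ops[code];
            if (op == OpCodes.Ldstr)
                found.Add(m.Module.ResolveString(BitConverter.ToInt32(il, i)));
            i += OperandSize(op, il, i);
        }
        return found;
    }
    public static void Main()
    {
        foreach (MethodInfo m in typeof(a0).GetTypeInfo().DeclaredMethods)
            Console.WriteLine($"{m.ReturnType.Name} a0.{m.Name}: " + string.Join(", ", Literals(m)));
    }
}
```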
