Obfuscating Xamarin Applications

This article demonstrates how to apply obfuscation to your Xamarin Android and Windows Phone apps.

Although Xamarin enables development for all three major mobile platforms in C# and .NET, the build process of Xamarin apps on iOS, Android and Windows Phone is very different. We will look at each build process from the standpoint of obfuscation and security, with the goal of making the app code and the sensitive information within the app better protected and less vulnerable to hacking efforts. Let’s visit each platform one by one.

iOS
iOS does not allow JIT (just in time) compiling. Instead, all C# code goes through the AOT (ahead of time) compiler. The end result is that all the IL code from your assemblies is converted into native ARM (v6, v7 and so on) instructions, so the IL is not required anymore. When you build for the Release|iPhone configuration, the IL code is removed from your assemblies, and since it is not present, there is no need to obfuscate it. Of course, one can still reverse engineer AOT-compiled code, but it is fairly hard compared to any .NET assembly that compiles to IL. Note that the .NET assemblies will still be inside the IPA package because the metadata is still required by System.Reflection. So if you view those assemblies in any good .NET reflector, you will see symbol names and resource files.

Android
In Xamarin Android, C# is compiled to IL and packaged with the Mono VM, which JIT-compiles it at run time. The generated APK for the Release configuration contains the Mono runtime along with your Android application assemblies. For obfuscation, we will make use of Crypto Obfuscator, as it is popular among Xamarin and .NET applications. You can get a trial version at:
http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

Once it is installed, you will see that it has a nice interface for adding assemblies or XAP files for obfuscation. You can even incorporate the Crypto Obfuscator process right into Visual Studio using the Visual Studio Project Integration Wizard, so that the obfuscation runs whenever you build your project.


Figure 1.0 Crypto Obfuscator user interface

We will use DotPeek from JetBrains to decompile the assemblies of the Windows Phone and Android projects. Download the tool and install it. Now let’s create a sample Xamarin Android application project, compile it and open the compiled assembly in DotPeek. You will see something like Figure 1.1.


Figure 1.1 Decompiled AndroidApplication2.dll

Now, let’s obfuscate our application using Crypto Obfuscator. For this, I chose to go through the Visual Studio Project Integration Wizard and chose Release Any CPU as the obfuscation target. Once I save the project in Crypto Obfuscator, it adds an entry to AndroidApplication2.csproj and a custom build step that obfuscates the code while building. Once you have successfully integrated Crypto Obfuscator, the Visual Studio Output window will show you that Crypto Obfuscator is at its job whenever you build for Release Any CPU!


Figure 1.2 Crypto Obfuscator message in Visual Studio Output window

Now quickly grab AndroidApplication2.dll from the Release folder and open it in DotPeek again. You will see that GUID-generated names are used for the fields, and that some fake code has been added, as shown in Figure 1.3.


Figure 1.3 Decompiled AndroidApplication2.dll with obfuscation

Windows Phone
Xamarin for Windows Phone compiles C# to IL, which is executed under the built-in runtime, and thus does not require any Xamarin tools. The application gets packaged into a XAP file, which is a standard zip file, so you can view its contents using any zip viewer. Open PhoneApp1.dll in dotPeek.


Figure 1.4 Decompiled PhoneApp1.dll

As you can see, the decompiled code is pretty simple to understand and manipulate. Let’s add some obfuscation to it. I chose to try SmartAssembly from RedGate, as I have usually found their products to be of good quality. You can use Crypto Obfuscator as well, but as I was exploring different tools, I chose SmartAssembly. SmartAssembly has a nice interface for configuring various aspects of obfuscation and optimization, as shown in Figure 1.5.


Figure 1.5 SmartAssembly user interface

You can select an assembly to obfuscate. With the obfuscation applied, the same decompiled dll looks like Figure 1.6.


Figure 1.6 Obfuscated PhoneApp1.dll

Of course, dotPeek is a great decompiler, and I used pretty much the default, very light obfuscation settings, so you will see that a few parts of the code are still readable while other parts are obfuscated with fake code that makes use of label and goto statements.
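Because the XAP is a standard zip file, a release build can be checked automatically to confirm that the obfuscation step actually ran. The following script is an added example, not part of the original article or of any tool mentioned in it: it opens the package, reads every .dll and reports identifiers that are still readable in the assembly metadata. The identifier list, the helper names and the sample package are constructed for illustration.

```python
import io
import zipfile

# Hypothetical identifiers the team expects the obfuscator to rename.
SENSITIVE = ["LicenseValidator", "apiSecretKey"]

def readable_symbols(package_bytes, expected_renamed):
    """Return {assembly: [identifiers still readable]} for each .dll in the zip.

    .NET metadata keeps type and member names in the #Strings heap as
    null-terminated UTF-8. Metadata writers may fold a name into the tail of
    a longer one (get_Foo / Foo), so only the terminator is matched.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for entry in pkg.namelist():
            if not entry.lower().endswith(".dll"):
                continue
            data = pkg.read(entry)  # zipfile inflates the entry for us
            hits = [name for name in expected_renamed
                    if name.encode("utf-8") + b"\x00" in data]
            if hits:
                findings[entry] = hits
    return findings

def build_sample_xap(heap_names):
    """Constructed stand-in for a XAP: a zip holding one fake assembly body."""
    heap = b"\x00" + b"".join(n.encode("utf-8") + b"\x00" for n in heap_names)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("PhoneApp1.dll", b"MZ" + b"\x90" * 64 + heap)
        z.writestr("AppManifest.xaml", b"<Deployment/>")
    return buf.getvalue()

if __name__ == "__main__":
    plain = build_sample_xap(["LicenseValidator", "apiSecretKey", "MainPage"])
    renamed = build_sample_xap(["A3F1C2D4E5B64788", "B7D2", "MainPage"])
    for label, pkg in (("plain", plain), ("obfuscated", renamed)):
        # A non-empty result means the build should be rejected.
        print(label, readable_symbols(pkg, SENSITIVE))
```

In a build pipeline, pass the bytes of the real XAP and fail the build when the returned dictionary is not empty. Names the obfuscator is configured to leave alone should not be placed in the list.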

SQLCipher
What if your app deals with sensitive data and stores it on the device in an embedded database such as SQLite? SQLCipher provides strong security for mobile and embedded databases using AES-256. I am leaving it up to you to give it a try from the following link.

http://components.xamarin.com/view/sqlcipher-for-xamarin/

Note that it supports Xamarin Android and iOS applications.

Tools used in this article
Since I mentioned a few tools, here is a summary of all the tools used in this article.

DotPeek from JetBrains
http://www.jetbrains.com/decompiler/

Crypto Obfuscator
http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

SmartAssembly
http://www.red-gate.com/products/dotnet-development/smartassembly/

By jay nanavati