There are many tools to obfuscate .NET applications. The free ones do some basic obfuscation while commercial ones seem to promise more.

My question is: Is it worth using the commercial obfuscation tools? Do they provide some security? I know everything is crackable if someone wants it badly. But I am talking about some 'average' attackers. So is it worth investing money in commercial obfuscators?

If someone is interested in what I want to protect: program logic and/or keys (I know keys should not be stored in the app, but I am limited in where I can store them anyway due to context).

Note: Some users are mentioning that sometimes an obfuscator may introduce bugs in a working program. This is clearly bad.

Page 10 - de4dot - Deobfuscator for .NET Community Tools. Today I bring you all this de4dot, which works for the latest versions of CryptoObfuscator, PhoenixProtector and NetReactor. I hope you like it; if they have a problem, tell me in the comments and I'll try to solve it.

If someone can cover his/her experience about this kind of behaviour, that would also be useful. Is this behaviour different w.r.t. commercial vs free obfuscators?

The problem with client-side obfuscation/protection is that the attacker will always win. Your code runs on his PC, so he can intercept and manipulate everything in the end.

In the specific case of .NET it might make sense to apply basic obfuscation to remove function names, for example, but free tools are perfectly fine for that.

To answer your question a bit more specifically: most commercial obfuscators do the same things that free ones do as well. I'd go for Confuser/ConfuserEx; both are open source and provide better protection than most commercial stuff.

Let's be clear: Obfuscation is not there to be a form of security that is subject to scrutiny.
It will fall down as soon as someone actually tries to get around the obfuscation and just makes things harder on the attacker.

The purpose of obfuscation is to dissuade potential attackers from getting into the system without a large amount of effort, which may prevent them from considering attacking your system.

You should consider whether or not that is of value to you. If it is, by all means implement obfuscation, but don't use it as your sole layer of security.

Is obfuscation worth it? Yes, of course it is worth it.
Any extra layer which does not interfere with another layer is always worth it. It will deter the average person and keep the majority of people, or would-be script kiddies, at bay.

But commercial tools, I would say, are not, as anything too advanced could actually hinder your development. Using some bespoke software I have tried ended up taking a lot of time to ensure the code worked correctly while in this new form, as it was essentially base64 encoded and encrypted.

Remember this when coming to security: if your software or product is worth 1 million, make it cost 1 million and 1 to crack it. You can never make something safe enough. Obfuscating will never make it safe, but it does not hurt to use free tools.

Obfuscation is obviously not high-level security, but I would never put out code without obfuscation as it can hide important information (important information that this can protect is obvious naming conventions giving away purposes of functions and how your application works; this is just a simple deterrent, not a solution). It is always worth it.

Though paying for a tool? Maybe not worth it.

I'm sorry @MarkHulkalo but you clearly misunderstood, so before you make comments I would appreciate it if you double read? Or ask before declaring me wrong? I clearly said it's not some kind of high level security, clearly, though firstly if it was pointless this question would not even exist nor would companies be making 1000s redoing this. The point is it adds a small layer of annoyance. Have you ever deobfuscated code? Most tools change the class, function and variable names as well as encode it to make it more of a challenge to get the point of the code. I have, multiple times. – Dec 2 '15 at 13:25

It is NOT about protection, it's about making it cost more time and keeping the BASIC user or crap script kiddies (who count as pretty much a basic user half the time) AWAY! I can put a do not enter sign on a door, but it's the lock that stops you going in. But most of the public won't even try the door. Obfuscation is the sign on the door. There is no reason not to have it. Which is my overall point; I even pointed out it's not worth the money paying for a tool. If it was worth money it would be worth security. Though making me explain more, I have marked your comment as useful to me. Thank you – Dec 2 '15 at 13:28

@silverpenguin your answer is somewhat misleading. First of all, the question focused on whether the commercial obfuscation tools offered significant advantage compared to the free tools, and your "Yes, of course" is not backed up by the rest of your answer. More importantly, "I would never put out code without obfuscation as it can hide important information" — it doesn't work like that, you cannot rely on the obfuscation hiding important information. So while it costs almost nothing to have it and probably provides some help, do not make it sound like it really protects any information. – Dec 2 '15 at 15:17

Obfuscation != Security

If you're writing web services or some other code that runs on your secured servers, there is no need to obfuscate.

If you're deploying client-side code, you may wish to obfuscate to make it harder for someone to reverse engineer your code so they can't steal it or take credit for it.

It's very easy to decompile .Net code using ILDASM or some other tool. So, companies may obfuscate to make it harder for someone to look under the covers to gain knowledge on the system or even exploit it. But it's still workable code that can be put into a development environment, debugged, and examined locally.

I once had a boss who was paranoid about other corporations stealing the company's source code intellectual property, so he mandated obfuscation be employed.
One thing with obfuscators is there are some coding practices that will produce bugs after the code is obfuscated, so just be aware of that.

Is it worth it? Depends on your point of view. It was important for my boss. For the development team, it was just another cog in the build process which occasionally caused some unexpected bugs, so we didn't see much value in it. It certainly didn't provide any more security.

One thing I'll mention as well: for support and troubleshooting, obfuscated code is harder to diagnose. The logs that the system will produce will be obfuscated as well, so you need a map to take the obfuscated logs and transform them back to the original source control names etc.
So, just looking at the logs is not feasible; extra steps are required.

@user200312 - If your log outputs a stack trace, it will be the stack of the obfuscated code, which will be impossible to follow. Typically when an exception occurs, one would output the stack trace to aid in troubleshooting and debugging. One would have to take that obfuscated stack trace and deobfuscate it so you can find the real class, real method, and actual line number where the exception occurred. Usually when the obfuscation is done it will produce a map file so you can go back to the original names. – Dec 2 '15 at 18:39

If you want protection against assembly tampering, or access to source code, then a commercial or even free obfuscator will greatly benefit you. Just before you use one, look around to see if there's a deobfuscator out there; that will help you assess the obfuscator's 'security'. If it's a commercial one, always look for a trial to test it with your app. I had some obfuscators mess up the executable, mainly because of the 'spaghetti code' they produce and proxies and all that.
And if you plan to access the assembly from code at runtime, I don't think it's going to work well for you. But still, considering it is easy to extract intact source code from a .NET executable, obfuscators are a really helpful way to make it harder for attackers to gain access to source code.

Just remember, never put sensitive data in a program no matter how hidden you made it! Always store sensitive data such as DB info and encryption/decryption keys server-side!

From my perspective, it's not worth it.
If they really want to see how it works, they will. Sure, you may stop the 'innocent' sniffing around, but anyone with motive and means will win out. As someone else pointed out, obfuscation has its own development concerns (another layer of complexity/error reporting atop your current SDLC). With shifts to SoA, anything that's proprietary/trade secret should be moved internally anyways. The more logic you can keep under your own control (on your servers away from the client) the more assurance you have it won't be copied/stolen. Spend more time investing in your next release and less on protecting what's already done. You don't keep customers by protecting current IP from copy-cats, you keep them by being evolutionary.
From another standpoint, look at open source projects; they readily distribute their source code and still maintain traction and industry recognition/adoption.

It's up to you, but just my $0.02.

I agree that as far as security goes, Java obfuscation is more like a latch than a lock; it won't stop a determined attacker but can discourage amateurs.

It also depends upon the obfuscator. It is certainly possible to rewrite code such that it can't be decompiled into clear Java, by using instruction/bytecode patterns that have no Java equivalent.
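
The map-file step mentioned in the comment above (turning an obfuscated stack trace from a log back into the real type and method names) can be scripted. This is an added example, not code from the thread or from any obfuscator; the `type`/`method` map line format and every name in the samples are constructed assumptions, since each obfuscator emits its own map format.

```python
import re

# Constructed sample map. The "type"/"method" line format is an assumption:
# each real obfuscator writes its own map format (often XML).
SAMPLE_MAP = """\
type a = Acme.Licensing.LicenseChecker
method a::b = Validate
method a::c = LoadKey
type d = Acme.Program
method d::a = Main
"""

# Constructed sample of an obfuscated .NET stack trace as it would appear in a log.
SAMPLE_TRACE = """\
System.FormatException: Input string was not in a correct format.
   at a.c(String )
   at a.b(String , Boolean )
   at d.a(String[] )
   at System.Int32.Parse(String s)
"""

# "   at <Type>.<Method>(<args...>": type may contain dots, method may not.
FRAME = re.compile(r"^(\s+at )([\w.]+)\.(\w+)(\(.*)$")

def load_map(text):
    """Parse the map into {obf_type: real_type} and {(obf_type, obf_method): real_method}."""
    types, methods = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, rest = line.split(None, 1)
        obf, orig = (part.strip() for part in rest.split("=", 1))
        if kind == "type":
            types[obf] = orig
        elif kind == "method":
            methods[tuple(obf.split("::", 1))] = orig
    return types, methods

def deobfuscate_trace(trace, types, methods):
    """Rewrite frames whose type is in the map; leave everything else untouched."""
    out = []
    for line in trace.splitlines():
        m = FRAME.match(line)
        if m and m.group(2) in types:
            prefix, typ, meth, tail = m.groups()
            # A method missing from the map keeps its obfuscated name (no guessing).
            line = f"{prefix}{types[typ]}.{methods.get((typ, meth), meth)}{tail}"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(deobfuscate_trace(SAMPLE_TRACE, *load_map(SAMPLE_MAP)))
```

Treat the map file as sensitive: anyone who holds it can undo the renaming, so it belongs with the build artifacts and not in the shipped package.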

Babel Obfuscator

Q: I have obfuscated my application but I still see type names in .NET Reflector.

Licensing

Q: Is your license on a per-developer basis?
A: Yes for Standard, Professional and Enterprise licenses. Each developer must obtain a license. With this license, the developer can install on a primary machine and a portable/laptop. With the Company license there is no limit to the number of developers/machines inside your company where you can distribute the product.

Q: Do I have to pay you royalties?
A: No. Babel for .NET does not charge any royalties for redistribution of components obfuscated with Babel Obfuscator.

Q: Can I install the product on the build server?
A: Yes. You can install the product on your local build server and use your license. Build servers hosted on the cloud like DevOps and AppVeyor CI require the purchase of a Company license.

Q: Can I install the product on 2 machines (I'm running a desktop in the office, have a laptop at home)?
A: Yes.

Q: Can I continue to use Babel Obfuscator if the subscription expires and I choose not to renew?
A: Yes. You can continue to use Babel Obfuscator which you have licensed and paid for as long as you require. When a subscription expires, it simply means that you will no longer be issued any product updates or new product releases. An expired subscription can be renewed at any time. Feel free to contact our client services for more information on renewals and product costs once your subscription expires.

Q: I have purchased the Standard/Professional license. Can I upgrade to Enterprise or Company edition?
A: Yes. You can upgrade your existing license by paying the difference between the price of the license you own and the price of the new license. In this case the product maintenance period will not be changed.

Q: Do you offer discounts on any of your licenses?
A: Yes. Discounts are available when purchasing multiple single user licenses. Please write to to ask for favorable terms in case of multiple license purchases.