This blog on securing your source code is from Premier Developer consultant Bill Reiss.
I saw a question recently about how to protect code in a Xamarin app package. I feel the first question is whether you need to, and not how to do it. The reality is that you can never completely protect your app code, and if someone wants your code bad enough they can use decompilers and hard work to get it, even if you obfuscate. The only way to completely protect it is to put any code that is critically important to your business, your “secret sauce”, on a secure server and access it via APIs.
The first question is whether your code is really worth protecting. I have seen many developers and corporations put a higher value on their application code than is warranted. Yes, it may have been expensive to develop and serves some business purpose, but if there are no proprietary algorithms or business rules then it’s not really something a competitor could use to gain an advantage from stealing. If you are obfuscating to protect your APIs then the effort should be put into securing these properly.
If you do have something special in your app, you should really consider if there are ways to move it to the server. If this is impossible or impractical then yes obfuscation is an option. Along with this you should also consider ahead of time (AOT) compilation on Android which will make it harder to decompile your app. This is turned on by default for your iOS apps, since Apple requires that .NET code be compiled to native when an app is published to the App Store.
There are free tools for obfuscation so why not just do it, what’s the harm? First of all, it can hamper crash reporting. Your crash reports will have the obfuscated method names in the call stack for the crash report, and determining where the crash actually occurred requires you to map the obfuscated method names back to the actual method name. Secondly if you are using Xamarin Forms and MVVM, any properties that you are data binding must be excluded from obfuscation since data binding uses reflection and these will fail if obfuscated. The extra effort required from your development and maintenance teams should be taken into consideration when deciding whether or not to obfuscate your application.
In conclusion, before you decide to obfuscate your Xamarin code, consider the following:
- Is your code valuable enough to protect?
- Can you move the “secret sauce” to the server?
- Are you willing to accept the initial cost of obfuscation and ongoing maintenance costs?