Silverlight Security – Part One – Code Obfuscation

Silverlight is a client-side technology that runs on the Silverlight runtime installed on the user's machine.  This gives the user the rich interface experience normally associated with desktop applications.

However, unlike ASP.NET, where the code-behind is executed on the server, Silverlight code must be downloaded to the client machine.  The .xap file that is downloaded is basically just a zip file containing code assemblies (DLLs) and manifest files.  You can simply change the extension of a .xap file to .zip and extract the files.

Your assemblies can then be read using utilities like .NET Reflector.  This enables anyone to view your code, variable names, string values, connection strings, and username/password combinations.

Never store connection strings or username/password combinations in your silverlight code.
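As an added example (not code from the original post), here is a pre-release check that opens a .xap as the zip it is and flags connection-string and credential literals inside its assemblies, matching them both as ASCII and in the UTF-16LE form .NET uses for string literals. The sample .xap it scans is constructed inside the script; its member names and the literal are made up.

```python
import io
import re
import zipfile


def spaced(word: bytes) -> bytes:
    # Allow an optional NUL between characters so one pattern matches the
    # literal both as ASCII and as the UTF-16LE that .NET uses for string
    # literals in an assembly's #US heap.
    return b"\x00?".join(re.escape(bytes([c])) for c in word)


# Indicators of a secret baked into client code (constructed list; extend as needed).
INDICATORS = [
    ("connection string", re.compile(spaced(b"data source") + rb"\x00?=", re.I)),
    ("connection string", re.compile(spaced(b"server") + rb"\x00?=", re.I)),
    ("credential", re.compile(spaced(b"user id") + rb"\x00?=", re.I)),
    ("credential", re.compile(spaced(b"password") + rb"\x00?=", re.I)),
]


def scan_xap(xap_bytes: bytes) -> list:
    """Return (member, indicator, offset) for each suspicious literal in any
    assembly inside the .xap.  A .xap is a plain zip, so no extension change
    or extraction to disk is needed.  Values after '=' are never reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for name in xap.namelist():
            if not name.lower().endswith(".dll"):
                continue
            data = xap.read(name)
            for label, pattern in INDICATORS:
                for m in pattern.finditer(data):
                    findings.append((name, label, m.start()))
    return findings


def build_sample_xap() -> bytes:
    """Constructed stand-in for a build output: a zip holding a manifest and a
    fake 'assembly' whose bytes carry a UTF-16LE connection string, as a C#
    literal would sit in the #US heap.  It is not a real PE file."""
    literal = "Server=db.example.invalid;User Id=app;Password=hunter2"
    fake_dll = b"MZ" + b"\x00" * 16 + literal.encode("utf-16-le") + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", "<Deployment />")
        z.writestr("Example.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    for member, label, offset in scan_xap(build_sample_xap()):
        print(f"{member}: {label} literal at byte offset {offset}")
```

Run it against a real build output by passing the bytes of your .xap to scan_xap; any finding means a secret has shipped to the client and belongs behind a web service instead.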

Never connect directly to your domain database from your Silverlight code; always go through a web service (or RIA Services). More about this in part two.

Obfuscation is NOT enough on its own to deter a sufficiently motivated competitor; it raises the effort needed to read your code but does not prevent it.  You do not want modified versions of your application wreaking havoc on the World Wide Web.

Consider keeping commercially valuable code on your server and having your Silverlight application call a web service to perform the necessary routines and return the results.

If your web service handles sensitive, confidential, or commercially valuable data, then use SSL encryption (HTTPS) for the service endpoint.

You can decide for yourself what level of obfuscation you want and can afford.  For single developers and small software companies the cost of these obfuscators may be significant. Although some offer basic versions free of charge, if you are serious about protecting your code, your applications and your data, then you are going to require one of the paid versions and an SSL certificate.

Visual Studio already includes the free community edition of Dotfuscator from PreEmptive Solutions.  This really only does basic renaming of identifiers, so you will probably want either the Pro version or the single-developer version.

Other solutions include DeepSea Obfuscator from TallApplications and SmartAssembly from Cachupa.

Some of the obfuscation suppliers have websites that have more in common with obfuscation than with informing the user about product features, pricing and comparisons between their different versions, so you will need to dig through their websites diligently to get all the information you want.

Where are the guides to Security Best Practices in Silverlight?

When I first started writing web applications for .NET, I found a great article on security which told me how to create forms authentication and protect myself from SQL injection attacks by using stored procedures and parameters.

Today, with Silverlight, we have some additional challenges.  The Silverlight code is now on the client's machine.  How do we protect access to web forms and passwords, protect our database connection string, and stop users from reading or stealing our client code?

Most examples out there today are designed as sales pitches; everything is so easy when error handling and security are completely ignored.

I would love to write an article for you that gave you step by step best practices, but like many of you I am still at the start of this exciting journey, so this is a plea to those who are designing these technologies and evangelising their use. 

WE NEED STEP BY STEP EXAMPLES SHOWING SECURITY BEST PRACTICES FOR SILVERLIGHT.

We need examples that can be used by small development teams (1 to 5 people) who are being told by their management (who have just watched or been to one of the flashy launch events), "do me a website like MGM Stargate or NBC Sports or Continental Airlines, that will handle customer orders in a way that will blow Amazon away."

Resources which I had in 2002 when I started with .NET were:

Defend Your Code with Top Ten Security Tips Every Developer Must Know by Michael Howard and Keith Brown

http://msdn.microsoft.com/en-us/library/aa302370.aspx by Timothy Bollefer, Girish Chander, Jesper Johansson, Mike Kass, and Erik Olsen.

A more recent whitepaper on Silverlight 2 security is available here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7cef15a8-8ae6-48eb-9621-ee35c2547773

but it is by no means a step-by-step guide to all of the things you need to do to make your applications secure.

So come on Scott Hanselman, Tim Heuer, Phil Haack, Scott Guthrie, Beth Massi, the Silverlight Developer Team, the Visual Basic Developer Team: you have been challenged to provide step-by-step articles and videos or point us to appropriate references.  The articles should be based around Silverlight 3 and technologies which are current today. And, of course, be available in both VB and C#.