Silverlight Security – Part One – Code Obfuscation

DeepSea Obfuscator

Silverlight is a client-side technology: the application runs inside the Silverlight runtime installed on the user's machine. This is what gives the user the rich interface normally associated with desktop applications.

However, unlike ASP.NET, where the code-behind executes on the server, Silverlight code must be downloaded to the client machine. The .xap file the browser downloads is just a zip archive containing your compiled assemblies (DLLs) and the AppManifest.xaml manifest. Anyone can rename the .xap to .zip and extract it.

The extracted assemblies can then be opened in a decompiler such as .NET Reflector. This lets anyone, not just programmers, read your code, variable names, string literals, connection strings, and any username/password combinations you compiled in.

Never store connection strings or username/password combinations in your Silverlight code.
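The following script, an added example and not part of the original post, shows how little effort that inspection takes. It builds a stand-in XAP in memory (the AppManifest.xaml layout is the real Silverlight schema; the "ShopApp.dll" is constructed fake bytes carrying UTF-16LE string literals, which is how the CLR stores string constants in an assembly), lists the assemblies from the manifest, and then scans each DLL for credential-looking strings. The assembly names, connection string and URL are invented for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by a Silverlight AppManifest.xaml
DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Constructed manifest: same shape Visual Studio emits for a Silverlight 4 app
SAMPLE_MANIFEST = f"""<Deployment xmlns="{DEPLOY_NS}" xmlns:x="{XAML_NS}"
  EntryPointAssembly="ShopApp" EntryPointType="ShopApp.App" RuntimeVersion="4.0.50826.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="ShopApp" Source="ShopApp.dll" />
    <AssemblyPart x:Name="System.Windows.Controls" Source="System.Windows.Controls.dll" />
  </Deployment.Parts>
</Deployment>"""

# Constructed "assembly": an MZ header, then string literals encoded as UTF-16LE
# the way the CLR #US (user string) heap stores them. Not a real PE file.
FAKE_DLL = (
    b"MZ" + b"\x00" * 16
    + "Data Source=sql01;User ID=shop_admin;Password=Hunter2!".encode("utf-16-le")
    + b"\x00" * 8
    + "https://api.example.com/orders".encode("utf-16-le")
)


def build_sample_xap() -> bytes:
    """Zip the manifest and DLLs exactly as a .xap is packaged (it is only a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", SAMPLE_MANIFEST)
        z.writestr("ShopApp.dll", FAKE_DLL)
        z.writestr("System.Windows.Controls.dll", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def list_assemblies(xap_bytes: bytes) -> dict:
    """Read AppManifest.xaml from the XAP and return the entry point and assembly parts."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("AppManifest.xaml"))
    parts = [p.get("Source") for p in root.iter(f"{{{DEPLOY_NS}}}AssemblyPart")]
    return {
        "entry_assembly": root.get("EntryPointAssembly"),
        "entry_type": root.get("EntryPointType"),
        "parts": parts,
    }


# Keys that typically appear in ADO.NET connection strings
SECRET_PATTERN = re.compile(r"(password|pwd|user id|uid)\s*=", re.IGNORECASE)


def find_secret_strings(xap_bytes: bytes, min_len: int = 12) -> dict:
    """Extract UTF-16LE string literals from every DLL and flag credential-looking ones."""
    # A printable ASCII byte followed by a NUL, repeated: that is UTF-16LE ASCII text
    utf16_run = rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}"
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".dll"):
                continue
            data = z.read(name)
            strings = [m.group().decode("utf-16-le") for m in re.finditer(utf16_run, data)]
            hits = [s for s in strings if SECRET_PATTERN.search(s)]
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    xap = build_sample_xap()
    print(list_assemblies(xap))
    print(find_secret_strings(xap))
```

Point it at a real .xap by reading the file instead of calling build_sample_xap(); the manifest parsing is unchanged, and the string scan is a cheap first pass before opening the assemblies in a decompiler. A real assembly will also expose strings in the #Strings heap (type and member names), which is what renaming obfuscators target.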

Never connect to your domain database directly from your Silverlight code; always go through a web service (or WCF RIA Services). More about this in Part Two.

Obfuscation is NOT enough on its own. It raises the cost of reading and tampering with your assemblies, but it does not stop a sufficiently motivated competitor from decompiling them, and you do not want modified versions of your application wreaking havoc on the web.

Consider keeping commercially valuable code on your server and having your Silverlight application call a web service that performs the routine and returns only the results.

If your web service handles sensitive, confidential, or commercially valuable data, serve it over SSL/TLS (HTTPS).

You can decide for yourself what level of obfuscation you want and can afford. For single developers and small software companies the cost of these obfuscators may be significant. Some vendors offer basic versions free of charge, but if you are serious about protecting your code, your applications and your data, you will need one of the paid versions plus an SSL certificate.

Visual Studio already includes the free Community Edition of Dotfuscator from PreEmptive Solutions. It really only does basic renaming of identifiers, so you will probably want either the Professional edition or the single-developer edition.

Other solutions include DeepSea Obfuscator from TallApplications and SmartAssembly from Cachupa.

Some of the obfuscation suppliers have websites that do a better job of obfuscating than of informing you about product features, pricing and the differences between their editions, so expect to dig through their sites diligently to get the information you need.