Reconciling GooglePlay’s security recommendations with Xamarin deployment
Published on February 25, 2016 by Sebastian Holst
An app control that both Microsoft and Google can get behind? What about Xamarin?
First – Congratulations Xamarin (and Microsoft) – as someone who has used Xamarin personally and worked with the people professionally, I see this as a win-win-win (for Xamarin, Microsoft, and, last but not least, developers!).
To the topic at hand… One might argue that the phrase “GooglePlay security recommendations” is a contradiction in terms or even oxymoronic – but I take a different view. If (EVEN) Google recommends a security practice to protect your apps – then it must REALLY be a basic requirement – one that should not be ignored.
I’m talking about basic obfuscation to prevent reverse engineering and tampering.
Here’s an excerpt from Android’s developer documentation
“To ensure the security of your application, particularly for a paid application that uses licensing and/or custom constraints and protections, it’s very important to obfuscate your application code.” …and they go on to write “The use of ProGuard or a similar program to obfuscate your code is strongly recommended for all applications that use Google Play Licensing.” (I did NOT add the emphasis)
For those unfamiliar with ProGuard – it’s a free/open source obfuscator – quite a good one really for the money 😉 – but seriously – it’s kind of an analog to Dotfuscator Community Edition included with Visual Studio (also for free). The point being that both Google and Microsoft have long recognized that basic controls to prevent reverse engineering need to be ubiquitously available to every developer (no one is suggesting all apps be obfuscated).
…but what about Xamarin apps targeting Android or iOS? …not so much. ProGuard cannot obfuscate Xamarin apps – nor can any of the other native Java/Android obfuscators (including PreEmptive’s own DashO). …But (good news) Dotfuscator Professional can. …But (bad news) it’s not free. Still, if you’re serious about this topic, you’d probably want something other than the “free version” on either platform. Here’s a link to a PreEmptive blog post on how to protect your Xamarin apps with Dotfuscator (both iOS and Android): Xamarin Applications and Dotfuscator.
Question: Given the Microsoft Xamarin acquisition, should we (PreEmptive/Microsoft) consider extending Dotfuscator CE (the free one) to provide comparable protection to Android and iOS apps generated by Xamarin as we do for .NET apps today (and since 2003)?
Let me know your thoughts – I really do want to hear from Xamarin developers (and the app owners that employ them :).