Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime which makes the protected code of our customers much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links

Categories
Dotfuscator CE Change Log

Dotfuscator Community 6.3.0 – Release Date May 2021

Reading Time: 2 minutes

Change Log – – Version 6.3.0 – Release Date May 2021

Important Compatibility Changes

This is a new major version of Dotfuscator Community.

  • Dotfuscator no longer supports injecting PreEmptive Analytics runtime telemetry.
    Checks are still supported, and you can use custom code triggered via application notification to report security incidents to an analytics platform of your choosing.
  • Dotfuscator no longer supports assemblies built for Silverlight, Windows Phone, or WinRT (e.g. Windows 8 apps).
  • Dotfuscator no longer supports .appx files as input packages.
  • Dotfuscator no longer supports the Unity game engine.
  • Dotfuscator no longer has its own proxy settings.
    Please use the system proxy settings instead.
  • Dotfuscator’s Check Attributes are now distributed separately from Dotfuscator.
    They are available in the PreEmptive.Protection.Checks.Attributes NuGet package on nuget.org.
Categories
iOSDefender Change Log

iOSDefender Change Log V1.1 Build 0 Beta – Release Date May 17, 2021

Reading Time: < 1 minute

Change Log – Version 1.1.0 Beta – Release Date May 17, 2021

Enhancements

This release may contain protection enhancements not described here.

  • Created an evaluation version of iOSDefender SDK.
  • Updated the EULA.
Categories
Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 6.4.0 – Release Date May 11, 2021

Reading Time: < 1 minute

Enhancements

Functional Changes

  • When using Automatic Input Management, such as with the recommended Protect Your App instructions, the Config Editor’s View menu will no longer allow access to report files if there could be multiple reports that vary by build configuration and platform. To access the full set of reports, check the DotfuscatorReports directory.
  • In cases where Dotfuscator downloads ILDasm and ILAsm tools via NuGet, you can now specify the NuGet feed, username, and password via environment variables. This should only be necessary if you do not have access to the public nuget.org feed.
  • When using an internet proxy requiring authentication, you can now specify the username and password via environment variables for Dotfuscator to use for licensing communications. For details, see Internet Connection Requirement.

Fixes

  • Fixed issues related to renaming obfuscation.
  • Fixed an issue where strong name re-signing doesn’t support spaces in the path to the key file.
  • Fixed an issue where Automatic Input Management would fail if a solution contains a non-filesystem path to a project. For instance, when an “Existing Website” is added to a solution, the solution can contain a web address. In these scenarios, Dotfuscator now warns and continues.
  • Fixed an issue where Dotfuscator errors when protecting an assembly whose name contains netstandard.
  • Fixed an issue where Dotfuscator errors when processing an assembly which has type forwards to nested types.
  • Fixed an issue where the Output tab in the Config Editor would not indicate types which were removed by Dotfuscator.
  • Fixed other minor issues.
Categories
DashO Change Log

DashO Java Obfuscator Change Log V11.2 Build 0 – Release Date May 11, 2021

Reading Time: 2 minutes

Change Log – Version 11.2.0 – Release Date May 11, 2021

Enhancements

This release may contain protection enhancements not described here.

  • Entry Points, Inclusions, and Exclusions can now use supertype and/or annotation based criteria.
  • Entry Points, Inclusions, and Exclusions can now match classes based on the existence of methods or fields that match the criteria.
  • Compiled bytecode from Java 16 (except the record type and the Sealed Classes preview feature) can now be processed.
  • Global Processing Excludes now allows for classes to never be updated by DashO.
  • Updated the New Project Wizard to include settings for generating Entry Point rules based on annotation based criteria, including a special set of entry points for Hibernate/JPA.
  • Improved the Android Project Wizard to support both ways the Android plugin can be applied.
  • Improved the "Method too large" errors to display the original name of methods when renaming has been performed. Methods from multiple classes will be displayed when necessary.
  • Updated the samples.

Changes

  • Added a warning for ambiguous Renaming Exclude class rules (will be changed to an error in a later release).
  • The Make Synthetic option now includes classes.
  • Updated to use ASM version 9.1.
  • Updated to include AdoptOpenJDK JRE version 11.0.11 in the installers.
  • Updated the End User License Agreement to match https://www.preemptive.com/eula.

Fixes

  • Fixed an issue where a class configured as an entrypoint could get renamed in rare circumstances.
  • Fixed an issue where the Config Editor showed unsupported settings on the Removal-Classes page.
  • Fixed an issue where the Config Editor could add a duplicate entry when dragging a class on the Removal-Classes page.
  • Fixed an issue where the x button on save dialog windows would proceed without saving instead of cancelling.
  • Fixed an issue where DashO would overflow a jump's boundaries in some cases.
  • Fixed an issue where the Browse dialog for selecting the Web project output folder would not allow selecting existing directories.
  • Fixed an issue where the Check Injection Locations list included native methods.
  • Fixed an issue where the splash screen would not scale properly on Windows.
  • Fixed an issue where deleting the last Method Call Removal rule would not save to the project file.
Categories
JSDefender Change Log

JSDefender Change Log V2.4 Build 0 – Release Date May 6, 2021

Reading Time: < 1 minute

Change Log – Version 2.4.0 – Release Date May 6, 2021

Features

  • jsdefender-core: JSDefender has a couple of changes that make it harder to reverse-engineer.
  • jsdefender-core: ControlFlowTransform allows injecting fake test conditions with the injectFakeCode configuration option.
Categories
iOSDefender Change Log

iOSDefender Change Log V1.0 Build 0 – Release Date March 29, 2021

Reading Time: < 1 minute

Change Log – Version 1.0.0 – Release Date March 29, 2021

Initial release of iOSDefender SDK!

Enhancements

This release may contain protection enhancements not described here.

Categories
DashO Change Log

DashO Java Obfuscator Change Log V11.1 Build 2 – Release Date March 29, 2021

Categories
Support Corner

Protecting .NET Applications that Use Excel Interop

Reading Time: 2 minutes

Microsoft Office primary interop assemblies give us the ability to create and modify Excel Spreadsheets from a .NET application.  Office applications like Excel are written in unmanaged code.  The primary interop assembly provides wrappers to call unmanaged COM objects from our managed .NET application. 

By default, when you reference an Office primary interop assembly, the interop types are embedded into your application to avoid having to deploy extra assemblies.  When applying protection, we must preserve some of these embedded types and methods to maintain COM interoperability.

Please consider the following example.  This simple C# application uses Excel Interop to create a spreadsheet and populate cells:

When applying for full protection with Dotfuscator, I experience a TypeLoadException at runtime:

To avoid this error, I will configure a rename exclusion for the embedded interop types.  All the embedded Interop types are in the Microsoft.Office.Interop.Excel namespace.  The specific types I need to preserve are interfaces, most of which contain placeholder methods of the form “_VtblGapX_XX” that also must be preserved.

Based on these patterns, I can leverage custom rules to simplify the Renaming configuration.  From my DotfuscatorConfig.xml:

After configuring this rule, the protected output runs properly, and my spreadsheet is created.

The above pattern is general enough to work if the Office primary interop assembly is used for creating any type of Office document: Excel spreadsheet, PowerPoint presentation, Word document, etc.

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
Mobile Application Protection

17 Online Accounts to Follow on Software Development

Reading Time: 3 minutes

We asked our top Software Engineers what they’re reading and listening to lately to stay up to date on software development. Here are their recommendations on top accounts to follow:

YouTube

  1. Fireship
    These high-intensity code tutorials can help you build and ship your apps faster. This channel has new videos every week that cover intermediate to advanced lessons about JavaScript, Flutter, Firebase, and modern app development. You can even get project support, advanced full courses, and more at www.fireship.io.
  2. Google Developers
    The Google Developers channel features talks from events, educational series, best practices and tips, and the latest updates across Google products, platforms, and services including Android, Firebase, TensorFlow, Flutter, Google Assistant, and more.

Blogs

  1. Eric Elliott on Medium
    Read all things JavaScript in Eric Elliott’s JavaScript Scene and The Challenge to make sure you’re up to date on the latest JavaScript news, frameworks, tricks and techniques, software management, and more.
  2. CSharp Digest
    This newsletter is great for busy techs who want the news delivered right to their inbox. You’ll receive weekly updates, interesting stories, and more in the .NET and C# space.
  3. Scott Hanselman Blog
    As a prominent web developer for the Web Platform Team at Microsoft, Scott Hanselman has been blogging for the past decade on his personal web development experience. Topics range from technology, culture, gadgets, diversity, code, the web, and more. He also has three podcasts, a YouTube channel, and a Twitter account, which you can subscribe to as well.
  4. Microsoft Developer Blogs
    Just like it sounds, these series of blogs have the inside scoop on the latest information, insights, announcements, and news from Microsoft, specifically written about Visual Studio, Xamarin, Azure, .NET, and various other development languages. There’s also an option to pull the RSS feed so you can have the news and announcements delivered to you.
  5. Hackaday
    Get lost in mountains of fresh, playful hacks on the Hackaday blog written by developers all around the Internet where new ideas and information are exchanged daily. The term “hacking” tends to have a negative connotation to the public, but Hackaday embraces the act as an art that is highly creative, technical, and clever. When used for good intent, it can positively promote the exchange of new ideas and information. So, if you have any projects you’re proud of and want to show them off, you can document your work on their hosting site, hackaday.io.
  6. Adafruit
    With Adafruit blog, you’ll get the latest trends, news, and resources on open-source hardware, electronics, gadgets, kits, and more to help you get the machine build of your dreams.

Twitch TV

  1. Bald Bearded Builder
    This year, PreEmptive sponsored this channel and PreEmptive’s JSDefender was implemented in various live coding projects. For software development and clever banter, tune in. With nearly 20 years of experience designing and developing software, Michael Jolley (aka the Bald Bearded Builder) loves sharing his knowledge with others and watching them excel. While still building custom applications for clients today, Jolley spends considerable time pouring into others via his live-coding sessions on Twitch and talks at conferences and meet-ups.

Twitter

  1. The Hacker News (@TheHackerNews)
    This widely read account has daily news and technical coverage on cybersecurity, information security, and hacking to make sure you’re one step ahead of trending malicious attacks.
  2. Mobile Security (@mobilesecurity_)
    Are you a mobile app developer? This is a must-follow account. Stay informed on mobile security trends, specifically with Android and iOS platforms, and how you better adapt to safeguard your applications.
  3. David Heinemeier Hansson (@DHH)
    If you haven’t heard of David Heinemeier Hansson, you should. As the creator of Ruby on Rails and co-founder and CTO at Basecamp, Hansson is a must-follow leader in the technology space. With a slew of perspectives and opinions, his tweets offer great insight on software development for developers who want to grow professionally.
  4. Kelly Sommers (@kellabyte)
    Given away by the name of her Twitter handle, Kelly Sommers has a witty personality. She’s also a highly influential developer with over 43K followers to date with an impressive background as a four-times Windows Azure MVP and former two times DataStax MVP for Apache. You’ll get a combination of playful and insightful development tweets.
  5. Sara Ownbey Chipps (@sarajchipps)
    As a developer at Stack Overflow, Sara Ownbey Chipps is a prominent influential developer in the space. While some of her tweets feature development news and personal opinions, she also engages in a mix of current events she feels worthy of a mention.
  6. Nick Quaranto (@qrush)
    Nick Quaranto is the developer you’ll instantly feel like a friend. Quaranto has a more laid-back feed where he talks about development news, in addition to worldwide events he feels deeply passionate about.
  7. Eric Lippert (@ericlippert)
    Eric Lippert designs programming languages at Facebook and is a former C# language design team member at Microsoft. Over the years in his professional career, he’s learned a lot about programming language design and likes to share those said learnings with the development community on Twitter by fielding thousands of questions about C#, JavaScript, and other programming languages. He also has a blog worth checking out.
  8. Jared Parson (@jaredpar)
    Meet the creator of VsVim, Jared Parson. Parson is also a C# compiler team developer lead at Microsoft working on a language and operating system incubation project. Give him a follow and he won’t disappoint.