Categories
Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Remove Log4J calls with DashO’s Method Call Removal
Reading Time: 3 minutes

As we all know Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer facing products and services. The discovery of the recent vulnerability in the Java logging package (CVE-2021-4428) This risk posed a severe threat to millions of consumer products from enterprise software to web applications. It presents risk of loss, or breach of personal information, financial loss and irreversible reputation harm. Currently, the FTC is taking action to require organizations to settle any associated risk caused by the known vulnerabilities. The FTC is now noted as using its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposures. 

A recent example of this negligence came on the back of a complaint in regards to Equifax’s failure to patch a known vulnerability which irreversibly exposed the personal identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the consumer financial protection bureau. The risk for businesses is therefore clear, take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputation damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release.  The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal message in our production build.  This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:

In our DashO project, I’ll select the “LogInfo” method for method call removal:

Graphical user interface, text, application Description automatically generated

After doing so, the application runs normally, but informational messages are no longer logged to console or written to log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
101

Dotfuscator 101

Dotfuscator 101
Reading Time: 4 minutes

In this blog we will dive into Dotfuscator  as part of our 101 series – we walk you through what Dofuscator for .NET does and how this can help protect your projects. 

For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator – by definition is a multi-functional tool that combines obfuscation, optimization while shrinking your source code, on .NET, Xamarin and Windows Platform Apps. Basically this jumbles, encrypts your code, hardening it to prevent theft. 

How does Dotfuscator work?

PreEmptive Dotfuscator for .Net provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the variables and methods making it difficult to read or scan over to gain access to the certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing one variable one by one. To say this least – this is what makes the “bread” harden at surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically it destroys the code patterns that decompilers use to recreate source code resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato to this (String Encryption), hides all the strings that are present in the user’s assembly. To better explain, the typical hacker will locate string references inside the binary. Usually if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable part of the source code. 
  • Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from a MSIL file all while processing. Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming. 
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity during runtime and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese! 
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into the .NET apps. This allows your app to detect any unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning, they can react too, for example – exiting the app when tampering is found. 
  • For those who like a little extra to the sandwich, (Shelf Life) is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic to your code! Now this is what we call the ultimate sandwich! 

When should you use Dotfuscator?

Whether you’re a start-up company, freelancer or an organization developing projects using .NET software, you should be using this in the development process – preferably in the beginning stages even after launches. Data breaches are no longer part of the “new normal” they are part of everyday scenarios. If you don’t protect your code from the beginning…you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.  

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in In-App security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises including many Fortune 500 companies of different industries from medical to government agencies. But if you still need a little more convincing, check out our client list here

For more information on how to get started, download our free trial or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!

Categories
Press Releases

New Release: PreEmptive DashO 11.2.1

DashO 11.2.1

Reading Time: < 1 minute

Professional-grade Application protection With PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?

Version 11.2.1 includes:

  • Enhancements
  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching from configured build variants and their associated inputs in the Config Editor.
  • Changes
  • The Config Editor now opens the last project on startup by default
  • Bug Fixes
  • Fixed an issue where input Jars with the same name could overwrite each other, if “Merge Inputs” was unchecked.
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects.

Ready to learn more about DashO? Request a quote: Request A Qoute

Categories
101

Top 3 Reasons to Use PreEmptive

Top 3 Reasons to Use PreEmptive
Reading Time: 3 minutes

Cyber attacks are part of our everyday discussions and most likely will continue to be present throughout the next 12-18 months. With the rise in nation state attacks, and consistent expansion of IOT tools developers have to stay focused on the prescience of cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are very much intertwined with our work lives, with many folks working remotely, we are more likely to be part of those data breaches we read in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications. 

While we were focused on supply chain attacks, ransomware threats, we overlooked another but equally prominent risk – mobile app breaches. There were over 200 BILLION mobile application downloads in 2021 and that number will most likely increase as we progress through 2022. This means, if you’re a programmer developing an app or creating a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding, whether that was spent on debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for lengths at a time and have firm deadlines to meet. So when a project is complete it feels like gold! We tend to concentrate on completing our projects and ensuring that functionality/usability is up to standard. But, security is often an afterthought. PreEmptive In-App security features have been helping programmers prevent, detect, and respond to attacks without breaking or slowing down your applications – giving you a peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects like we treat our phones by putting a lock on it, then that finish line will look even sweeter. 

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset – how does it actually work? PreEmptive has a layered approach when it comes to protecting your data. Think of it as building your perfect sandwich starting with the bread (obfuscation), adding the meat (renaming code), then the veggies – lettuce (string encryption), tomato (control flow) and more, topping it off with the condiments (active runtime checks) that monitors tampering, debugs, and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will allow you to have the confidence in your security application.

Reason 1: Becoming another Data Breach Statistic

Every month there is another data breach that is brought to our attention. Which makes you really think, are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company/organization or projects is the first step, next researching security options. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the biz since 1996. That’s over 20 years of securing your applications! Not only do we have the experience, we have hundreds of fortune 500 companies who use PreEmptive, Charles Schwab, FedEx, Census Bureau, Microsoft to name a few. If these companies trust our software, we guarantee that by using us, you won’t become another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their companies with PreEmptive. We hope this blog has eased your worries, but if you’re not sold try us with a FREE Trial

Categories
Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Windows Forms Applications
Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and ComboBox binds to an Enum called DaysOfWeek:  

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

            listBox1.DataSource = employeeList;

            listBox1.DisplayMember = “Name”;

            listBox1.ValueMember = “Department”;

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring this Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experienced a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue. 

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime which makes the protected code of our customers much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links

Categories
Risk Management

What Is Reverse Engineering?

Reading Time: 4 minutesReverse engineering is a process of deconstructing, dissecting, and analyzing a hardware device, software program, or system to understand its inner workings, design, vulnerabilities, and functionality. It also represents a dual-edged sword. While it can be a useful tool for developers, in the hands of malicious actors, reverse engineering is used to uncover and exploit vulnerabilities within applications, often leading to security incidents and data breaches.

In this article, we’ll explore reverse engineering and why it’s increasingly crucial for developers and security experts to fortify applications against such intrusive practices.

Legitimate Uses of Reverse Engineering

While the potential for reverse engineering to be leveraged by hackers and attackers is a real and present danger, it’s also a useful tool that, when applied ethically, can dissect complex systems to reveal operational insights, recover invaluable lost code, and strengthen software against cyber threats. However, these beneficial uses also underscore the importance of employing protective measures to ensure that reverse engineering does not become a vector for vulnerabilities.

📌 Uncovering Proprietary Algorithms 

Developers often turn to reverse engineering to unravel proprietary software, allowing a full examination of its algorithms and data structures. This process is especially useful for understanding and enhancing the special functionalities of a software product.

📌 Recovering Lost Source Code

When source code is lost or inaccessible, reverse engineering can be a savior. By decompiling binary code, developers can retrieve a high-level representation of the original source, making it possible to manage and update previously unreachable code. This technique is also a lifeline for reviving legacy systems that have ceased receiving updates, extending their utility by adapting them to work with current technologies.

📌 Security Vulnerability Discovery 

Security experts use reverse engineering to analyze software for vulnerabilities that attackers can exploit. By dismantling software, experts identify weaknesses in the software, such as buffer overflows, insecure communication protocols, and authentication flaws. They then forward these to the development team for fixing and preventing future attacks.

📌 Malware Analysis 

Cybersecurity experts often employ reverse engineering to dissect and understand malware. This enables them to determine how malicious software operates and its potential attack methods, informing the development of effective defenses against future threats. Once experts have understood it, they develop countermeasures to protect their mobile applications against the malware. Ghidra, a reverse engineering software developed by the National Security Agency, is an example of a tool used to dismantle malware and understand its logic.

📌 Competitive Analysis 

Developers use reverse engineering to conduct competitive analysis on their competitor’s products. This helps them understand the strengths and weaknesses of their rival’s products and meet market gaps that competitors are not satisfying. 

Security Risks Associated With Reverse Engineering

While reverse engineering can be an asset in the right hands, it is equally a tool for vulnerability exploitation when wielded by hackers and attackers with ill intentions. The following information describes the various security risks that arise when reverse engineering is misapplied and gives developers plenty of reasons to safeguard their applications diligently.

⚠️ Exposure of Sensitive Code

One of the primary risks of reverse engineering is the potential exposure of sensitive code. Competitors or hackers can dissect an application to uncover proprietary algorithms or data, which may then be replicated or used to undermine the original product’s integrity.

⚠️ Intellectual Property Theft and Software Piracy

Reverse engineering can lead to the theft of intellectual property. By revealing the inner workings of software design and architecture, it can provide a blueprint for unauthorized parties to duplicate and exploit a company’s hard-earned innovations.

One example of this at play is when Apple suspected Samsung of infringing on its patent. Through reverse engineering, Apple proved to a court that Samsung had copied its patents, leading to legal action and a fine.

⚠️ Creation of Unauthorized Derivatives

Through reverse engineering, illicit developers can create unauthorized derivative works. These can range from knock-off products to modified versions of software that bypass revenue models, such as subscription services, causing financial losses and damaging brand reputation.

⚠️ Security Breaches

Perhaps the most alarming risk is that reverse engineering can be used to discover and exploit security vulnerabilities. This can result in unauthorized access to private data, disruption of services, and other harmful activities that negatively affect user trust and experience.

⚠️ Enabling Advanced Persistent Threats (APTs)

Skilled attackers can use reverse engineering to develop APTs, which are prolonged and targeted cyberattacks that can go undetected for extended periods, causing substantial and sustained damage to an organization’s security infrastructure.

Reverse Engineering Techniques and Methodologies 

Reverse engineering is a bit like digital archaeology — digging through layers of code to unearth how a piece of software ticks. As developers, we often need to get into the nitty-gritty of a program, whether it’s to debug, enhance, or secure it. Here’s a rundown of the common techniques and tools.

  • Disassembly —Peeling back the compiled layers to reveal assembly language is a classic move. It’s like translating ancient hieroglyphs into plain English. Tools like Ghidra, Radare2, and IDA Pro are the picks and shovels of this trade, helping to lay bare the logic and flow that drive the application.
  • Decompilation — This involves converting binary code into a higher-level language, such as C or C++. Although similar to disassembly, decompilation is much more complex. It aims to recover the original binary code in a high-level programming language close to the source code.
  • Code Analysis —Static code analysis is like having a diagnostic run without turning the engine on. We use automated tools for this because they’re faster and more accurate. This method is about preempting problems before they become all-nighters.
  • Reverse Debugging — This process allows developers to review the program execution backward in time. It rewinds the program into previous states, making it possible to inspect and preview its history. Often referred to as time travel debugging, this process is essential in diagnosing and fixing complex bugs and understanding the software’s functioning.
  • Pattern Recognition — This involves identifying recurring structures, algorithms, and design patterns in an application. Through systematic data analysis, code and behavior experts can spot patterns from reused code components and data structures. They can then modify, secure, or extend the existing software.

🛡 PreEmptive Protects Your Apps Against Reverse Engineering

Reverse engineering is like anything else — whether it’s “good” or “bad” largely depends on how it’s being applied. There are plenty of legitimate reasons why developers would use it. But it could also be wrongly used by hackers, attackers, or competitors who want access to your source code — and they don’t need it. So don’t leave it unprotected for the taking.

PreEmptive’s code security tools lock your code up tight with obfuscation and encryption so prying eyes can’t get a peek. It’s effective, easy to use, and already trusted by thousands of developers worldwide. Want to check it out for yourself? Start your free trial and see how PreEmptive can protect your apps from reverse engineering.

 

 

 

Categories
Risk Management

What Is Code Encryption?

Reading Time: 4 minutes 

Developers and organizations are today faced with the constant threat of malicious actors stealing their software programs. And that’s not just it; threat actors can today use an application’s source code to either make it unavailable, steal sensitive data, or use it for ransom. That’s why organizations must secure sensitive software components and algorithms. One technique they can use is code encryption. Code encryption refers to transforming an application’s source code into an unreadable format (ciphertext) in a process known as cryptography.

⚖️ Code Encryption Versus Data Encryption 

Because data encryption is one of the most recognized types of encryption, many people often confuse code encryption with it. However, the two refer to different things, even though, in essence, they use the same technique (cryptography) for protecting applications. 

As the name implies, data encryption involves protecting or securing data from attackers. It is the process of changing sensitive data from a format that can be read and understood by humans into one that needs deciphering. 

✅ Code Encryption Benefits

Code encryption prevents malicious actors from stealing software’s intellectual property and using reverse engineering. It’s also important for enhancing data security. 

Software Intellectual Property Protection

In a highly competitive software market, competitors will do anything to get ahead of everyone else. It shouldn’t, therefore, be surprising that these individuals would go as far as stealing an application’s intellectual property, which includes its unique algorithms, innovative ideas, and proprietary features.

With code encryption, developers and organizations can prevent intellectual property theft by scrambling the source code into an unreadable format, thereby safeguarding their competitive edge.

Reverse Engineering Prevention

Reverse engineering involves deciphering how an application works by analyzing its source code. While reverse engineering is considered legal if done with the right intention, it can sometimes be used by malicious actors for the wrong reasons, such as creating duplicates for commercial advantage and finding vulnerabilities to exploit.  

Enhancing Data Security

Even though organizations can enhance data security with data encryption, code encryption can also help, especially if the application they are using contains or handles sensitive data. By encrypting the source code, developers ensure that malicious actors can’t access or tamper with the data these applications process. 

⚙️ Code Encryption Techniques and Methods

There are several techniques developers can use to encrypt source code, such as:

Code Obfuscation

Obfuscation refers to making code hard to understand by changing its executables while maintaining its functionality. This process is especially useful for protecting applications from revere engineering by changing the code’s logic. Developers can use either partial or complete obfuscation to protect applications through several methods:

  • Rename Obfuscation — This technique involves renaming variables, functions, and classes in the code to hide their original purpose.
  • String Encryption — It involves encrypting strings within the code, making it challenging for attackers to identify sensitive information.
  • Control Flow Obfuscation — Developers change how an application executes instructions (control flow) to make it less predictable for hackers trying to reverse engineer.
  • Transforming the Instruction Pattern — This involves changing the arrangement of machine instructions, which makes it difficult to understand how the code operates.
  • Inserting Dummy Code — Without affecting an application’s functionality, developers can add extra snippets of useless code to confuse anyone trying to understand it.
  • Removing Unused Metadata — Since metadata can give clues about the origin of the source code, developers can remove it to make it harder for hackers.
  • Binary Linking/Merging — This technique involves combining binary files or libraries to create a single executable.

Code Tokenization

Instead of leaving source code as is, developers can break it up into smaller units, symbols, or tokens. After tokenization, these tokens are then encrypted individually to ensure hackers don’t decipher them. 

Cryptographic Algorithms

Using cryptographic algorithms for code encryption involves using well-established mathematical procedures and techniques to scramble source code into an unreadable format for both humans and machines. There are several cryptographic algorithms developers can leverage:

  • Symmetric Key Algorithms
  • Asymmetric Key Algorithms
  • Digital Signature Algorithms
  • Hash Functions
  • Public Key Infrastructure (PKI)
  • Key Exchange Algorithms

Examples of What Happens Without Code Encryption

For developers and organizations that are still skeptical about code encryption and its importance, here are some real-life attacks that could have been prevented with source code encryption:

Electronic Arts (EA) Source Code Breach

In 2021, Electronic Arts (EA) fell victim to hackers who stole one of its most popular source codes, Frostbite, that powers games such as FIFA. According to reports, the source code wasn’t the only thing the hackers accessed — they also obtained 780 GB of data. Confirming the reports, an EA spokesman said that while this was true, the hackers did not access player information, which could have resulted in exposing sensitive data for millions of accounts. 

Nvidia Source Code Theft

In February 2022, hackers were able to breach Nvidia, a chip-making company in the U.S., causing several problems. For one, the hackers accessed source code for the company’s Deep Learning Super Sampling (DLSS) technology used in improving the resolution of low-quality images. The hackers went further and leaked the source code online. They also obtained access to Nvidia’s proprietary hash rate limiter for cryptocurrency mining as well as data belonging to company employees. 

📑 Code Encryption Best Practices and Strategies

While code encryption is essential for software security, organizations must approach it in a way that ensures it is foolproof. 

One way to ensure that code encryption is effective is choosing the right code encryption tools. Developers must understand that while one tool might work for a similar application, they should consider their application’s unique requirements by evaluating factors such as the level of security required, performance, compatibility, etc.

It’s also important to understand that code encryption isn’t just a one-time thing. Organizations must keep checking for new vulnerabilities in their source code that hackers can exploit and, therefore, improve their code encryption methods.  

Lastly, code encryption is just one small piece of the bigger software security. To ensure applications are secure, developers must combine code encryption with other forms of security, such as authentication and access controls.   

🔐 How PreEmptive Can Help

Code encryption isn’t a nice-to-have thing for developers and organizations that want to protect their software applications; it’s a must-have. With Dotfuscator, developers can ensure that source code is secure, not just during development but even after launching the application. Dotfuscator utilizes string encryption an effective and reliable method of code encryption — to effectively scramble an application’s source code.

Start your free trial with PreEmptive today and protect your apps against reverse engineering and the data breaches it brings.

 

 

 

Categories
DashO Change Log

DashO Java Obfuscator Change Log V 12.3 Build 0 – Release Date November 29, 2023

Reading Time: < 1 minute

Enhancements

  • Support for compiled bytecode of Java versions up to 20
  • Upgraded DashO Plugin for Gradle and DashO Plugin for Android to support Gradle version 8 and configuration cache
  • DashO Plugin for Android supports flag ‘protectProjectFilesOnly’ to allow obfuscation of jar/classes in project directory only

Fixes

  • Fixed issue when case-insensitive operating systems treated class files with the same names but different letter cases as the same classes

Version compatibility matrix

This release may contain protection enhancements not described here.

 

 

Categories
Risk Management

What Are the iOS Security Vulnerabilities?

Reading Time: 4 minutesiOS is well-known for its robust security framework, but vulnerabilities in the operating system still exist. These are flaws or weaknesses in the iOS operating system that attackers can exploit to gain unauthorized access, leak sensitive data, or compromise device security.

iOS security vulnerabilities can lead to unauthorized access to personal information, financial data, and sensitive communications, compromising user privacy and data integrity. On the device security front, such vulnerabilities may allow attackers to take over devices, install malware, or render systems inoperable.

For example, hackers could post users’ photos online or disclose confidential client information or company financials. In a corporate environment, hackers could use a compromised iOS device as an entry point to the wider network, resulting in operational disruptions, data loss, and costly downtime.

In this article, you’ll discover five common iOS vulnerabilities, how users can protect themselves, and how developers can enhance iOS security.

Five Common iOS Vulnerabilities

Common iOS vulnerabilities span a range of issues. Some more common ones that have been relevant recently include remote code execution, privilege escalation, data breaches, application-specific weaknesses, and man-in-the-middle attacks. Let’s look at these one by one.

1. Remote Code Execution   

Remote code execution in iOS allows attackers to execute malicious code and seize control of devices remotely. An attacker can perform this type of attack without any interaction from the victim, potentially gaining unauthorized access to the system, stealing data, or exploiting the device’s resources for malicious activities.

Hackers perform remote code execution attacks by exploiting vulnerabilities in software or systems, such as unpatched security flaws, to run malicious code. Users can protect themselves by:

  • Updating: Updating software regularly to patch known vulnerabilities closes security gaps and prevents attackers from exploiting outdated systems.
  • Monitoring: Using robust security solutions that include real-time monitoring helps detect and promptly address unusual activity.
  • Browsing: Practicing safe browsing habits helps avoid downloading or clicking on suspicious links that could execute such code. It reduces the risk of inadvertently allowing malicious software onto devices.

2. Privilege Escalation

Privilege escalation vulnerabilities are security weaknesses that allow an attacker to gain elevated access to resources that a lower-level application or user shouldn’t be able to access. It lets the attacker perform unauthorized actions, such as accessing confidential data, changing configuration settings, or taking control of the operating system. The hacker wouldn’t be able to do this with lower-level permissions.

Users can protect themselves by actively updating their systems with the latest security patches and employing security tools that monitor for unauthorized attempts. Additionally, they can give each person or program the fewest permissions they need to get their work done.

3. Data Leakage

Data leakage occurs when sensitive information is accidentally exposed or intentionally stolen from a system, potentially leading to unauthorized access and misuse of personal, financial, or business information. It can happen through various means, such as security breaches, software vulnerabilities, or during data transfer between different systems.

Hackers perform data leakage attacks by exploiting weak security systems, phishing, or installing spyware to siphon off sensitive information. Users can protect themselves by: 

  • Using strong, unique passwords for different accounts
  • Enabling two-factor authentication
  • Being cautious about sharing personal information, especially on public or unsecured networks

4. App Vulnerabilities

App vulnerabilities refer to weaknesses or flaws in a mobile application that cybercriminals can exploit to carry out malicious activities, such as stealing data, injecting malware, or disrupting app functionality. These vulnerabilities can stem from inadequate coding practices, failure to update software, or not properly securing data within the app.

Users can protect themselves from app vulnerabilities by: 

  • Downloading apps only from trusted sources like the official App Store
  • Updating apps to the latest versions regularly
  • Reviewing app permissions to ensure they only have access to necessary information

5. Man-in-the-Middle Attacks

Another common iOS security vulnerability is “man-in-the-middle” attacks. These occur when an attacker intercepts communication between two parties, typically over an unsecured Wi-Fi network, to eavesdrop or alter the transmitted data. They could lead to the interception of sensitive data like login credentials, credit card numbers, and personal information.

To protect against this type of attack, users should use secure and encrypted connections and virtual private networks.

Blastpass: A Real-World Example of iOS Vulnerabilities

The so-called Blastpass vulnerability Apple disclosed in September 2023 underscores the ongoing battle against iOS device security threats. It allowed attackers to exploit devices without user interaction, an alarming prospect for any iOS user.

Blastpass leveraged a zero-click exploit, meaning hackers could trigger it without user engagement, a method that is increasingly common among sophisticated cyber threats. Apple has responded with a security patch to mitigate this vulnerability, as detailed in their updates. 

Statistics on zero-click exploits illustrate their rise — the first nine months of 2022 saw nine zero-click attacks, while the same period in 2023 saw 13. For users, the best defense against such exploits is to install Apple’s latest updates promptly.

Mitigating iOS Security Risks for In-house Developers

In-house corporate developers face many challenges in ensuring the security of their organization’s iOS applications. The following best practices provide a brief roadmap for in-house developers aiming to fortify their organizations against potential iOS security vulnerabilities:

  • Enforce Mobile App Security Protocols: Implement strict mobile app security protocols, including end-to-end encryption and secure authentication methods. These measures help protect sensitive data and prevent unauthorized access to corporate mobile applications.
  • Prevent Data Breaches on iOS: Use data leakage prevention tools that monitor and block the transmission of sensitive information outside the corporate network. Regular security audits and employee training on data handling are also crucial in minimizing risks of data exposure.
  • Regularly Address iOS App Vulnerabilities: Use automated tools to scan for vulnerabilities within apps and apply fixes before attackers can exploit them. 
  • Stay Updated With iOS Security Updates: Prioritize the integration of the latest iOS security updates into the development cycle. This includes testing for compatibility and functionality to ensure that security enhancements are active and do not disrupt business operations.
  • Adhere to iOS Security Best Practices: Use secure coding techniques, regularly review code for potential security issues, and ensure all third-party libraries and software development kits (SDKs) used in the app development are up to date and from reputable sources.

Wrapping Up: Vigilance and Protection in iOS Security

While iOS is known for its security, vulnerabilities persist, posing risks to data and device integrity. To combat these threats, users and developers must be vigilant, adopting best practices and investing in DevSecOps

PreEmptive’s suite of products, including Dotfuscator, DashO, JSDefender — and now Defender for iOS — plays a crucial role in this defense strategy. By providing multiple layers of protection through obfuscation and active runtime checks, PreEmptive helps developers safeguard applications against hacking and tampering, ensuring the security of intellectual property, sensitive data, and revenue.

 

 

 

Categories
Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 7.1.0 – Release Date November 13, 2023

Reading Time: < 1 minute

Enhancements

  • Added support for parallel configuration file access
  • Added support for target platform specific configuration file for MAUI
  • Added support for linking .NET Core assemblies
  • Improved performance of Debug Check

Fixes

  • Strong name signature of resigned assemblies can now be verified using common tools (such as dumpbin.exe)
  • Improved root check
  • Improved XAML processing
Categories
Dotfuscator

PreEmptive Dotfuscator Ranks High in G2 Fall 2023 Grid Report

Reading Time: 2 minutesIt’s that time of the year again! G2 recently rolled out their much-anticipated Fall 2023 reports. These quarterly reports examined 16,000+ products across 1,000+ categories to identify the trendsetters, the top performers, the rising stars, and the game-changing shifts in the software arena. We’re excited to say that Dotfuscator App Protection for .NET & Xamarin (and now MAUI) fared extremely well, with 100% of users giving it 4 or 5 stars and most saying they would recommend it.

 

A Closer Look at the G2 Fall 2023 Report

G2 is the premier business software review platform. They rigorously assess and rank software products based on genuine user feedback and evaluations. The reports look at marketplace data to determine the software tools that are making the biggest splash in the market, which are most useful, which ones are people actually using.

In other words, it’s not which company bought a sponsorship and gets to have their software placed at the top of the list alongside the same boring, sanitized marketing copy we’ve all seen a thousand times. It’s about which software the developers in the trenches rely on. Straight forward feedback, no fluff.

 

How Dotfuscator Performed

We like to say that when it comes to the ease of doing business and quality of support, nobody is better than PreEmptive. In fact, in the Relationship Index for Mobile Data Security report, Dotfuscator ranked first ahead of Check Point Mobile Access, Prey, LIAPP, Salesforce Security and Privacy, MVISION Mobile and others.

Dotfuscator also made the upper ranks of the Relationship Index for Data Security report, and it was named as a high-performing product with remarkable customer success in the Report for Data Security

 

Your Security Is Our Success

When you consider that the Grid reports is the voice of real users and not one lone analyst, we’re proud and thankful to our Dotfuscator users who shared their positive experiences reflected in the G2 Fall 2023 Grid Reports.

At PreEmptive, we’re not just committed to upholding the gold standard; we’re driven to raise the bar even higher. If you’re a .NET programmer in need of the best source code security, let us show you what that’s all about. We invite you to witness Dotfuscator for yourself with a free trial.

 

 

Categories
Risk Management Support Corner

.NET MAUI — What It Is and Why It Matters

Reading Time: 4 minutes 

Built by Microsoft, .NET MAUI (Multi-platform App UI) is a unified framework for building cross-platform applications for Windows, Android, macOS, and iOS. Developers use it to write code once and deploy it across multiple platforms, eliminating the need to duplicate their work in separate native development. .NET MAUI serves as the Xamarin.Forms evolution, inheriting its fundamental capabilities while introducing new features and optimizations. This guide will provide a .NET MAUI overview, including its features, benefits, and use cases. 

Key Features of .NET MAUI

.NET MAUI offers a comprehensive suite of features designed to simplify cross-platform development, enhance performance, and provide flexibility. 

✅ Single Project Structure for Multiple Platforms

One of the most significant changes .NET MAUI brings is a single project structure to target multiple platforms. Unlike Xamarin.Forms, where you had to maintain separate projects for Android, iOS, and other platforms, .NET MAUI condenses this into a single project, simplifying project management and reducing the complexity associated with syncing changes across different projects. 

✅  Enhanced Development Flexibility and New Controls

.NET MAUI provides enhanced development flexibility through its wide array of controls and layouts. It includes all the essential controls from Xamarin.Forms while introducing new ones that were previously unavailable or required third-party libraries. .NET MAUI controls like GraphicsView and Shapes allow for advanced graphics rendering, expanding the scope of what developers can achieve. Additionally, .NET MAUI comes with improved customization options, enabling you to create tailored user interfaces with ease.

Native Performance and Support for Platform-Specific APIs

With near-native performance achieved by optimizing the underlying architecture and rendering engine, .NET MAUI delivers faster start-up times, smoother animations, and a more responsive application UI design. It also provides greater access to native APIs, which means you can more easily integrate platform-specific functionality without resorting to cumbersome workarounds. You can now directly tap into native features, such as Bluetooth, camera, or GPS, right from your .NET MAUI code.

Integration of Blazor and Its Benefits

Previously, Blazor was primarily used for building web applications using WebAssembly. Its integration with .NET MAUI allows developers to build hybrid applications that share code and libraries between web and native mobile applications. Blazor integration reduces development time and ensures consistency in behavior and appearance across different platforms. With Blazor, you can write your application logic in C#, eliminating the need to use JavaScript for client-side logic in web portions of your app. 

Why .NET MAUI Matters    

Cross-platform development has gained traction in the software industry due to the proliferation of devices and operating systems. Businesses need to reach users where they are, often spanning multiple platforms like Android, iOS, Windows, and the web. Developing separate applications for each platform requires considerable time, resources, and specialized skills. .NET MAUI’s emphasis on cross-platform development allows developers to write code once and deploy it on multiple platforms, accelerating time-to-market and reducing development costs. 

.NET MAUI comes with a rich set of controls and layouts out-of-the-box, which saves developers from relying on third-party libraries or writing custom controls for basic functionalities. This reduced complexity and overhead allows developers to focus on building features and improving user experience rather than wrestling with project configurations and platform-specific limitations.

Its integration with .NET puts advanced language features and a comprehensive standard library at the tip of your fingers so you can build more performant and scalable applications. Being part of a unified ecosystem means that .NET MAUI can easily integrate with other .NET libraries and services, like ASP.NET for web services or Entity Framework for database operations.

How .NET MAUI Compares

As an evolution of Xamarin.Forms, .NET MAUI offers significant improvements and additional features. Instead of requiring multiple projects for different platforms, making management complex., .NET MAUI has a single project structure to target all platforms.

Xamarin.Forms had some performance limitations, particularly in rendering complex UI elements. .NET MAUI focuses on native-level performance, improving both rendering speed and application responsiveness.

.NET MAUI also adds new controls and increases customization options for existing ones while streamlining access to native functionalities. 

The biggest improvement may be native support for Blazor. Xamarin.Forms lacked native integration, which limited its utility for web-based applications. With Blazor, .NET MAUI enables code sharing between web and mobile platforms.

.NET MAUI also stacks up favorably in comparison to other cross-platform tools, including: 

  • React Native — Unlike React Native, which uses JavaScript and a virtual DOM to facilitate cross-platform development, .NET MAUI relies on C# and XAML for a more native-like experience. MAUI offers better integration with the .NET ecosystem, while React Native has a large community of third-party libraries.
  • Flutter — Flutter uses Dart and provides high performance but requires learning a less commonly used language (Dart). .NET MAUI lets developers stick with C#, which is widely used, and integrates better with existing .NET services.
  • Ionic — Ionic uses web technologies like HTML, CSS, and JavaScript to create mobile apps. While it’s easier for web developers to transition, it lacks the native performance .NET MAUI provides.

Real-World Use Cases

Due to its versatility, .NET MAUI is an ideal choice for a wide range of use cases across industries.  

→ Enterprise Mobility Solutions

Enterprises often require mobile applications that are consistent across multiple platforms for better manageability and user experience. .NET MAUI shines in this scenario by enabling the development of cross-platform apps with a single codebase.

E-Commerce Platforms

E-commerce businesses want to provide a seamless shopping experience across web and mobile platforms. .NET MAUI, with its native-like performance and rich UI controls, can be used to develop sophisticated and user-friendly e-commerce applications. The integration of Blazor enables code and feature sharing between web and mobile platforms, giving users a consistent experience.

IoT Applications

.NET MAUI offers strong native API support, allowing developers to easily integrate with device capabilities like Bluetooth, sensors, and cameras. This makes it a strong candidate for building Internet of Things (IoT) applications where cross-platform consistency and native device features are crucial.

.NET MAUI Application Security With PreEmptive

While .NET MAUI offers developers more versatility and control, application security is still a primary concern. PreEmptive Dotfuscator is the developer’s choice for advanced obfuscation to protect .NET applications, including those built with .NET MAUI, from reverse engineering and the data breaches it leads to.

When developers use .NET MAUI to build their applications, they can integrate PreEmptive’s obfuscation to ensure that source code is hardened against hackers’ attempts to gain unauthorized access. Curious to learn more? Request a free trial and see it in action for yourself.

 

 

Categories
Risk Management

Stopping Phishing for Developers: Techniques and Defenses

Reading Time: 5 minutes 

As Cybersecurity Month 2023 approaches this October, the spotlight is on recognizing and reporting phishing, one of the pivotal themes for this year. With the ever-evolving landscape of phishing attacks, developers find themselves at the forefront of this battle. Gone are the days when a poorly written email with misspellings signaled a phishing attempt. Today’s phishing schemes employ advanced technologies and an in-depth psychological understanding, challenging even the most astute users. In this complex digital era, developers have a unique role to play, wielding their expertise not just in building systems, but also in safeguarding them from these intricate threats.

Phishing Techniques: A Look Into the Tactics Targeting Developers and Their Code

While the standard advice to avoid opening attachments from unknown sources still holds true, hackers can now generate targeted attacks to get around standard security measures. 

→ Machine Learning in Phishing Attacks

Malicious actors have fully embraced the possibilities of AI. Machine learning now drives many phishing attacks. Cybercriminals use algorithms to optimize their attack strategies, from identifying the most vulnerable targets in an organization to tailoring phishing content based on user behavior and preferences. These algorithms can analyze massive datasets of user information, enabling attackers to make highly personalized and convincing attempts.

Spear Phishing

Spear phishing, a targeted form of phishing, now often incorporates data culled from social engineering. Cybercriminals scan social media platforms or corporate websites to gather detailed information about their target, such as job titles, work relationships, and even personal hobbies. Armed with this data, they craft incredibly relevant and trustworthy emails or messages. 

Real-Time Phishing

In real-time phishing, cybercriminals create a fake website that mimics the genuine website almost perfectly. During a parallel session, the user inputs login details into the fake website, and the hacker immediately uses those details to log into the actual website.

The process often happens so swiftly that the user doesn’t even realize they’ve been phished. This method dramatically increases the attack’s effectiveness by bypassing two-factor authentication and other security measures. 

SMS Phishing

The increasing use of mobile devices for work also opens new vectors for phishing attacks. SMS phishing — also called smishing — has seen a surge. Here, attackers sending text messages that direct users to malicious websites or prompt them to disclose sensitive information. 

Deepfake Phishing

Deepfake technology is still evolving, but that hasn’t stopped malicious actors from using it.  Hackers can create highly convincing fake videos or audio messages that appear to come from trusted figures within an organization. These deepfakes can trick employees into transferring funds or revealing confidential information. 

Defensive Coding: Techniques to Make Applications Resistant to Phishing

Although many phishing attacks rely on human error to bypass otherwise effective security measures, there are tactics developers can use to harden applications against attacks. Some code-based phishing defenses for developers include the following: 

  • Validating user input: Always use input validation techniques on both client and server sides. Double-check that all form submissions and URL parameters conform to expected formats. Input validation can filter out malicious code that attackers often use for phishing.
  • Employing content security policies: Implement content security policies to restrict the sources of content that an application can execute. By whitelisting trusted domains and blocking inline scripts, developers can prevent attackers from injecting malicious content into web pages.
  • Using multi-factor authentication: Implement multi-factor authentication (MFA) to add an extra layer of security. MFA makes it harder for phishers — although not impossible —  to gain unauthorized access even if they steal login credentials.
  • Applying role-based access control (RBAC): Assign permissions based on roles within the application. Limit the amount of privileged information each role can access. Doing so minimizes the damage that can occur, even if a phishing attack compromises a user account.
  • Implementing rate limiting: Cap the number of login attempts and password resets from a single IP address within a specific time frame. Rate limiting can thwart brute-force attacks often associated with phishing campaigns.
  • Using time-based restrictions: Add time-based restrictions for high-risk actions like fund transfers or changes to account settings. Require a waiting period or a secondary confirmation, which can deter real-time phishing attempts.
  • Leveraging machine learning: Integrate machine learning algorithms that analyze user behavior and traffic patterns. These algorithms can flag suspicious activity to proactively prevent phishing attacks.
  • Regularly updating and patching software: Keep all libraries, frameworks, and other software current. Security patches often fix vulnerabilities that attackers can exploit for phishing.

Secure Communication: Ensuring Secure and Authenticated Correspondence in Applications

You should also protect data communication to make it more difficult for hackers to steal and manipulate data for phishing attacks.  The following techniques can help developers safeguard user data and app integrity:  

  • Using HTTPS for all transactions: Secure URL practices encrypt all data in transit using HTTPS rather than HTTP. SSL/TLS certificates provide robust encryption and serve as the first defense against man-in-the-middle attacks, which can intercept and manipulate data.
  • Implementing end-to-end encryption: Only the communicating users can read the messages with end-to-end encryption. Even if an attacker intercepts the data packets, they cannot decrypt the information. This is particularly important for messaging apps and in email security protocols.
  • Digitally signing messages: Use digital signatures to verify the integrity of the messages. When a message is digitally signed, any alteration or tampering becomes evident, allowing users to disregard compromised messages.
  • Tokenizing sensitive information: Replace sensitive information with a non-sensitive equivalent, known as a token. Tokenization protects the data as it travels through various networks, reducing the risk associated with data exposure.
  • Securing API communication: For applications relying on APIs for internal or external communications, secure them with strong authentication and rate limiting. Make sure the API calls are also transmitted over HTTPS.
  • Implementing data loss prevention (DLP) measures: Use DLP tools to monitor and control data transfers. These tools can identify sensitive data and prevent unauthorized sharing, reducing the risk of leaks or exposure.
  • Isolating communication channels: Segment your network and isolate communication channels where sensitive data is transmitted. Use firewalls and other security measures to restrict access to these secure channels.

Case Study: A Successful Phishing Attempt and Its Implications for Developers

Twitter was attacked in one of the most high-profile spear phishing cases recently. In 2020, several Twitter staff members’ credentials were hacked and used to gain access to celebrity Twitter accounts, such as Elon Musk and Barack Obama. The hackers tweeted out pleas for Bitcoin and managed to collect $100,000 before they were locked out of the system. This case highlights the importance of recognizing phishing vulnerabilities within an organization. 

Though embarrassing for Twitter, the financial impact pales compared to some successful phishing attacks. Google and Facebook were fleeced out of $100 million over several years. The scammer repeatedly sent fake invoices from Quanta, a vendor both companies used. Since the bogus invoices seemed to originate from a trusted vendor, they were paid by the tech giants. 

🗝 Key Takeaways

As Cybersecurity Month 2023 emphasizes the crucial role of recognizing and reporting phishing, we developers emerge as unsung heroes, innovating tirelessly behind the scenes. While phishing attacks often target human vulnerabilities, we have the tools and skills to enhance our defenses, making it challenging for malicious actors to obtain data for targeted attacks or to mimic authentic websites. In this age of evolving threats, always remember: we developers are not just creators; we’re the frontline defense against phishing.

Curious about how PreEmptive empowers developers to stay ahead in cybersecurity? Check out our code security solutions.

 

 

 

Categories
Dotfuscator Support Corner

Support Corner: Protecting .NET MAUI Applications

Reading Time: 2 minutesPreEmptive has a long-standing history of working with clients building Xamarin apps. With the introduction of Multi-platform App UI (MAUI), set to replace Xamarin as the go-to solution for creating versatile apps across platforms using .NET, Dotfuscator has been adeptly updated to offer support to MAUI, alongside its existing support to Xamarin.

The Challenge: Security in MAUI Apps

MAUI apps install managed assembly files on the end user’s machine or device. Take an MSIX installer, for example; it will place .dll files into the Program Files directory (C:\Program Files\WindowsApp). These files are susceptible to decompiling and reverse engineering using tools like ILSpy, posing a significant risk if your app contains trade secrets or manages sensitive data: 

The Solution: Dotfuscator Integration

This is a problem if your app contains trade secrets or handles sensitive data. The good news is this is very easy to remediate by installing and then integrating Dotfuscator directly into your application’s project file (.csproj, .vbproj): 

This will trigger Dotfuscator to run before any packaging or deployment steps of a Release build, ensuring that your binaries are secure before they are deployed:

With Xamarin, the protection process involved integrating Dotfuscator into separate Visual Studio projects for Android, iOS, and UWP. MAUI simplifies this by allowing a single Visual Studio project to build apps for Windows, Android, iOS, and Mac. This means integrating Dotfuscator just once protects your app across all these platforms.

After this basic integration, your MAUI app will be safeguarded from reverse engineering, allowing for the secure deployment of protected binaries to Android, iOS, Mac, and Windows:

Shield .NET MAUI Applications With PreEmptive

The introduction of .NET MAUI presents exciting possibilities and highlights the need for enhanced security. Dotfuscator provides a robust solution, protecting against reverse engineering and the vulnerabilities of decompiling. It supports the diversified application environment enabled by MAUI and simplifies the integration process, enabling developers to easily secure applications across different platforms with just a single integration.

If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact our Support Department.

 

 

Categories
Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 7.0.0 – Release Date October 03, 2023

Reading Time: < 1 minute

Enhancements

Note: Do not forget to update the Dotfuscator version number in the MSBuild Targets path for your existing projects. Read more about upgrading from Dotfuscator 6 to Dotfuscator 7 here