
Remove Log4J calls with DashO’s Method Call Removal


As we all know, Log4j is a ubiquitous piece of software used to record activity in a wide range of systems found in consumer-facing products and services. The recently discovered vulnerability in this Java logging package (CVE-2021-4428) posed a severe threat to millions of consumer products, from enterprise software to web applications. It presents a risk of loss or breach of personal information, financial loss and irreversible reputational harm. Currently, the FTC is taking action to require organizations to address any risk caused by the known vulnerabilities, and it has stated that it will use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure.

A recent example of this negligence came on the back of a complaint regarding Equifax’s failure to patch a known vulnerability, which irreversibly exposed the personally identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the Consumer Financial Protection Bureau. The risk for businesses is therefore clear: take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputational damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release.  The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal messages in our production build.  This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:

In our DashO project, I’ll select the “LogInfo” method for method call removal:


After doing so, the application runs normally, but informational messages are no longer logged to console or written to log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.



Dotfuscator 101


In this blog we will dive into Dotfuscator as part of our 101 series – we walk you through what Dotfuscator for .NET does and how it can help protect your projects.

For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator is, by definition, a multi-functional tool that combines obfuscation and optimization while shrinking your source code, on .NET, Xamarin and Windows Platform Apps. Basically, it jumbles and encrypts your code, hardening it to prevent theft.

How does Dotfuscator work?

PreEmptive Dotfuscator for .NET provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the variables and methods, making it difficult to read or scan over to gain access to certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing variables one by one. To say the least, this is what hardens the “bread” at surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically it destroys the code patterns that decompilers use to recreate source code resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato to this (String Encryption), hides all the strings that are present in the user’s assembly. To better explain, the typical hacker will locate string references inside the binary. Usually if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable part of the source code. 
  • Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from an MSIL file, all while processing. Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming.
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity during runtime and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese! 
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into the .NET apps. This allows your app to detect any unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning, they can react too, for example – exiting the app when tampering is found. 
  • For those who like a little extra to the sandwich, (Shelf Life) is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic to your code! Now this is what we call the ultimate sandwich! 

When should you use Dotfuscator?

Whether you’re a start-up company, a freelancer or an organization developing projects using .NET software, you should be using this in the development process – preferably in the beginning stages, and continuing even after launch. Data breaches are no longer part of the “new normal”; they are part of everyday scenarios. If you don’t protect your code from the beginning… you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.  

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in In-App security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises, including many Fortune 500 companies in industries from medical to government agencies. But if you still need a little more convincing, check out our client list here.

For more information on how to get started, to download our free trial, or if you need further help, we encourage you to use the resources found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!



New Release: PreEmptive DashO 11.2.1


Professional-grade application protection with PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?

Version 11.2.1 includes:

  • Enhancements
      • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
      • New option for Properties with filesystem path values that opens a system browse dialog
      • A new dropdown for Android mode projects allowing easy switching between configured build variants and their associated inputs in the Config Editor
  • Changes
      • The Config Editor now opens the last project on startup by default
  • Bug Fixes
      • Fixed an issue where input Jars with the same name could overwrite each other if “Merge Inputs” was unchecked
      • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects

Ready to learn more about DashO? Request a quote: Request a Quote


Top 3 Reasons to Use PreEmptive


Cyber attacks are part of our everyday discussions and will most likely continue to be throughout the next 12-18 months. With the rise in nation-state attacks and the constant expansion of IoT tools, developers have to stay focused on the presence of cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are very much intertwined with our work lives; with many folks working remotely, we are more likely to be part of the data breaches we read about in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications.

While we were focused on supply chain attacks and ransomware threats, we overlooked another, equally prominent risk – mobile app breaches. There were over 200 BILLION mobile application downloads in 2021, and that number will most likely increase as we progress through 2022. This means that if you’re a programmer developing an app or creating a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding; whether that time was spent on debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for long stretches and have firm deadlines to meet. So when a project is complete, it feels like gold! We tend to concentrate on completing our projects and ensuring that functionality and usability are up to standard. But security is often an afterthought. PreEmptive In-App security features have been helping programmers prevent, detect, and respond to attacks without breaking or slowing down their applications – giving you peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects like we treat our phones, by putting a lock on them, then that finish line will look even sweeter.

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset is: how does it actually work? PreEmptive has a layered approach when it comes to protecting your data. Think of it as building your perfect sandwich, starting with the bread (obfuscation), adding the meat (renaming code), then the veggies – lettuce (string encryption), tomato (control flow) and more, topping it off with the condiments (active runtime checks) that monitor tampering, debugging, and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will give you confidence in your application’s security.

Reason 1: Becoming another Data Breach Statistic

Every month another data breach is brought to our attention, which makes you really think: are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company, organization or projects is the first step; next comes researching security options. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the biz since 1996. That’s over 20 years of securing your applications! Not only do we have the experience, we have hundreds of Fortune 500 companies who use PreEmptive: Charles Schwab, FedEx, the Census Bureau and Microsoft, to name a few. If these companies trust our software, we guarantee that by using us, you won’t become another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their businesses with PreEmptive. We hope this blog has eased your worries, but if you’re not sold, try us with a FREE Trial.



Protecting Windows Forms Applications with Data Bound GUI Controls


Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and a ComboBox binds to an Enum called DaysOfWeek:

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

            listBox1.DataSource = employeeList;
            listBox1.DisplayMember = "Name";
            listBox1.ValueMember = "Department";

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring these Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.
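As an added example (not the post’s own downloadable project), here is the Employee object and DaysOfWeek enum carrying the Rename exclusion in source via System.Reflection.ObfuscationAttribute, as an alternative to the Config Editor exclusion described above; it assumes the obfuscation build honors that attribute. The BindingCheck helper is a constructed startup self-test that performs the same by-name property lookup data binding does, so a renamed property fails fast with a clear message instead of an opaque binding exception.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Reflection;
using System.Windows.Forms;

// Constructed example: the object type behind the ListBox. DisplayMember and
// ValueMember are resolved from their string values by reflection at runtime,
// so these property names must survive renaming. The attribute is an in-source
// alternative to a Config Editor Rename exclusion (assumes the build honors it).
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public class Employee
{
    public string Name { get; set; }
    public string Department { get; set; }
}

// Binding a ComboBox to Enum.GetValues(...) displays each member via ToString(),
// which reads the member names by reflection, so the members are excluded too.
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public enum DaysOfWeek { Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday }

public static class BindingCheck
{
    // Returns the binding names that no public property of itemType matches.
    // PropertyDescriptor lookup is what data binding does at runtime: an empty
    // result means DisplayMember/ValueMember will resolve; a non-empty result
    // means renaming (or a typo) broke the binding and the app would throw.
    public static IList<string> UnresolvedBindingNames(Type itemType, params string[] names)
    {
        PropertyDescriptorCollection props = TypeDescriptor.GetProperties(itemType);
        return names.Where(n => props.Find(n, false) == null).ToList();
    }
}

public class MainForm : Form
{
    private readonly ListBox listBox1 = new ListBox();
    private readonly ComboBox comboBox1 = new ComboBox();

    public MainForm()
    {
        // Constructed sample data standing in for the post's employee collection.
        var employeeList = new List<Employee>
        {
            new Employee { Name = "Alice", Department = "Engineering" },
            new Employee { Name = "Bob",   Department = "Support" },
        };

        // Fail fast with an actionable message if the property names were renamed
        // out from under the string literals used below.
        IList<string> missing = BindingCheck.UnresolvedBindingNames(typeof(Employee), "Name", "Department");
        if (missing.Count > 0)
        {
            throw new InvalidOperationException(
                "Data binding cannot resolve: " + string.Join(", ", missing) +
                " (check Rename exclusions for Employee)");
        }

        listBox1.DataSource = employeeList;
        listBox1.DisplayMember = "Name";        // looked up by string at runtime
        listBox1.ValueMember = "Department";    // looked up by string at runtime

        comboBox1.DataSource = Enum.GetValues(typeof(DaysOfWeek));
        comboBox1.Top = listBox1.Bottom + 8;

        Controls.Add(listBox1);
        Controls.Add(comboBox1);
    }

    [STAThread]
    public static void Main()
    {
        Application.EnableVisualStyles();
        Application.Run(new MainForm());
    }
}
```

The check does not replace the Rename exclusion; it only turns a confusing binding failure after obfuscation into a message that names the missing property.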

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experience a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue.

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


PreEmptive Product Updates


We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature without the extra configuration steps that were previously required.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement for many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 


DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation-based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.


JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime that make our customers’ protected code much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.


Shocking Hacks That’ve Already Happened in 2023

The effects of hacking and cybercrime show no signs of slowing down. In fact, all signs point towards the opposite being true. Experts predict that by 2025, cybercrime will siphon $10.5 trillion from the global economy annually — averaging a 15% increase year over year.

Although it’s only a few months into the new year, the hackers have been hard at work. In 2023, there have already been many instances of cybercrime, whether infiltrated websites, social engineering attacks, or stolen consumer information. All of these pose significant financial risks to any institution. Additionally, as technology evolves, with developments such as new artificial intelligence, there are newfound concerns over web security.

Hackers target businesses — large and small — and no industry is left untouched. With such threats, organizations must incorporate state-of-the-art protection measures to guard their desktop sites, mobile applications, and web servers. These measures help protect all crucial company, employee, and consumer data and decrease the likelihood of a breach.

PreEmptive offers developers protection tools for desktop, mobile, cloud, and IoT platforms and applications. The products boast many different features across a wide range of coding languages. 

What’s Happened in 2023 So Far

Every year, data experts predict the newest threats to cybersecurity. Going into 2023, there were more predictions than ever. Many newer technologies, like IoT, artificial intelligence, Web3, and blockchain, pose new opportunities and threats to cybersecurity. However, many typical security threats, like phishing, ransomware, SQL injection, and email scams, remained concerns heading into the new year.

So far, 2023 has revealed that data experts were right on almost every front. Below are a few examples of some shocking hacking statistics that have unfolded so far in 2023. 

Hackers Obtain Information of 37 Million T-Mobile Accounts

In January, T-Mobile announced that it had discovered hackers gaining entry to its servers, resulting in the theft of data on over 37 million customers. Hackers obtained private information, including birthdays, email addresses, and full names.

T-Mobile has yet to announce a plan for compensating the targeted customers. Moreover, this breach comes on top of another data mishap in August 2021, for which T-Mobile agreed to pay a settlement of $350 million. 

Norton LifeLock Experiences Breach of 6,000+ Accounts

Early in January, Norton said that over 6,000 customers were victims of a credential stuffing attack. In a credential stuffing attack, hackers use compromised passwords and login info to gain entry to users’ other accounts that may share the same password.

Norton alerted all the hacked accounts. They also encouraged all their users to enable the two-factor authentication feature to help avoid future hacking attempts. 

Sharp HealthCare Undergoes 60,000+ Patient Data Hack

Medical data is among the most sensitive forms of information. However, in February, Sharp HealthCare’s website was hacked. As a result, over 62,000 patients had their medical data, Social Security numbers, and healthcare info compromised. The company stated that the hackers acquired no financial information.

Sharp HealthCare revealed that the hackers infiltrated the organization’s site through its web services page, from which they had been siphoning information since the middle of 2022.

FAA Delays 10,000 Flights Due to Potential Security Breach

Citizens of the United States were shocked in January when the FAA grounded all outbound international flights for undisclosed reasons. The action resulted in 10,000 delayed and over 1,300 canceled flights. 

Immediately, speculation began. Many thought the FAA’s urgent measures were due to a data breach. The FAA assured the public that the disruption was not a result of cybersecurity failure. However, the event left many wondering what the reason was, raising questions regarding the cybersecurity of the FAA’s systems. 

AI Chatbot Technology Tested in 169 Countries Makes Unsettling Statements

One of the biggest tech stories to rock the world in 2023 has been the revolutionary new AI chatbots — like ChatGPT, OpenAI, and Bing AI.

However, although these bots form swift and creative responses, many worry the sci-fi tech-villain tropes are no longer stories. Specifically, reporters found that Microsoft’s Bing AI claimed it could infiltrate computers, hack personal information, and even expose private information to the public. It even threatened to steal nuclear codes. 

The developers stated their surprise at the bot’s responses. However, they largely dismissed the claims, saying the AI chatbot was confused by the user’s line of questioning. 

Predictions Are Coming True in 2023

Many of the data-driven prophecies didn’t take long to find vindication so far in 2023. Phishing scams, such as the successful breach reported by Activision in February of this year, are still rampant. In addition, there are growing concerns over how developments in artificial intelligence deal with sensitive information and the weaknesses of the interconnected nature of IoT.

As stated by many experts, the main worry is a lack of perimeter defense that detects both human errors in coding and potential threats from third parties. As a result, companies must defend their resources against attacks like phishing scams and ransomware with the proper protection. 

Prevent Cybersecurity Threats With Best Practices

It’s estimated that over 33 billion pieces of personal information will be stolen in 2023. 

Thankfully, businesses aren’t entirely helpless when protecting their vital digital infrastructure. Many of these issues point back to ensuring that all code for desktop and mobile applications is encrypted with the proper strength. Only then can you ensure every link in the chain is secure.

There are 1001 reasons to invest in developing security operations. But hiring in-house data security experts is often expensive, confusing, and time-consuming. However, employing a service with the tools to encrypt and secure data seamlessly is essential to defending yourself in an increasingly precarious digital world. 

One of the most often cited strategies for preventing data breaches is the implementation of proper security methods. To do this, all companies must find a comprehensive solution that boosts resilience from hacking. It’s also essential to implement a service that provides obfuscation. Nothing can be left up to chance. This is why professional developers rely on PreEmptive’s selection of tools. Our smart app protection includes continual source code testing and many other automated security practices to keep apps and websites from harm proactively.

Visit PreEmptive’s site to learn more about using our solutions to boost data security throughout the coming year. 



Support Corner: Use Make Synthetic in DashO

Application security is an ever-evolving arms race: bad actors constantly try to circumvent protections, while good actors constantly work to stop them. To be most effective, every app security strategy should employ defense-in-depth. PreEmptive provides several distinct layers of protection, such as Renaming, Control Flow, String Encryption, and Tamper Defense. Make Synthetic is another handy feature, but it should be used only in certain contexts.


Make Synthetic causes a class, method, or field to appear compiler-generated. Because of this, decompilers cannot correctly render code, and often choose to skip these sections altogether. This closes another avenue a hacker could use to spy on code.


As with other obfuscation transforms, Make Synthetic is fully configurable. It can be enabled or disabled independent of other protections. You also have the granular control to include or exclude packages, classes, methods, and fields:

If you’re creating a library or exposing an API, Make Synthetic should not be used because it may impact how external callers work. For this reason, it is disabled by default as part of PreEmptive’s “first do no harm” principle. If your app is fully self-contained, Make Synthetic can be explicitly enabled in the DashO project settings.


As decompilers evolve, we constantly observe how they respond to obfuscated code. When used effectively, DashO’s Make Synthetic feature provides another distinct layer of protection as part of an overall defense-in-depth strategy.


If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact us.


Top 10 Memorable Women in Tech


March is Women’s History Month, and it’s an opportunity to celebrate and recognize the many contributions made by women throughout history. Women have shaped the development of technology and other fields and led innovation. Celebrating these achievements honors the women who led the way and inspired future generations. We want to take a moment and recognize ten women who have made significant contributions to the world of technology.


1. Grace Hopper

Grace Hopper was a computer scientist and Navy rear admiral credited with developing the first compiler, which translates human-readable code into machine language. Hopper’s work laid the foundation for modern programming languages, and she is known for popularizing the term “debugging.”

2. Radia Perlman

Radia Perlman is a computer scientist who invented the spanning tree protocol (STP), which is used to prevent loops in network topologies. Her work on STP paved the way for modern computer networking, and she has been awarded numerous honors for her contributions to the field.


3. Reshma Saujani

Reshma Saujani is the founder of Girls Who Code. This nonprofit organization aims to close the gender gap in technology by inspiring and educating girls to pursue careers in tech. Saujani is also a former political candidate and author of the book “Brave, Not Perfect.”


4. Katherine Johnson

Katherine Johnson was a mathematician and NASA researcher whose work on orbital mechanics was crucial to the success of the early U.S. space program. Johnson’s story was popularized in the book and movie “Hidden Figures,” which tells the story of the African-American women who worked at NASA during the Space Race.


5. Tracy Chou

Tracy Chou is a software engineer and diversity advocate who has worked at companies like Pinterest and the U.S. Digital Service. Chou is known for her advocacy work around diversity in tech and for co-founding Project Include, an organization that promotes diversity and inclusion in the tech industry.

6. Sheryl Sandberg

Sheryl Sandberg is the former Chief Operating Officer (COO) of Facebook and the author of the smash-hit book “Lean In: Women, Work, and the Will to Lead.” Sandberg has been an advocate for women’s rights and empowerment in the workplace, and she has been named one of Time magazine’s 100 most influential people in the world.


7. Ada Lovelace

Ada Lovelace was a mathematician and writer who is often credited with writing the first computer program for Charles Babbage’s analytical engine. Lovelace’s work helped to pave the way for modern computing, and she is often referred to as the “first computer programmer.”


8. Radhika Nagpal

Radhika Nagpal is a computer scientist who is known for her work in robotics and artificial intelligence. Nagpal has developed several innovative robots, including a swarm of robots that can work together to perform complex tasks.

9. Fei-Fei Li

Fei-Fei Li is a computer scientist and artificial intelligence expert who is known for her work in computer vision. Li has developed several innovative technologies, including ImageNet, a large-scale visual recognition database that has been used to train artificial intelligence systems.


10. Megan Smith

Megan Smith is a former Vice President at Google and the former Chief Technology Officer (CTO) of the United States. Smith has been an advocate for diversity and inclusion in the tech industry, and she has worked to promote STEM education and entrepreneurship.



Celebrate the Achievements of Women in Tech During Women’s History Month

Women’s History Month is a time to celebrate the accomplishments and contributions of women in all areas of life, including technology. These are just a few examples of the many women in technology whose achievements deserve recognition. We at PreEmptive are excited to support future generations of women who continue to break barriers and make a difference in the world!


Categories
Risk Management

Certificate Pinning — Does It Help App Security?

Reading Time: 4 minutes

Cybersecurity for apps is a critical aspect of securing business activities. As applications are connected to the cloud and used over various networks, they are more prone to security vulnerabilities such as man-in-the-middle (MITM) attacks.

An Accenture report states that cyber attacks saw an increase in 2021, rising to 270 from 206 per company. While SSL/TLS certificates are meant to keep user data confidential in transit, an attacker who can intercept the communication between the app and the server may present a fake certificate.

Therefore, DevSecOps teams need to mitigate this risk with an extra layer of security, such as certificate pinning for their apps, so that an attacker cannot pass off a forged certificate and gain access to financial information, login credentials, etc.

But what is certificate pinning, how does it work, what are its caveats, and how can it be used in conjunction with code security? Find out below.

What Is Certificate Pinning?

Certificate pinning is an additional layer of security on top of an app's normal SSL/TLS certificate validation. It involves pinning the app to a specific expected certificate or public key (referred to below as the root certificate) rather than trusting any certificate that chains to the device's standard trust store.

The pinned value can be a specific public key, or a certificate signed and issued by a trustworthy Certificate Authority (CA), that establishes trust in the server's SSL certificate. This ensures the app will only accept the certificate it is specifically programmed to trust, making it much harder for an attacker to substitute a forged SSL/TLS certificate.

How Certificate Pinning Works

The root certificate comprises information such as name, location, digital signature, and public key from the trusted CA. When a browser establishes a connection with a website, it checks the SSL certificate information against the pinned root certificate.

If the details match, a secure and encrypted communication channel is established between the browser and the server. However, if the information doesn't match, the browser won't connect and will warn the user of a potential attack.

This ensures that even if an attacker intercepts the communication, they won't be able to substitute a fake SSL certificate, as the browser will reject it.

In Which Situations Is Certificate Pinning Advantageous?

SSL certificate pinning is helpful in many situations where app security can be compromised. 

To Prevent MITM Attacks

As pinning ensures the app accepts only a specific certificate, it protects against MITM attacks. An attacker cannot read or modify HTTPS traffic between the app and the server, even if they manage to intercept the connection, because their substituted certificate is rejected.

To Transfer Confidential Data

All apps, especially e-commerce, financial, and third-party API clients, transfer sensitive information that can be compromised in the event of a cyber attack. Pinning ensures the data is transmitted over a channel whose endpoint has been verified against the expected certificate.

To Secure Internal Networks

In organizations where there is an acute need for trusted internal networks, pinning adds an extra layer of security to SSL certificates. This ensures that only authorized internal certificates can secure the communication.

To Establish Trust for Non-Trusted Networks

Public hotspots are non-trusted networks. Pinning ensures the client (browser or app) accepts only the expected certificates, even if the network itself is compromised.

What Are the Limitations of Certificate Pinning, and How Can They Be Reduced?

When implementing certificate pinning for apps, there are certain caveats to consider and steps that can minimize potential drawbacks:

Update the Root Certificate

Pinned root certificates require regular updates. Otherwise, an expired or rotated certificate leads to lost traffic, broken links, or error messages. To ensure their validity, pins must be kept up-to-date, and there should be a mechanism in place to update them quickly in the event of a security breach or if a certificate is revoked.

Reduce Limitations

Pinning limits the flexibility of an SSL/TLS certificate, as only the pinned CA (or key) is accepted. To minimize this drawback, the pinning implementation must allow switching to a different root certificate if required, for example by shipping a backup pin alongside the current one.

Minimize False Positives

Sometimes pinning can result in a false positive where the browser rejects a legitimate SSL certificate to warn the user of a potential attack. To reduce false positives, certificate pinning must be tested and validated before implementation. Moreover, detailed error messages must be provided to users whenever false positives occur.

Implement Multiple Root Certificates

Not all browsers support certificate pinning. To reduce this limitation, a specific system must be in place to allow support for multiple root certificates. In addition, the mechanism must also enable browsers that do not support pinning to access websites.
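As an added example (not code from this article or from PreEmptive), here is how the behaviour described above, rejecting any connection whose certificate chain does not match a pin while keeping a backup pin so a key rotation or CA change does not strand clients, can be implemented for a .NET HttpClient. It pins the SHA-256 hash of a certificate's SubjectPublicKeyInfo rather than the whole certificate, so a renewal that keeps the same key needs no app update. The two pin strings are placeholders that must be replaced with hashes computed from the real server chain.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: SPKI pinning for HttpClient. Pin values are PLACEHOLDERS.
public static class PinnedHttpClientFactory
{
    // Base64 SHA-256 of the SubjectPublicKeyInfo of a certificate we expect somewhere in
    // the server's chain. Ship a current pin AND a backup pin (for the next key or CA) so
    // a rotation does not lock every installed client out.
    private static readonly HashSet<string> PinnedSpkiHashes = new HashSet<string>(StringComparer.Ordinal)
    {
        "PLACEHOLDER_CURRENT_PIN_BASE64=",
        "PLACEHOLDER_BACKUP_PIN_BASE64=",
    };

    // Hash of the DER-encoded SubjectPublicKeyInfo (.NET Core 3.0+ / .NET 5+ API).
    public static string ComputeSpkiSha256(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(spki));
        }
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = ValidateWithPins;
        return new HttpClient(handler);
    }

    private static bool ValidateWithPins(HttpRequestMessage request, X509Certificate2 cert,
                                         X509Chain chain, SslPolicyErrors errors)
    {
        // Pinning is an extra check on top of normal chain validation, never a replacement:
        // an untrusted, expired or name-mismatched chain is rejected before pins are consulted.
        if (errors != SslPolicyErrors.None || cert == null || chain == null)
            return false;

        // Accept if any element of the validated chain (leaf, intermediate or root) matches a pin.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (PinnedSpkiHashes.Contains(ComputeSpkiSha256(element.Certificate)))
                return true;
        }

        // No pin matched: refuse the connection. This is the "reject and warn" path from the text;
        // log it, because a burst of failures after a deployment usually means a stale pin set.
        return false;
    }
}
```

Compute the pin values for the current and the planned next certificate with ComputeSpkiSha256 during the build, and roll the new pin into a release before the server switches keys; that ordering is what keeps the "Update the Root Certificate" caveat from turning into an outage.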

How Can DevSecOps Implement Certificate Pinning With Code Security?

Certificate pinning is a critical security technique for DevSecOps teams to improve the security of their apps and provide quicker incident responses. It can be used in conjunction with a pre-emptive code security tool like DashO to prevent security vulnerabilities.

This enables developers to apply multiple forms of obfuscation, making it impossible for attackers to hack through layered security. Here's how pinning can prevent security vulnerabilities when combined with code security during the app development phase:

Minimize Attack Surface

By restricting the trust of SSL certificates to a set of trusted root certificates, developers can reduce the attack surface of applications, preventing MITM attacks. Besides, pinning with code security also enables apps to detect if someone tampers with the certificates and to terminate the connection if they are invalid.

Improved Incident Response

Integrated with a code analysis tool like JS Defender, pinning allows for quicker incident response. In the event of a security breach, it enables the DevSecOps teams to find the source of a problem in the code and fix it in record time.

Integration With CI/CD Pipelines

Certificate pinning can be integrated into CI/CD deployment pipelines. Implementing it in the app development process, especially during the testing phase, allows for quick validation of the code and the authenticity of the certificates. 

This ensures that the code is more secure and less vulnerable to security risks such as weak certificate validation and hard-coded certificates.

The Bottom Line

The ever-increasing popularity of mobile apps makes them a prime target for malicious attacks. According to a recent study, most Android apps are prone to cyber hacking, with 16% having no solution for this problem. 

Hackers can easily exploit weak code security to steal financial information and login credentials. But certificate pinning is a critical aspect of DevSecOps, adding an extra layer of verification to app security during the development process. It ensures the apps not only rely on the trust store of their device but also require additional verification.

Integrated with the PreEmptive Mobile App Protection Solution, pinning provides foolproof code security, making the apps more resilient to unauthorized debugging and reverse engineering. Register today for absolute app protection!


Categories
Support Corner

Support Corner: Protect .NET Apps That Use P/Invoke Methods

Reading Time: 2 minutes

Dotfuscator works with the full range of application types – Desktop, Mobile, Cloud, and Internet of Things (IoT). It does this by setting sensible defaults, then providing complete granular control over obfuscation settings. Additionally, Dotfuscator understands specific coding patterns and automatically applies obfuscation rules wherever possible. One such example is Platform Invoke (P/Invoke).

What Is P/Invoke?

P/Invoke is a way of calling unmanaged C or C++ functions from a .NET program. This is useful if we have existing APIs written in C/C++, and we're building new components in .NET. We can continue using the unmanaged codebase without rewriting while leveraging the power of the .NET ecosystem.

How Dotfuscator Handles P/Invoke

Dotfuscator has built-in rules to handle P/Invoke methods. If the original method name is used to find the corresponding native function, Dotfuscator preserves the method name so as not to break this mapping. On the other hand, if an alias, ordinal, or entry point is used, the P/Invoke method can safely be renamed without breaking runtime behavior.

Check Out This Example:

This .NET application has two calls to an unmanaged library via P/Invoke and the DllImport attribute. The first method name maps to the corresponding native function. The second method uses the EntryPoint parameter to locate the native function:

 

After obfuscation, Dotfuscator renames myMethod to “a” but skips renaming the print_line method:

 

This occurs without any configuration needed from the user. On a project-wide scale, this ensures Dotfuscator applies the maximum renaming possible, while not breaking runtime behavior.
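The following is an added example that reconstructs the scenario described above in code; it is not the downloadable sample itself. The method names print_line and myMethod come from the text, while the library name "nativelib", the calling convention and the choice to point myMethod's EntryPoint at the same native export are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not PreEmptive's sample. "nativelib" is an assumed library name.
internal static class NativeMethods
{
    // Case 1: no EntryPoint. The managed method name "print_line" IS the lookup key
    // the runtime uses to find the native export, so Dotfuscator must keep this name.
    [DllImport("nativelib", CallingConvention = CallingConvention.Cdecl)]
    internal static extern void print_line([MarshalAs(UnmanagedType.LPStr)] string text);

    // Case 2: EntryPoint given explicitly (assumed here to target the same export).
    // The runtime resolves the export by the EntryPoint string, not by the managed name,
    // so "myMethod" can safely be renamed (the text shows it becoming "a").
    [DllImport("nativelib", EntryPoint = "print_line", CallingConvention = CallingConvention.Cdecl)]
    internal static extern void myMethod([MarshalAs(UnmanagedType.LPStr)] string text);
}

internal static class Program
{
    private static void Main()
    {
        // Both calls reach the same native function; only the first depends on the
        // managed identifier surviving obfuscation.
        NativeMethods.print_line("resolved by managed method name");
        NativeMethods.myMethod("resolved by EntryPoint");
    }
}
```

When auditing an obfuscated build, the quick check is to open the output assembly in a decompiler and confirm that every extern without an EntryPoint still carries its original name while the ones with an EntryPoint (or an ordinal like "#12") have been renamed.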

Wrapping It Up

P/Invoke is one example of how Dotfuscator automatically applies obfuscation rules, saving time and effort during project configuration.

The above example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.



Categories
DashO Change Log

DashO Java Obfuscator Change Log V 12.0 Build 0 – Release Date February 8, 2023

Reading Time: < 1 minute

Enhancements

  • Support for processing Records introduced in Java 14 for preview and released in Java 16
  • Support for processing Sealed Classes and Sealed Interfaces introduced in Java 15 for preview and released in Java 17
  • Support for compiled bytecode of Java versions up to 18

Changes

  • Updated AdoptOpenJDK JRE shipped with DashO in the Linux, Mac and Windows installers to version 11.0.17+8 released on October 25th, 2022
  • Updated ASM Java bytecode manipulation framework used by DashO to version 9.4
  • Updated Apache Groovy library used by DashO to version 3.0.13
  • Updated Apache HttpClient used by DashO to version 4.5.14, and Apache HttpCore to version 4.4.16
Categories
Risk Management

7 Tips for Solid AppSec in 2023

Reading Time: 4 minutes

Around $318 billion annually is lost to cybercrime, making digital security paramount to maintaining a safe and responsible operation. The urgency around this issue continues to flare as losses from phone hacking, data breaches, and source code theft rise each year. Unfortunately, no area is left untouched, including mobile apps.

Mobile applications continue to prove themselves as valuable assets that drive traffic, revenue, and community engagement for many organizations. Therefore, introducing the best app security measures is essential to creating a safe environment for a company’s user base. 

While online security is complex, security experts, developers, and programming gurus continue to expand on methods to secure digital infrastructure. However, this isn’t only a job for data experts. Every level — whether C-Suite, mid-level management, or IT — needs awareness of best practices regarding application security. 

An excellent place to start the conversation around in-app safety is with what’s current. Below are seven top habits, practices, tips, and trends for building a solid wall of mobile app security heading into 2023. 

Investing in the right DevSecOps is vital for sustaining a business able to withstand cyber threats and limiting code vulnerability. For more information, visit PreEmptive’s page explaining how investing in their security tools delivers both peace of mind and monetary savings over the long run. 

What Is AppSec?

AppSec is short for “application security,” and there’s no one way to go about it. Instead, it’s a systemic approach consisting of many habits. 

To build this approach, those responsible for mobile app security must stay on top of the latest trends and be aware of the best tools to bolster their online defense. 

Regarding AppSec, staying ahead of the curve is the only way to ward off threats. Because, after all, hackers and cybercriminals are constantly developing new ways of their own to exploit outdated security methods. 

What Are AppSec Best Practices?

Many parties track and record the best ways to improve and optimize application security, including strengthening source code via the IDE, limiting an app’s attack surface, creating strong passwords, and more. 

Also, it’s vital that all employees, regardless of status, are educated and brought into conversations around app security, as a unified front is the only way to achieve desired results. 

Automating app security is always recommended. Especially for organizations that can't afford full-time security monitoring, investing in the right tools to do the job is often the best solution to this essential problem. PreEmptive offers a large variety of solutions to reduce mobile app vulnerability. Their offerings perform key tasks, including securing and hardening apps across many types of source code, including Java, Android, .NET, JavaScript, and iOS.

Two-Factor User Authentication

Most login methods require only a single-factor identification login, meaning a user only needs to provide one form of authentication to log in. While it’s necessary to have password-protected logins, going with a multi-factor authentication process is much safer. 

Users must produce multiple forms of authentication before logging in, especially for accounts holding personal and financial information. This is an easy and great way to increase security and keep users safe while using an app. 

Security Testing Throughout the Development Process

Major tech organizations, like Google, strongly advocate that developers run security tests not only at the end of a program's development but throughout the entire process.

Testing for weaknesses at multiple points dramatically reduces the likelihood of oversight regarding source code weakness. 

Consolidating Security Infrastructure

The more scattered a security team’s knowledge and asset bases are, the more likely threats can slip through. As a result, consolidation is a major trend, and every company should consider swapping their whole spectrum of vendors and IT solutions for one reliable method or partner. 

Unifying around one vendor also makes the security effort more efficient and easy to understand for a company’s security managers. 

AI-Powered Security Tools

Data breaches are very hard to detect right off the bat. However, advances in AI-powered security tools are increasingly valuable for identifying attacks right as they happen. In this model, programs have machine learning algorithms seamlessly attached to them. The algorithms examine and alert security managers, who can then address issues immediately. 

Continued Growth in AppSec Automation

Automated applications are a must in the modern age. Speed and immediacy are critical, and fully automatic security apps are preferred.

Additionally, automated apps continuously monitor more than just potential attacks. They highlight and fix code vulnerabilities to fend off possible threats down the line.

Government Regulation 

Laws surrounding data security began in the EU and are now spreading rapidly throughout the world. As a result, laws concerning data protection are multiplying, which places the onus on businesses to beef up security and comply. 

These regulations protect both users and companies, as data security breaches and code theft are enormously costly problems. 

Overall, regulations are predicted to continue to grow in number and scope, making it essential for organizations to know the rules. 

Increased Awareness of a Holistic Security Approach

Companies must think in terms of overarching strategy. Security across all digital and physical assets continues to merge, and analysts, developers, and executives are coming to understand that security isn’t something to compartmentalize. 

Just as a company mission needs to be a unified goal, a security approach needs to be instilled across departments, hierarchies, and geographical locations. 

Especially with increases in remote offices, the entire workforce must have a clear vision of what’s being done to secure digital assets. In addition, employees need clear communication on how every role is vital in creating a safe environment. 

Don’t Delay AppSec Implementation

Apps are among the most targeted locations of cybercrime. This makes fortifying mobile application security as crucial as routine checkups on physical assets. Therefore, companies and individuals must do all they can to incorporate the above tips into their protection strategy. 

PreEmptive’s mobile app security solutions protect from all angles: code hardening, obfuscation, security checkpoint strengthening, tamper-proofing, and more. 

Best of all, PreEmptive’s solutions seamlessly integrate into existing programs, requiring no alterations to source code. 

It’s wise to seize the day and practice vigilance by protecting essential assets before it’s too late. With the right safeguards, developers can rest easy, knowing their apps are defended. 


Categories
Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 6.5.2 – Release Date January 13, 2023

Reading Time: < 1 minute

Enhancements

  • Improved renaming of properties referenced in XAML files
  • Added a comprehensive error message when using invalid renaming schemes for Xamarin.Android projects
  • Added smart obfuscation rules for compiled XAML
Categories
DevSecOps

The State of Mobile Security in 2023

Reading Time: 4 minutes

The world of cybersecurity is still in its infancy. However, it's a new year, and reflection is a great way to prepare for future evolutions in online defense.

In 2022, many lessons were learned, threats were exposed, and successes were shared. From the continued issues attached to the COVID-19 pandemic to the new threats exposed by the Russian war on Ukraine to the instability in the world of cryptocurrency, throughout all of these occurrences, one thing remains clear: digital security is vital in the modern world. 

Throughout the past year, new methods were created to boost mobile app security and the source code that serves as its foundation. Now, the mobile app security industry faces the dawn of a new year and, with it, new challenges. 

One of the best ways to boost defenses and protect digital assets is to partner with a well-established security company that protects mobile applications across different scenarios and coding languages. PreEmptive provides modern solutions that help companies defend and form proactive approaches to securing their valuable applications. 

Lessons Learned in 2022

Preparing for the future requires a meticulous study of the past. Throughout 2022, specific trends revealed systemic weaknesses and areas requiring desperate improvement. In addition, these lessons serve as important reminders of what to look for heading into 2023. 

Ransomware Needs to Be Taken Seriously

Ransomware is rampant and shows no signs of stopping. Although data is not yet finalized for 2022, experts determined that in 2021, a ransomware attack occurred, on average, every 11 seconds.

A significant reason for this is that many businesses’ security methods – specifically when it comes to mobile app security – do not keep up with the evolving methods of hackers. 

Cybercriminals recognize weaknesses in faulty digital assets and can use them to infiltrate businesses. The rise of ransomware attacks also revealed mobile applications as a prime target. Overall, 70% of online fraud is perpetrated through mobile applications and platforms. 

Therefore, as cell phones become more ingrained in the lives of online users, it’s evident there’ll be continued increases in ransomware attacks. 

You Can’t Always Trust the Cloud

Cloud computing was once thought to be highly secure. However, in 2022, it was evident that cyber criminals have developed methods to infiltrate cloud technology that was once considered airtight. 

In 2022, a staggering 45% of all data breaches were cloud-based, each one costing around $4.3 million. Even major cloud services, like Dropbox, succumbed to cloud hackers in 2022. 

Overall, concerns grow around how criminals have evolved their strategies to manipulate user trust in Cloud data for nefarious gain. 

The Evolution of the Phish

Over the years, organizations have become adept at spotting and eliminating phishing scams via email. However, in 2022, phishing attacks rose by 61%, and it was evident that they began to take new forms.

Now, phishing attacks have become more complex, realistic, and harder to detect. Whether used to target users on significant platforms like Facebook or through the latest cryptocurrency scams, phishing schemes are showing clear signs of becoming more complex.

Proper Investment in Digital Infrastructure and Security Is Key

There’s no doubt about it: investing in digital security and application security is now a key part of operation budgets all around the globe. 

Investment in mobile applications, obfuscation, and data protection continues to rise, mainly because organizations find immense value in taking preventative measures before it’s too late.

Mobile Security Predictions for 2023

1. Heightened Attacks on Mobile Devices via Ransomware

As stated above, in 2022, ransomware attacks increased, and this trajectory is only likely to continue upward heading into 2023, as ransomware attacks are predicted to take $30 billion in the coming year.

Attackers increasingly recognize the opportunity and monetary advantage of ransomware attacks. This is why, in 2023, it’s likely that ransomware will become a more persistent avenue of attack. 

2. Higher Demands for Top-Notch Security Tools & Talent

There’s a clear and growing need for data protection tools and professionals. 2023 will likely bring a significant push for organizations — from the federal government to small businesses — to include more help fortifying data and application security. 

Additionally, with more laws regarding data protection and user security, the data security labor force is likely to grow as companies strive to comply. Likewise, security applications and services that offer excellent, modern digital security methods are predicted to continue receiving investment and growth in the coming year. 

3. Artificial Intelligence Integrates Further Into Security Strategy 

Many organizations already rely on the power of artificial intelligence to prevent cyberattacks. Given that AI has proven an effective measure thus far, in the year to come, it’s expected that more businesses will continue implementing artificial intelligence as a key part of their data strategy. 

Machine learning tech helps identify potential weaknesses in mobile applications and alerts officials to threats in real time. Lastly, many companies will gravitate toward AI-powered cybersecurity as it continues to prove useful and offer financial benefit in identifying and mitigating data breaches.

4. Increased Data Protection Regulations 

Data privacy regulations have increased over the past decade, and experts only see them becoming more rigorous in the future. They started in places like the European Union with the General Data Protection Regulation (GDPR). Then these regulations were popularized in the United States with the California Consumer Privacy Act (CCPA). Overall, these laws guarantee institutions more extensive data protection and control for mobile users.

In 2022, a bill titled the American Privacy and Data Protection Act drew bipartisan support. However, it was not passed by Congress before the end of the year and will have to be reintroduced for further consideration. There continue to be growing calls for governing bodies to enhance privacy laws, specifically regarding user applications and how businesses harvest and process data.

What Are the Best Tools for Mobile Security in 2023?

Hackers are always looking for weaknesses in application security, typically viewing source code as a common point of entry. Because of this, organizations must look for ways to continue to increase app hardening efforts, which use source code obfuscation to defend from cross-site scripting and reverse engineering attacks.

Therefore, an effective app hardening service will be crucial to building a modern defense for digital assets.

Choose the Best Help for Mobile Security in 2023

Heading into 2023, the potential impact of poor app security is severe. Whether organizations need it for Android, iPhone, or any other purpose, partnering with a service that performs app hardening and data obfuscation measures is paramount to avoid the latest risks that leave digital assets open to attackers. 

PreEmptive is a trusted leader in the fight to help organizations protect their valued assets against cybercrime. By providing a systemic and proactive approach to mobile security, PreEmptive’s comprehensive offerings can help any business arm itself with the right tools to help them thrive in the year ahead.


Categories
Support Corner

Support Corner: How to Leverage Custom Rules in Dotfuscator

Reading Time: 2 minutes

PreEmptive has evolved through the years to handle all different types of applications and scenarios. Reasonable defaults are designed to get any project up and running, and from there we have full control over protection settings. Custom rules are one way to create simple, robust, flexible configurations — even with very complex applications.

In previous Support Corner articles, we learned about coding techniques that require a Rename exclusion to run properly after obfuscation. Sometimes, excluding just one class, method, field, or property is sufficient. But for larger, more complex applications this is usually not the case. Custom rules can help organize these exclusions into patterns for a more flexible and robust configuration. Rules can be created to exclude all descendants of a parent class or those that implement a particular interface. Rules can be created for types or members decorated with a custom attribute, or those that have a certain access modifier. Regular expressions can also be used to make custom rules based on the naming convention.

Consider the following example.

In “Protecting .NET applications that use the MVVM pattern,“ we learned that MVVM uses reflection to load properties of model classes: 

Because of this, we had to exclude those properties from Rename obfuscation to avoid a runtime error:

Rather than checking individual checkboxes for each property, I can translate this into a custom rule. Each model class with an OnPropertyChanged method must implement INotifyPropertyChanged. Based on this, I will write a rule to exclude properties (.*) of any type (.*) that implements INotifyPropertyChanged:

By making this modification, we can change or expand use of the MVVM pattern without having to update obfuscation rules. I will also apply the other obfuscation transforms (String Encryption, Control Flow, Linking, and Tamper Defense) to secure that section of code.
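To make concrete why the rule above is needed, here is an added example (not the article's downloadable sample) of a model class in the shape the text describes, together with a reflection lookup that mimics what a binding engine does with a property path. If Rename obfuscation changed Title to a one-letter name, the string-based lookup would return null at runtime. The DocumentViewModel and BindingProbe names are invented for this illustration; the NeedsRenameExclusion predicate restates the custom rule's condition in code so a unit test can list which types the exclusion must cover.

```csharp
using System;
using System.ComponentModel;
using System.Reflection;

// Added example, not PreEmptive's sample. Names are invented for illustration.
public sealed class DocumentViewModel : INotifyPropertyChanged
{
    private string _title = string.Empty;

    public event PropertyChangedEventHandler PropertyChanged;

    // A binding such as {Binding Title} locates this property by its NAME at runtime,
    // which is why the property must survive Rename obfuscation.
    public string Title
    {
        get => _title;
        set
        {
            if (_title == value) return;
            _title = value;
            OnPropertyChanged(nameof(Title));
        }
    }

    private void OnPropertyChanged(string propertyName) =>
        PropertyChanged?.Invoke(this, new PropertyChangedEventArgs(propertyName));
}

public static class BindingProbe
{
    // Mimics the binding engine: resolve a public instance property by its string path.
    // Returns null when the name no longer exists, which is exactly what happens after an
    // unexcluded rename and what produced the runtime error mentioned in the text.
    public static object ReadBoundValue(object source, string propertyPath)
    {
        PropertyInfo prop = source.GetType().GetProperty(propertyPath,
            BindingFlags.Public | BindingFlags.Instance);
        return prop?.GetValue(source);
    }

    // The custom rule from the text, as a predicate: "properties (.*) of any type (.*)
    // that implements INotifyPropertyChanged". Handy in a test that enumerates the
    // assembly and confirms every such type is covered by the Rename exclusion.
    public static bool NeedsRenameExclusion(Type type) =>
        typeof(INotifyPropertyChanged).IsAssignableFrom(type)
        && type.GetProperties(BindingFlags.Public | BindingFlags.Instance).Length > 0;
}

internal static class Program
{
    private static void Main()
    {
        var vm = new DocumentViewModel { Title = "Quarterly report" };
        Console.WriteLine(BindingProbe.ReadBoundValue(vm, "Title"));
        Console.WriteLine(BindingProbe.NeedsRenameExclusion(vm.GetType()));
    }
}
```

Running the probe against the obfuscated assembly (loaded by reflection) rather than the source build is the cheapest regression test for the rule: any view model whose bound properties come back null has fallen outside the exclusion pattern.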

The full MVVM example modified to use Custom Rules can be downloaded here.

The original Support Corner article “Protecting .NET applications that use the MVVM pattern” is here.

If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please contact us.