Encrypting String Constants with Dotfuscator

May 25, 2018 4512 Views Brent Prox

Welcome to the Support Corner, where we’ll occasionally talk about topics that we’re seeing while working with our customers. If you’d like to see more like this, please click the Support Corner Category.

In addition to Renaming and Control Flow, String Encryption is an obfuscation transform that can help protect your application. When customers enable String Encryption in Dotfuscator, they are often surprised to see that string constant definitions are still visible in decompiled code. Customers often contact us asking how to encrypt those string constants.

However, those string constants don’t need to be encrypted; they need to be removed entirely. Dotfuscator’s String Encryption feature takes the strings that have been inlined by the .NET compiler and encrypts them. That leaves the constant definitions behind, unused – and they can be removed.

Note: Dotfuscator Professional Edition is required in order to use String Encryption and Removal.

This leads us to Dotfuscator's Removal feature. If you are using String Encryption, you should also use Removal to remove those string constants. (This is another great example of how layered protection is far more valuable than any individual protection, alone.)

1. Within Dotfuscator, enable Removal by setting Settings > Global Options > Disable Removal to “No”
2. Select the “Remove only literals (const definitions)” option for Removal Kind in Removal > Options
3. Build your app with Dotfuscator
4. Decompile the assembly and verify the string constant definitions have been removed

Note: if you have Library Mode enabled, the public and protected constant definitions will not be removed. Turning on Library Mode for an assembly causes Dotfuscator to treat all visible types and members as entry points, automatically. Entry Points are excluded from Removal.

Please note: this is a basic overview of how to remove string constant definitions from your protected application. In applications with more complexity, there may be additional configurations necessary, such as removal exclusions. For more details, please see the documentation on Dotfuscator’s Removal Editor.

If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please feel free to contact us at support@preemptive.com.

Latest Blog Posts

Going the Distance — Remote Work and Effective Cybersecurity in the Age of Coronavirus

It’s official. COVID-19, more commonly known as the Coronavirus, has been declared a global pandemic by the World Health Organization (WHO) with hundreds of thousands of cases worldwide. In the United States, restrictions are ramping up as case numbers soar — New York governor Andrew Cuomo has ordered all nonessential workers to stay home, and my own state’s governor Mike DeWine has issued a statewide shelter-in-place order.

Along with disruptions to daily life, the expanding impact of COVID-19 has forced businesses to rapidly pivot and adopt remote-work models — even if they have no experience with mobile connections and on-demand collaboration. The result is a surge in remote everything, from team chats to primary school education to project management and even healthcare delivery. See my previous blog on our customer commitment during the age of Coronavirus.

And while efforts to bridge the digital divide are having a positive impact for both workplace productivity and the mental health of those in isolation, there’s a potential pitfall: Cybersecurity. As noted by CNBC, there’s already been a significant uptick in scam and phishing emails — but what happens if malicious actors breach critical apps and services?

At PreEmptive, we’re closely following the evolving Coronavirus (COVID-19) public health emergency, and our thoughts are with those affected and their families during this difficult time.

We are taking precautionary steps to continue normal operations without affecting our customers. At the same time, ensuring the health and safety of our customers, partners, and employees is our highest priority.

We have provided application protection software to the world's top organizations for more than 20 years. Although, this case is somewhat unique, it is not the first time we have been confronted with economic disruptions and uncertainties. Prior critical lessons have helped shape us into the company we are today: a robust organization with layers of contingency plans in place, a strong balance sheet, and an experienced team that values long-term relationships with our customers and partners above all else.

Evolving Hazards, Emerging Hope and the Expanding Human Element

The theme at the RSA conference this year is the “Human Element” — the critical role of individuals in the efficacy of organizational security measures. Along with sessions about the hazards of IT complexity and the hope of ethical AI, the expanding impact of COVID-19 concerns offered a real-world example of human elements at work, highlighting how IT staff can both help — and hamper — the effectiveness of infosec efforts.

Here’s a look back on some of my biggest takeaways from RSA 2020.

Unlike Y2K, 2020 was not preceded by waves of doomsday predictions, hype and frenetic IT overhauls. Developers are still under pressure to produce more, in less time, and at a lower cost, enterprises are as committed to their love/hate relationship with software as ever, and app users still expect perfection.

…but don’t let the usual crush of work and expectations lull you into a sense that it’s just the same old sprint to the next development project. Recent enforcement precedents, regulatory milestones and standards updates strongly suggest that 2020 app development and app security requirements will be anything but “business as usual.”

PreEmptive is dedicated to protecting your apps, wherever and however they are built. Our recent release of the Dotfuscator 6.0 beta adds cross-platform support, allowing you to protect your application on other platforms besides Windows. This allows for intuitive integration into Xamarin.iOS projects on macOS.

In this blog post, we'll go through the steps required to bring this functionality to your existing Azure DevOps Pipelines and AppCenter builds.

Encrypting String Constants with Dotfuscator

Going the Distance — Remote Work and Effective Cybersecurity in the Age of Coronavirus

Our Commitment to Customers During the COVID-19 Outbreak

RSA 2020 San Francisco Recap

Evolving Hazards, Emerging Hope and the Expanding Human Element

App Security: It’s a New Year! What’s New About It?

Building on a Mac with Dotfuscator 6 in Azure DevOps

Latest Blog Posts

Going the Distance — Remote Work and Effective Cybersecurity in the Age of Coronavirus

Our Commitment to Customers During the COVID-19 Outbreak

RSA 2020 San Francisco Recap

App Security: It’s a New Year! What’s New About It?

Building on a Mac with Dotfuscator 6 in Azure DevOps

Twitter