Protecting .NET applications that use JSON objects

JSON is a widely used format for sharing objects and data within an application. To protect .NET applications that serialize and deserialize JSON objects, you should be aware of some special considerations.

Consider a basic Employee class:

When serialized to JSON, the object is stored as a string.

If written to the console at this point, the “json” string would look like:

{"FirstName":"Jane","LastName":"Doe","Email":"jd@example.com"}

Please note the original names of the properties printed in the Json string: FirstName, LastName, and Email.

In another part of the application, the object is deserialized into a .NET class.

The deserialization mechanism relies upon the original property names to pair its data, but Dotfuscator will rename those property names by default. To ensure that the deserialization works correctly, I need to tell Dotfuscator not to do that by excluding the FirstName, LastName, and Email properties on the Dotfuscator Rename tab.

Now, I can ensure the correct output:

Deserialized: Jane Doe jd@example.com

I’ve presented one scenario as it pertains to JSON serialization and deserialization. There are different ways to serialize and deserialize JSON objects, but the underlying concepts are the same with respect to obfuscation: if a property name is compared to a string representation of that property, a rename exclusion is likely required in Dotfuscator.

You may download the full example here.

If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please feel free to contact us at support@preemptive.com.