Reconciling GooglePlay's security recommendations with Xamarin deployment

February 25, 2016 7403 Views Sebastian Holst

An app control that both Microsoft and Google can get behind? What about Xamarin?

First - Congratulations Xamarin (and Microsoft) - as someone who has used Xamarin personally and worked with the people professionally, I see this as a win-win-win (for Xamarin, Microsoft, and, last but not least, developers!).

To the topic at hand... One might argue that the phrase "GooglePlay security recommendations" is a contradiction in terms or even oxymoronic - but I take a different view. If (EVEN) Google recommends a security practice to protect your apps - then it must REALLY be a basic requirement - one that should not be ignored.

I'm talking about basic obfuscation to prevent reverse engineering and tampering.

Here's an excerpt from Android's developer documentation

"To ensure the security of your application, particularly for a paid application that uses licensing and/or custom constraints and protections, it's very important to obfuscate your application code." ...and they go on to write "The use of ProGuard or a similar program to obfuscate your code is strongly recommended for all applications that use Google Play Licensing." (I did NOT add the emphasis)

For those unfamiliar with ProGuard - it's a free/open source obfuscator - quite a good one really for the money ;) - but seriously - it's kind of an analog to Dotfuscator Community Edition included with Visual Studio (also for free). The point being that both Google and Microsoft have long recognized that basic controls to prevent reverse engineering need to be ubiquitously available to every developer (no one is suggesting all apps be obfuscated).

...but what about Xamarin apps targeting Android or iOS? ...not so much. ProGuard cannot obfuscate Xamarin apps - nor can any of the other native Java/Android obfuscators (including PreEmptive's own DashO). ...But (good news) Dotfuscator Professional can. ...But (bad news) it's not free. Still, if you're serious about this topic, you'd probably want something other than the "free version" on either platform. Here's a link to a PreEmptive blog post on how to protect your Xamarin apps with Dotfuscator (both iOS and Android): Xamarin Applications and Dotfuscator.

Question: Given the Microsoft Xamarin acquisition, should we (PreEmptive/Microsoft) consider extending Dotfuscator CE (the free one) to provide comparable protection to Android and iOS apps generated by Xamarin as we do for .NET apps today (and since 2003)?

Let me know your thoughts - I really do want to hear from Xamarin developers (and the app owners that employ them :).

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

PreEmptive had the opportunity to send a couple of representatives to Google IO this year. IO 2019 didn't tell us what dessert starts with a Q, but it did showcase some great tools and frameworks as well as provide insight into the direction of Android:

For the third year in a row, Microsoft’s Build conference set up shop in the Washington State Convention Center, giving technology professionals a glimpse into what lies ahead for the Redmond giant.

Previous years highlighted key advancements such as Microsoft 365, the Azure Cosmos DB and Xamarin — in 2019, the company went all-in with announcements for a new Visual Studio, .NET evolution and the emergence of true Linux on Windows OS.

Here’s a look at the best of Build 2019.

Last month we blogged about R8 and Google's build architecture changes and hinted at things to come in PreEmptive Protection - DashO, our powerful Java obfuscation and application protection tool that integrates tightly with Android. Today, we're excited to announce a public beta of our next major release: DashO 10 (Beta 2).

This new version of DashO works together with R8 to protect Android apps and libraries.

Whether you're using Azure Pipelines, TeamCity, Jenkins, or your local dev machine, Dotfuscator Professional is easier to integrate than ever before.

Last August, we released an easier, better way to integrate Dotfuscator into your build process. We quickly followed that with new instructions for Xamarin integration - making Dotfuscator the easiest-to-integrate (and still most-effective!) Xamarin protection product, by far.

Today, we're releasing a suite of features and components that make it much easier to provision Dotfuscator into your continuous integration environment, making it easy to use in your automated build, too.

Google recently introduced R8, a new tool designed to replace ProGuard as the default shrinker in the Android build process. R8 is meant to produce as-good-or-better outputs than ProGuard, and to do so faster than ProGuard does, thereby reducing overall build times. It will be enabled by default in the next release of Android Gradle Plugin (v3.4).

This change removes a long-standing component (ProGuard) and replaces it with entirely-new code that does essentially the same thing. Why would Google do such an expensive, risky thing?

Reconciling GooglePlay's security recommendations with Xamarin deployment

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

Microsoft Build 2019: Visual Studio Expands, .NET Evolves and Windows Gets a Kernel

DashO 10 Beta 2: Android Support, Rebuilt From the Ground Up

It's Never Been Easier to Automate Your Builds With Dotfuscator Professional

R8: A Step in Google's Android Build Performance Roadmap

Latest Blog Posts

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

Microsoft Build 2019: Visual Studio Expands, .NET Evolves and Windows Gets a Kernel

DashO 10 Beta 2: Android Support, Rebuilt From the Ground Up

It's Never Been Easier to Automate Your Builds With Dotfuscator Professional

R8: A Step in Google's Android Build Performance Roadmap

Twitter