Reconciling GooglePlay's security recommendations with Xamarin deployment

February 25, 2016 7646 Views Sebastian Holst

An app control that both Microsoft and Google can get behind? What about Xamarin?

First - Congratulations Xamarin (and Microsoft) - as someone who has used Xamarin personally and worked with the people professionally, I see this as a win-win-win (for Xamarin, Microsoft, and, last but not least, developers!).

To the topic at hand... One might argue that the phrase "GooglePlay security recommendations" is a contradiction in terms or even oxymoronic - but I take a different view. If (EVEN) Google recommends a security practice to protect your apps - then it must REALLY be a basic requirement - one that should not be ignored.

I'm talking about basic obfuscation to prevent reverse engineering and tampering.

Here's an excerpt from Android's developer documentation

"To ensure the security of your application, particularly for a paid application that uses licensing and/or custom constraints and protections, it's very important to obfuscate your application code." ...and they go on to write "The use of ProGuard or a similar program to obfuscate your code is strongly recommended for all applications that use Google Play Licensing." (I did NOT add the emphasis)

For those unfamiliar with ProGuard - it's a free/open source obfuscator - quite a good one really for the money ;) - but seriously - it's kind of an analog to Dotfuscator Community Edition included with Visual Studio (also for free). The point being that both Google and Microsoft have long recognized that basic controls to prevent reverse engineering need to be ubiquitously available to every developer (no one is suggesting all apps be obfuscated).

...but what about Xamarin apps targeting Android or iOS? ...not so much. ProGuard cannot obfuscate Xamarin apps - nor can any of the other native Java/Android obfuscators (including PreEmptive's own DashO). ...But (good news) Dotfuscator Professional can. ...But (bad news) it's not free. Still, if you're serious about this topic, you'd probably want something other than the "free version" on either platform. Here's a link to a PreEmptive blog post on how to protect your Xamarin apps with Dotfuscator (both iOS and Android): Xamarin Applications and Dotfuscator.

Question: Given the Microsoft Xamarin acquisition, should we (PreEmptive/Microsoft) consider extending Dotfuscator CE (the free one) to provide comparable protection to Android and iOS apps generated by Xamarin as we do for .NET apps today (and since 2003)?

Let me know your thoughts - I really do want to hear from Xamarin developers (and the app owners that employ them :).

Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

Organizations can’t afford to leave apps unprotected. Attackers are growing more sophisticated, leveraging targeted malware campaigns and advanced evasion tactics to compromise applications and cause long-term damage. And according to Forbes, even antivirus tools designed to protect devices and software can increase overall risk: recent research found that more than 28 million Android phones were subject to security vulnerabilities thanks to insecure virus protection apps.

As a result, many companies looking to boost application protection and security without breaking their budget or introducing unexpected risk are considering in-house builds of better defenses using a combination of IT talent and publicly available tools.

The challenge? Homegrown solutions introduce the potential for DIY disasters. Let’s dig in and discover why they can’t measure up.

Currently charging up the hype cycle slope? The rush to become a “technology-forward” organization.

But delivering on digital transformation potential demands more than buzzwords — along with C-suite support, end-user buy in and robust data defense, companies must develop “protection-forward” strategies to secure the IT front line: Applications.

Tech-Forward Trends

What is a technology-forward organization? One that prioritizes digital transformation — the ongoing shift away from cumbersome physical processes and outdated IT solutions to always-connected, digitally-enabled services that empower user access and data analytics to drive long-term ROI.

When properly implemented, tech-forward strategies pay big dividends: As noted by Forbes, businesses like Target and Best Buy — both at risk of going under just a few years ago — have substantially improved both performance and revenue by leaning into digital solutions. According to Tech Republic, 66 percent of business leaders now plan to implement digital transformation strategies and expect them to drive 17 percent ROI over the next year.

Earlier this month, I had come across Scott Hanselman’s excellent blog post, What's better than ILDasm? ILSpy and dnSpy are tools to Decompile .NET Code where he had shared his insights on the strengths and limitations of a laundry list of reverse engineering and debugging tools. In the comments that followed, someone had asked for an obfuscation recommendation for those times when a developer wants to protect their code against reverse-engineering (a reasonable question to be sure).

Unfortunately, comments had been disabled by that point, and so I had sent an email to Scott that mapped Dotfuscator’s anti reverse-engineering/tamper/debugging capabilities to the collection of developer tools that he had covered.

Before I start, I would like to thank PreEmptive for inviting me to write a guest post.

I would like to start my blog with a discussion about the growing cyber threats all over the world. I assume readers are well aware of cyber threats and how they are addressed by people, process, and technology. The continuous planning and advancement of security in the cyber world including but not limited to applications is an interesting read. Here, in my blog, I would like to discuss how companies can support mobile application security for better and safer use of stored data.

On June 11, NIST released Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework. While a solid piece of work in its own right, this document is noteworthy because it stands as one more proof point - in an already long list of proof points, that development processes, the developers themselves, and the organizations they belong to, ALL share some degree of responsibility (liability) for:

Reconciling GooglePlay's security recommendations with Xamarin deployment

Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

Deliver on Digital Transformation Potential with App Protection-Forward Strategies

Tech-Forward Trends

Reverse-Engineering Tools Are Awesome; Except When You Don’t Want Them To Be

Is your Mobile App GDPR Compliant? Learn how to secure your App

Latest NIST publication reinforces Developer Obligations (and liability)

Latest Blog Posts

Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

Deliver on Digital Transformation Potential with App Protection-Forward Strategies

Reverse-Engineering Tools Are Awesome; Except When You Don’t Want Them To Be

Is your Mobile App GDPR Compliant? Learn how to secure your App

Latest NIST publication reinforces Developer Obligations (and liability)

Twitter