Reconciling GooglePlay's security recommendations with Xamarin deployment

February 25, 2016 6610 Views Sebastian Holst

An app control that both Microsoft and Google can get behind? What about Xamarin?

First - Congratulations Xamarin (and Microsoft) - as someone who has used Xamarin personally and worked with the people professionally, I see this as a win-win-win (for Xamarin, Microsoft, and, last but not least, developers!).

To the topic at hand... One might argue that the phrase "GooglePlay security recommendations" is a contradiction in terms or even oxymoronic - but I take a different view. If (EVEN) Google recommends a security practice to protect your apps - then it must REALLY be a basic requirement - one that should not be ignored.

I'm talking about basic obfuscation to prevent reverse engineering and tampering.

Here's an excerpt from Android's developer documentation

"To ensure the security of your application, particularly for a paid application that uses licensing and/or custom constraints and protections, it's very important to obfuscate your application code." ...and they go on to write "The use of ProGuard or a similar program to obfuscate your code is strongly recommended for all applications that use Google Play Licensing." (I did NOT add the emphasis)

For those unfamiliar with ProGuard - it's a free/open source obfuscator - quite a good one really for the money ;) - but seriously - it's kind of an analog to Dotfuscator Community Edition included with Visual Studio (also for free). The point being that both Google and Microsoft have long recognized that basic controls to prevent reverse engineering need to be ubiquitously available to every developer (no one is suggesting all apps be obfuscated).

...but what about Xamarin apps targeting Android or iOS? ...not so much. ProGuard cannot obfuscate Xamarin apps - nor can any of the other native Java/Android obfuscators (including PreEmptive's own DashO). ...But (good news) Dotfuscator Professional can. ...But (bad news) it's not free. Still, if you're serious about this topic, you'd probably want something other than the "free version" on either platform. Here's a link to a PreEmptive blog post on how to protect your Xamarin apps with Dotfuscator (both iOS and Android): Xamarin Applications and Dotfuscator.

Question: Given the Microsoft Xamarin acquisition, should we (PreEmptive/Microsoft) consider extending Dotfuscator CE (the free one) to provide comparable protection to Android and iOS apps generated by Xamarin as we do for .NET apps today (and since 2003)?

Let me know your thoughts - I really do want to hear from Xamarin developers (and the app owners that employ them :).

Free Trial

Request Quote

Request Demo

Protecting .NET applications that use the MVVM pattern

Model–View–ViewModel (MVVM) is a common pattern used in WPF, Xamarin, and other types of .NET applications. There are different ways to apply the MVVM pattern, but they all share a few underlying concepts. I’d like to discuss these concepts, and how to successfully configure protection with Dotfuscator for MVVM-based apps.

Credentials are a problem for your app. Why? Because they’re a critical access gateway: If attackers get their hands on working usernames and passwords they can cause havoc — everything from stealing user accounts to compromising high-level application functions.

It’s big business; Sensor Tech Forum notes that 85 malicious apps on Google Play were stealing login credentials, while Verizon’s 2018 Data Breach Investigation Report found that 81 percent of hacking incidents used weak or stolen passwords.

And while part of the problem rests with users choosing username and password combinations that are easy to remember and easy for attackers to guess, applications have their own issue: Hard coding. From smart city software to stock trading applications, the use of hard-coded credentials saves time upfront but significantly impacts security.

Don’t become an easy mark for hackers: Here are six ways to boost credential control and reduce total risk.

In 2017 and again in 2018, PreEmptive Solutions surveyed over 15,000 professional developers asking about their organization’s current and projected use of a broad cross-section of development languages and frameworks.

Evaluating each annual survey result on its own and again together as a whole offers insights into current practices, assumptions about future trends as well as the actual trends that played out during the time between the two survey collection points.

The white paper, The Future of Language and Framework Survey shows a professional development community striving to reduce the number of languages and frameworks they rely upon while simultaneously increasing their commitment and investments in the technologies they retain. As this maturation occurs, overall clarity and confidence in their architecture and mission improves.

Prevention, detection, and response

Today, Microsoft announced Azure DevOps – Loosely, it is TFS and VSTS, with its services broken out into distinct components that can be used together or separately. The Azure DevOps services are Azure Boards, Azure Repos, Azure Pipelines, Azure Test Plans and Azure Artifacts. When Azure DevOps was VSTS and TFS, we supported integration with PreEmptive’s Dotfuscator. Today, none of that changes. As Azure DevOps evolves, we will continue to improve our integration, so that you can easily add multi-layered protection to your valuable apps.

In Mindset shift to a DevSecOps culture, Buck Hodges, Director of Engineering for Visual Studio Team Services, stressed the importance of both preventing breaches and “assuming breaches. ”In essence, prevention only gets you part of the way there. “Assuming a breach” allows for effective incident detection, response and recovery process planning.

The .NET Conference is right around the corner. Make sure to mark your calendar because this virtual three-day developer event is not one you will want to miss. Included will be a wide variety of live sessions for beginners to advanced developers to attend.

Learn to build and the latest techniques for:

Reconciling GooglePlay's security recommendations with Xamarin deployment

Protecting .NET applications that use the MVVM pattern

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Multi-Year Developer Survey Reveals Evolving Practices and Foreshadows Further Change

Automating and Scaling App Protection with Azure Devops

Prevention, detection, and response

Catch the .NET Conf: Latest Updates and Tips

Latest Blog Posts

Protecting .NET applications that use the MVVM pattern

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Multi-Year Developer Survey Reveals Evolving Practices and Foreshadows Further Change

Automating and Scaling App Protection with Azure Devops

Catch the .NET Conf: Latest Updates and Tips

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

Reconciling GooglePlay's security recommendations with Xamarin deployment

Prevention, detection, and response

Latest Blog Posts

Latest News

Twitter