Building in the Cloud with Dotfuscator Community Edition

February 23, 2017 1668 Views Bill Leach

Most of our previous blogging about Dotfuscator Community Edition (CE) assumes you are doing local builds, or have a dedicated build server—but what if you want to use Dotfuscator CE within a distributed build system such as Visual Studio Team Services (VSTS) or Team Foundation Server (TFS) on-premises? Until now, you've had to do extra work to install and provision Dotfuscator CE on each build agent host in your pool. Now, we're pleased to announce a VSTS build extension for Dotfuscator CE, available in the VSTS Marketplace. It does the extra work for you, making it easy to get Dotfuscator CE into your distributed build.

Let's walk through an example, using a sample project. The overall process is:

Stage a local build of the project and verify that Dotfuscator CE is configured correctly.
Push it to a VSTS hosted project.
Automate the build using the new Dotfuscator CE build extension.

Setup the Local Sample Project

Download the "hello world" sample application and unzip it to a directory on your file system. The zip file contains two versions of the sample: one tailored for Visual Studio 2015 and up, and one tailored for Visual Studio 2017. For this exercise, choose the "Visual Studio 2015" version of the sample (even if you are using Visual Studio 2017 locally), since that is what we will be using on the build agent hosts. You can review the included Readme.txt file to learn more about the sample application.
Open the DotfuscatorCommunityEditionSample.sln file in Visual Studio and build the release configuration. The solution should build with no errors or warnings.

Setup your Local Environment

Get and verify that you have Dotfuscator CE. You should see it on Visual Studio's Tools menu. If it is not there, you can always find the latest version on the Dotfuscator Downloads Page.
The "hello world" sample ships with a ready-made Dotfuscator configuration file that exercises many of Dotfuscator CE's capabilities, such as renaming and tamper detection. To test that you have the environment setup correctly, run the Dotfuscator CE GUI from the Tools menu and open the sample's configuration file (dotfuscator_config.xml).
Build the project in the Dotfuscator UI and verify that it builds without errors, and that the output assembly is located in the "Dotfuscated" directory.
If your copy of Dotfuscator CE is unregistered, now is a good time to register it, because you will need your serial number in a later step.

Push to VSTS

Once you have a successful local build, the next step is to push the project to the remote repository. We will use VSTS, but the same procedure will also work if you are using on-premises TFS 2015 (Update 3 and above).

Create a local git repository for the project, along with an associated team project in VSTS. This tutorial will help you if you are not already familiar with the process.
Before syncing your local repository with the remote:
- Delete the local Dotfuscated directory (if it exists from previous builds), and any files in it. We do not want to store the obfuscated outputs in the git repository.
- Exclude that directory from future commits by adding the following to the .gitignore file:
```
Dotfuscated/
```
Commit the above changes, and sync the local repository to the remote. At this point you should be able to see the sample code in the VSTS portal, like this:

Create a Build and Add the Dotfuscator CE Extension

Create a build definition, using the Visual Studio template. This tutorial will help you if you are not already familiar with the process. When complete you should see something like this in the VSTS portal:
If you queue the build as-is, it will succeed, but the output assembly won't be protected. Let's fix that by Getting the Dotfuscator CE extension from the Marketplace. Click the install button to add it to your VSTS account.
Once installed, add the Dotfuscator CE Provisioner Task to your build by editing the build definition, and adding the task from the Utility category.
The Provisioner task must run before Dotfuscator CE runs, so after adding the task to your build definition, move it above the "Visual Studio Build" task.
Configure the Provisioner task:
- In the Dotfuscator Community Serial Number field, enter the serial number you received when you registered your local version of Dotfuscator CE. For reference, it is located on Dotfuscator CE's "About" box.
- Select the Dotfuscator Version you wish to use, by selecting the associated Visual Studio version from the dropdown. As of this writing, the build agents in the hosted pool do not yet have Visual Studio 2017, but that is expected to change very soon. The Dotfuscator CE extension will support Visual Studio 2017 when that happens; but for now, choose Visual Studio 2015.
- The last field, User Specified Environment Variable is not required in this case. If you have a custom build agent host with Dotfuscator CE installed in a non-default location, you can use this field to provide the name of an environment variable on the build host that contains the path to the Dotfuscator CE command line executable. Since we will be using build agents in the hosted pool, which already have Dotfuscator CE in the default locations, setting this is unnecessary.
- Save your changes to the task configuration.
Next, add a Dotfuscator Community Edition Task to your build definition. It is available in the Build category.
Move it below the "Visual Studio Build" task, so it runs after code compilation.
Configure the Dotfuscator CE task:
- In the Relative Path to Configuration File field, enter the name of the Dotfuscator configuration file (you can also browse for it in the project tree).
- In the Additional Command Line Arguments field, you can also pass command line arguments to Dotfuscator CE. For this example, none are necessary, so we will leave it blank.
- Save your changes to the task configuration.
Now, if you queue a build, it should pass. You should see output from Dotfuscator CE in the logs from the "Run Dotfuscator" step.
We aren't finished yet, because we still need to capture the obfuscated output assembly and the renaming map file as build artifacts. Do this by modifying the Copy Files task to include everything in the Dotfuscated directory.
Now if you do a build, not only should it pass, but the obfuscated outputs will be included with the other build artifacts.

Other Scenarios

We've covered a basic end-to-end scenario, using a simple Visual Studio solution, building with VSTS. There are additional ways to use the Dotfuscator CE build extension, and it supports many other scenarios:

As mentioned, it is supported with on-premises TFS versions 2015 Update 3 and higher. The configuration steps are the same.
You can use it with custom build agent hosts, so long as Dotfuscator CE itself is installed on them.
If you want to run Dotfuscator CE directly inside of a solution build (e.g. as an Exec task in a project's AfterBuild target), you can. To do so, you only need the Provision step before the solution build task in your build definition. The Provision task sets a build variable called DotfuscatorCEDir that you can reference in your MSBuild scripts. For example:
```
<Target Name="AfterBuild" Condition="'$(Configuration)' == 'Release'">
  <Exec Command="&quot;$(DotfuscatorCEDir)\dotfuscatorCLI.exe&quot; ..\dotfuscator_config.xml" />
</Target>
```

Conclusion

You now have an idea of what's possible with Dotfuscator CE in the cloud. You can use the VSTS build extension to easily protect your application from reverse engineering, tampering, and unauthorized debugging.

Dotfuscator Community Edition is free for experimental and non-commercial use. For commercial use, Dotfuscator Professional Edition offers advanced obfuscation and code protection capabilities, and also can be run in distributed build environments. You can try Dotfuscator Professional Edition for free, with support, by signing up for an evaluation.

Keeping Secrets: The Evolving Expectation of App Defense

Applications drive corporate success. As noted by Business 2 Community, the average American smartphone owner uses more than 10 apps per day and spends over three hours per day connected to the Internet via their mobile device. The problem? Rapidly-expanding app markets combined with easy-to-find hacker kits make the current environment a cybercriminal’s paradise — according to recent Ponemon data, the average cost of a data breach is around $3.62 million and the size of breaches is trending up. It gets worse: According to Gartner, 99 percent of app vulnerabilities exploited won’t rely on new, sophisticated attack vectors, but existing vulnerabilities that infosec pros have seen in the wild for at least a year.

The Six Degrees of Application Risk

Cyber-attacks, evolving privacy and intellectual property legislation, and ever-increasing regulatory obligations are now simply “the new normal” – and the implications for development organizations are unavoidable; application risk management principles must be incorporated into every phase of the development lifecycle.

Organizations want to work smart – not be naïve – or paranoid. Application risk management is about getting this balance right. How much security is enough? Are you even protecting the right things?

PreEmptive Thoughts from Build 2017

Like so many of us returning from Build 2017, we at PreEmptive are feeling both energized and highly motivated. Energized because of the truly impressive innovation coming out of both Microsoft and our larger ecosystem – and motivated because we can all see the expanding concern around application risk management and data security in this rapidly evolving world – and of course, that is where PreEmptive Solutions comes in.

Automating Xamarin Protection with Dotfuscator

This week, all eyes of the software community will be fixed on Microsoft's Build conference. Microsoft and its partners are set to announce new technologies and lay out their vision for the future of software development. Recent years have seen the narrative take a decidedly cross-platform approach. Visual Studio Code gives developers tools to create what they want no matter their OS of choice. .NET Core extends the reach of the popular .NET Framework to Mac and Linux. Finally, Xamarin, which was acquired by Microsoft in 2016, lets app developers write their app once, then publish it for Android, iOS, and Windows devices.

As a Visual Studio 2017 Premier Launch Partner, PreEmptive Solutions is pleased to announce, as part of Microsoft Build 2017, a new way to integrate Dotfuscator's protection into Xamarin apps.

Like magicians, hackers do not reveal their tricks – but we will

According to NIST’s National Vulnerability Database, six vulnerability categories have grown from 68% to over 84% of the total number of reported vulnerabilities in just the past four years.

Building in the Cloud with Dotfuscator Community Edition

Setup the Local Sample Project

Setup your Local Environment

Push to VSTS

Create a Build and Add the Dotfuscator CE Extension

Other Scenarios

Conclusion

Keeping Secrets: The Evolving Expectation of App Defense

The Six Degrees of Application Risk

PreEmptive Thoughts from Build 2017

Automating Xamarin Protection with Dotfuscator

Like magicians, hackers do not reveal their tricks – but we will

Latest Blog Posts

Keeping Secrets: The Evolving Expectation of App Defense

The Six Degrees of Application Risk

PreEmptive Thoughts from Build 2017

Automating Xamarin Protection with Dotfuscator

Like magicians, hackers do not reveal their tricks – but we will

Latest News

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

DashO 8.0 for Java and Android Ships with Advanced Real-time Application and Data Controls

Dotfuscator® Community Edition Expanded to Include Advanced Application and Data Protection Controls

SD Times: Coders are from Mars, courts are from Venus

PreEmptive Solutions Updates and Expands Community Edition of Dotfuscator inside Visual Studio

Twitter