JSON is a widely used format for sharing objects and data within an application. To protect .NET applications that serialize and deserialize JSON objects, you should be aware of some special considerations.
Consider a basic Employee class:
When serialized to JSON, the object is stored as a string.
If written to the console at this point, the “JSON” string would look like this:
{"FirstName":"Jane","LastName":"Doe","Email":"jd@example.com"}
Please note the original names of the properties printed in the JSON string: FirstName, LastName, and Email.
The object is deserialized into a .NET class in another part of the application.
The deserialization mechanism relies upon the original property names to pair its data, but Dotfuscator will rename those property names by default. To ensure the deserialization works correctly, I need to tell Dotfuscator not to do that by excluding the FirstName, LastName, and Email properties on the Dotfuscator Rename tab.
Now, I can ensure the correct output:
Deserialized: Jane Doe jd@example.com
I’ve presented one scenario related to JSON serialization and deserialization. Although there are different ways to serialize and deserialize JSON objects, the underlying concepts are the same regarding obfuscation: if a property name is compared to a string representation of that property, a rename exclusion is likely required in Dotfuscator.
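The round trip described above, together with the failure a rename causes, as an added example that is not the article's downloadable sample. It assumes System.Text.Json as the serializer, and the `RenamedEmployee` class with properties `a`, `b`, `c` is a constructed stand-in for a renamed type, not actual Dotfuscator output.

```csharp
using System;
using System.Text.Json;

// Shape taken from the article: three string properties.
public class Employee
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string Email { get; set; }
}

// Constructed stand-in for Employee after property renaming.
// The names a, b, c are hypothetical, not actual Dotfuscator output.
public class RenamedEmployee
{
    public string a { get; set; }
    public string b { get; set; }
    public string c { get; set; }
}

public static class Program
{
    public static void Main()
    {
        var json = JsonSerializer.Serialize(new Employee
        {
            FirstName = "Jane", LastName = "Doe", Email = "jd@example.com"
        });
        Console.WriteLine(json);

        // Property names match the JSON keys: values are populated.
        var ok = JsonSerializer.Deserialize<Employee>(json);
        Console.WriteLine($"Deserialized: {ok.FirstName} {ok.LastName} {ok.Email}");

        // Property names no longer match: no exception, every property stays null.
        var broken = JsonSerializer.Deserialize<RenamedEmployee>(json);
        bool silentLoss = broken.a == null && broken.b == null && broken.c == null;
        Console.WriteLine($"Renamed type lost all fields: {silentLoss}");

        // Smoke test to run against the obfuscated build: fail loudly on empty fields.
        if (string.IsNullOrEmpty(ok.FirstName) || string.IsNullOrEmpty(ok.Email))
            throw new InvalidOperationException("JSON round trip lost data");
    }
}
```

Because the mismatch raises no exception, a check like the final one is what surfaces a missing rename exclusion before release.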
You may download the full example here.
If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact us at support@preemptive.com.