Categories
Support Corner

Protecting VSTO Add-Ins

Reading Time: 2 minutes

Visual Studio Tools for Office (VSTO) have enabled .NET developers to extend the functionality of Office applications like Word, Outlook, and Excel since 2003.  VSTO Add-Ins are deployed directly to the end user’s machine and triggered when the Office application starts.  Because of this, VSTO Add-Ins can be easily decompiled and reverse engineered like other .NET applications. As many developers can attest, this is an easy access point for hackers to gain control of your applications.

Most application hardening techniques are quite cumbersome for VSTO Add-Ins.  After application hardening, the VSTO application manifest (.manifest) and deployment manifest (.vsto) must be manually created or updated using the Mage tool.  Signing of assembly and manifest files must be done separately as well. 

Protecting VSTO Add-Ins

Fortunately, protecting VSTO Add-Ins is made simple with PreEmptive’s Dotfuscator.  All we have to do is edit the project file (.csproj, .vbproj) to add tags that call Dotfuscator.

This will trigger Dotfuscator to run before packaging steps of our build, so protected binaries are automatically packaged for deployment.  This works whether we’ve created an installer or are using ClickOnce.  No additional steps are required and developers can implement it relatively easily.

Example of VSTO Add-In

A simple VSTO Add-In with Dotfuscator integration can be downloaded here.  A release build automatically generates obfuscated binaries, and double clicking the .vsto manifest installs the Word Add-In.

Although VSTO Add-Ins are being phased out in favor of the new Office Add-in, there are still several VSTO applications in production which could benefit from Dotfuscator’s simple integration. If you have questions on this or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department


Categories
101

PreEmptive 101

Reading Time: 3 minutes

In this blog we’ve established a 101 – of all things PreEmptive. Our goal is to help you comprehensively understand PreEmptive and our products in basic terms. This is a great piece of content to share with your team, decision makers or that pesky finance department that won’t give you extra budget for security tools.

For those of you who are in the industry and know what we offer, we appreciate the loyalty! If you are new to the industry and are not tech savvy, but want to know a little bit more about PreEmptive, check out our 5 W’s:

Who is PreEmptive?

PreEmptive is an Idera INC software company. We have been obfuscating and protecting applications since 1996, starting with DashO for Java then expanding over the last 20 years to our full range of solutions that you see today! Our core values are: to help organizations make their applications more resilient to hacking and tampering –  to protect intellectual property, to secure sensitive data, and enhance revenue. In other words, PreEmptive is the first line of defense for your code!

What is PreEmptive?

PreEmptive is a software security solution that helps you protect and secure your apps intelligently through a layered approach. Our multi-faeceted approach is applied to the binary code to provide: obfuscation, encryption, root detection, shielding and tamper detection with the end goal of making life difficult for hackers & bots. Let’s add some definitions, what is obfuscation? Obfuscation means making something unclear or obscure – it’s like a frosted window, it obscures your vision but does not prevent functionality. With code obfuscation the goal is to conceal the underlying code that enables the application to function, while ensuring effective functionality of the application 

How is this achieved? Our layered application hardening and shielding is directly infused into your .NET, Java, Android, JavaScript and iOS applications. Which means, we do not require changes to your end user’s computer/device or network to stay fully protected– the solution does the dirty work for you, securing the app against any vulnerabilities in your projects and jumbles up the code so that hackers can’t reverse engineer your proprietary information!

  • PreEmptive not only “scrambles” your source code, but also has the right mix of protection, response and security reporting features, allowing the user to better protect their projects and defending against the ever-evolving data, IP theft, fraud, brand damage and drastic revenue loss. 
  • PreEmptive offers 4 different types of protection: Dotfuscator, DashO, JSDefender, and PreEmptive Protection for iOS. Here’s the key differences:
    • Dotfuscator provides many layers of protection for .NET users with multiple forms of obfuscation (renaming, string encryption, watermarking, active runtime checks (tamper, debug, root, and more).
    • DashO is a security plugin for Android and Java users providing layers of protection by obfuscation (renaming, string encryption, resource encryption, and more).
    • JSDefender is for teams that use Javascript, securing their applications through in-app protection and code obfuscation. This tool helps teams to prevent code from being easily visible to anyone with access to a browser.
    • PreEmptive Protection (iOS) protects all Objective-C iOS applications, reducing the risk of piracy, intellectual property theft and tampering. (Don’t worry, if you’re feeling lost, we will dive into more in depth on each product in our upcoming blogs)

When should you use PreEmptive?

If you’re a start-up company that has blossomed overnight, a freelancer with multiple clients, or a large corporation who needs to enhance their security program, that’s when PreEmptive should come into play. With fair pricing based on your project needs, PreEmptive can be applicable for many organizations.. When writing any source code without protection, you are susceptible to damage and theft, which has long term financial implications. By using any of the PreEmptive products, your team will feel at ease instantaneously, knowing your code is secure even after deployment!

Where does this work?

PreEmptive is injected into your source code, but our operational playbook includes a bottom-up evaluation of security risks, vulnerability mitigation techniques, and post deployment protection to further reduce exposure.

Why should you use PreEmptive?

PreEmptive not only offers different packages based on your needs, but it has been the leading security system for over 17 years! We test, obscure and manage your vulnerabilities directly in your code, so if you feel worried about hackers or stressed about how secure your projects are, check out your options by visiting our main page!

For more information on how to get started or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has guided you to understand what it is we do. Be on the lookout for our upcoming 101’s! 

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime which makes the protected code of our customers much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links