ClickOnce is a popular way to deploy and keep applications up to date without a lot of hassle. These applications are downloaded to the end user’s machine after being published to the server, which means they can easily be decompiled and reverse engineered like other .NET applications.
Protecting an application that is deployed via ClickOnce is usually very complicated. After protection, the application and deployment manifests must be manually updated using the Mage tool. Signing of manifests and assembly files must be done manually, as well.
With Dotfuscator, we’ve worked to make this process much simpler.
Consider this Example
In 4x versions, Dotfuscator accepted the ClickOnce .application as direct input. It would re-generate the obfuscated assemblies along with the updated .application package. The updated deployment manifest and protected binaries would then be copied to the ClickOnce deployment server to be downloaded by the end-user.
Starting with version 6, we’ve made this process even easier. We just have to integrate Dotfuscator into our application’s project file (.csproj, .vbproj).
Doing so triggers Dotfuscator to run before packaging steps of our Release build. Protected binaries are then automatically packaged for deployment. No additional steps required.
We’ve worked with customers that deploy through ClickOnce, and also create an installer for offline installs. This process allows us to do both without any additional steps.
A simple ClickOnce project with Dotfuscator integration can be downloaded here. A release publish of this project generates obfuscated binaries. Double-clicking the .application manifest simulates a download and install of the ClickOnce application on the client’s machine.
If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.
In this blog we will dive into Dotfuscator as part of our 101 series – we walk you through what Dofuscator for .NET does and how this can help protect your projects.
For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:
What is Dotfuscator for .NET?
Dotfuscator – by definition is a multi-functional tool that combines obfuscation, optimization while shrinking your source code, on .NET, Xamarin and Windows Platform Apps. Basically this jumbles, encrypts your code, hardening it to prevent theft.
How does Dotfuscator work?
PreEmptive Dotfuscator for .Net provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.
First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the variables and methods making it difficult to read or scan over to gain access to the certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing one variable one by one. To say this least – this is what makes the “bread” harden at surface level.
Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically it destroys the code patterns that decompilers use to recreate source code resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato to this (String Encryption), hides all the strings that are present in the user’s assembly. To better explain, the typical hacker will locate string references inside the binary. Usually if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable part of the source code.
Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from a MSIL file all while processing. Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming.
Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity during runtime and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese!
Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into the .NET apps. This allows your app to detect any unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning, they can react too, for example – exiting the app when tampering is found.
For those who like a little extra to the sandwich, (Shelf Life) is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic to your code! Now this is what we call the ultimate sandwich!
When should you use Dotfuscator?
Whether you’re a start-up company, freelancer or an organization developing projects using .NET software, you should be using this in the development process – preferably in the beginning stages even after launches. Data breaches are no longer part of the “new normal” they are part of everyday scenarios. If you don’t protect your code from the beginning…you will likely become another data breach statistic.
Where does Dotfuscator work?
Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.
Why should you use PreEmptive Dotfuscator?
PreEmptive Dotfuscator has paved the way in In-App security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises including many Fortune 500 companies of different industries from medical to government agencies. But if you still need a little more convincing, check out our client list here!
For more information on how to get started, download our free trial or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!