views: 697
answers: 6

I am wondering if there is any efficient way to hide our Silverlight code. I know there are some obfuscators available, but it looks like people can hack those too. Does anybody have any success on this front?

+2  A: 

No. The client browser must be able to read the code, therefore it is hackable.

WolfmanDragon
+3  A: 

You really can't hide anything that gets transmitted to the client. If people want to figure it out, they will.

You need to put any proprietary code in your back-end where client machines can't get at it.

17 of 26
+4  A: 

Pragma No-Cache on the page hosting the Silverlight application will prevent the browser from caching the XAP; instead it will read it by streaming from the web server. That will make it harder for peeps to get the XAP. Obfuscation will make it harder still.

Also make sure the app is hosted over HTTPS, and have authentication take place outside the main application. This way the XAP stream is encoded on the way down.

Brian Leahy
But the attacker will get the XAP using Firebug, caching and HTTPS enabled or not. He won't even see your efforts, will he?
Maupertuis
+1  A: 

Hi,

Here is a short article on how to obfuscate a XAP file:

http://www.rudigrobler.net/Blog/obfuscating-silverlight

rudigrobler
A: 

You cannot hide (at least not non-trivially) XAP files. But you can obfuscate them. Obfuscation is not a definitive answer, but it's a start and can give pretty good protection.

logicnp
A: 

You could complicate the potential hacker's job by downloading obfuscated fragments of your app during execution, using MEF for instance. Needless to say, it's only interesting if your application is big enough that this trick speeds up startup time rather than hindering the user's experience.

It won't prevent a valorous hacker from getting your code (in the end no method can prevent this, as the Silverlight plugin must be able to execute it), but the trick will complicate his task greatly.

Preventing the browser from caching the XAP is useless, like using HTTPS, as it's far easier for the attacker to use something as complicated as Firebug to get the XAP than looking for it in the browser cache or using a man-in-the-middle attack.

I imagine that if you had a lot of motivation, you could:

  • obfuscate every assembly
  • use dynamically loaded XAPs
  • encrypt the dynamically loaded XAP server-side and decrypt it client-side using a dynamically generated key sent by a web service (not in the same request, and don't reuse the key)

It won't prevent the attacker from getting your code, but he will have to analyse your initial (obfuscated) XAP to understand the decryption code, get the key, get the encrypted (obfuscated too) dynamically loaded XAP, decrypt it, then manage to deobfuscate it, then understand how it plugs itself into the application. It's not the same as using HTTPS, because here the encryption and decryption process is done in the application, so that tools like Firebug or Fiddler become useless.

Hem. Nothing can prevent anyone from reading your code. BUT you can make it not worth his time. You don't have to use all the ideas here, and I am sure that you can find others, but make sure that implementing such measures is worth your time too.

Either way, it was rather funny to write this :p

Maupertuis
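The encrypted-dynamic-XAP scheme sketched in the answer above, as an added Python model that is not code from this thread or from any Silverlight project: a hypothetical `KeyService` issues a fresh key in one request and serves the encrypted XAP in a separate request that consumes the key, so a key is never reused; the client splits off the nonce and decrypts before handing the bytes to the assembly loader. HMAC-SHA256 in counter mode stands in for the real cipher (a Silverlight client would use `AesManaged`), and the XAP contents are constructed. The model also shows the two properties the answer relies on: the bytes on the wire do not contain the plaintext, and a second download with the same session key is refused.

```python
import hashlib
import hmac
import io
import os
import secrets
import zipfile


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (PRF in counter mode).

    Constructed stand-in for AES-CTR: the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class KeyService:
    """Hypothetical server-side web service.

    Request 1 (issue_key) hands out a random per-session key; request 2
    (serve_encrypted_xap) consumes it, so the key is used for exactly one
    download and is never sent in the same response as the ciphertext.
    """

    def __init__(self, plaintext_xap: bytes):
        self._xap = plaintext_xap
        self._pending = {}  # session_id -> key waiting for its single use

    def issue_key(self, session_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._pending[session_id] = key
        return key

    def serve_encrypted_xap(self, session_id: str) -> bytes:
        key = self._pending.pop(session_id, None)  # single use: gone afterwards
        if key is None:
            raise PermissionError("no unused key for this session")
        nonce = os.urandom(16)
        return nonce + keystream_xor(key, nonce, self._xap)


def client_decrypt(key: bytes, blob: bytes) -> bytes:
    """Client side: strip the nonce and recover the XAP bytes for loading."""
    nonce, ciphertext = blob[:16], blob[16:]
    return keystream_xor(key, nonce, ciphertext)


def build_sample_xap() -> bytes:
    """Constructed stand-in for a dynamically loaded XAP (a zip archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AppManifest.xaml",
                   '<Deployment><Deployment.Parts><AssemblyPart Source="Plugin.dll"/>'
                   "</Deployment.Parts></Deployment>")
        z.writestr("Plugin.dll", b"MZ" + b"PROPRIETARY-PLUGIN-CODE" * 8)
    return buf.getvalue()


def round_trip(session_id: str = "sess-1") -> dict:
    """Run the two-request exchange and report what each side can observe."""
    original = build_sample_xap()
    server = KeyService(original)
    key = server.issue_key(session_id)             # request 1: the key
    wire = server.serve_encrypted_xap(session_id)  # request 2: the ciphertext
    xap = client_decrypt(key, wire)
    with zipfile.ZipFile(io.BytesIO(xap)) as z:
        names = z.namelist()                       # what AssemblyPart would load
    try:
        server.serve_encrypted_xap(session_id)     # same key again: refused
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    return {
        "names": names,
        "decrypted_matches": xap == original,
        "plaintext_has_marker": b"PROPRIETARY" in original,
        "wire_leaks_plaintext": b"PROPRIETARY" in wire,
        "reuse_rejected": reuse_rejected,
    }


if __name__ == "__main__":
    print(round_trip())
```

As the answer itself says, the client still holds both the decryption routine and the key, so this only raises the effort needed; the model makes that explicit in `client_decrypt`, which is exactly what an obfuscated Silverlight assembly would have to contain.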