tags:

views:

231

answers:

2
+1  Q: 

How can I protect/obfuscate/etc an ASP.NET MVC app's source code when deployed?

I have had good experiences recently developing with ASP.NET MVC and am considering whether or not to use it for a project coming up at work. One important consideration though: they sell source code licenses separately as a rule, and it's the kind of application we can't realistically tie to our own hosting without cutting off a large chunk of the potential market.

Is it possible to distribute an ASP.NET MVC application without source code? Or is there a fairly effective (obviously won't be foolproof but it's at least not a "steal me" welcome mat) and safe tool or method for obfuscating MVC applications? I tried a couple obfuscators that supposedly work with ASP.NET but they broke the application because of MVC's reliance on specific file/directory names.

+4  A: 

1) Don't bother. How likely is it really that someone will try to steal your code?

2) If you really must, I believe Crypto Obfuscator can obfuscate ASP.NET MVC.

Iain Galloway  2010-01-27 22:51:39
Yes, I find the assembly watermarking a particularly good feature. If somebody does find out a way to get it (an inevitability, to be sure), then this feature allows you to trace them if they subsequently redistribute it.
Dan Atkinson  2010-01-27 23:07:40
The issue isn't so much "stealing" source code. The application in question is the kind which will be licensed relatively cheap with the assumption that most clients will want it customised in some way and a lot of the costs of development can be recouped there.
FerretallicA  2010-01-28 00:32:37
@FerretallicA: Absolutely. I'm aware of the business model, but you didn't answer my question. How likely is it *really*? If I was your client, I'd pay you to customise your application (or for the source code) rather than mess around with decompiling/recompiling - particularly when that would be against my licence terms *anyway*. Your implication is that simply compiling your app and licensing it on the condition that the user doesn't modify it isn't enough. Is your target market really a market that would be prepared to violate their licence terms so blithely?
Iain Galloway  2010-01-28 09:49:57
I did answer your question as far as relevant. I'm not getting into a discussion about the relevance of securing code as it's missing the point entirely and in any event is going to be an almost entirely subjective discussion.
FerretallicA  2010-02-07 23:01:41
Fair enough. Did you try Crypto Obfuscator yet?
Iain Galloway  2010-02-08 09:02:40
A: 

Answer as posted by chobo in comments:

When you mean source code do you mean just like the controllers and models code? Or are you talking about everything including views? Since if your just worried about your cs code then you can just publish your application. That will make a .dll for all your controllers and model code. So they won't be able to look into the .dll and see the code that makes it work. View though won't be put in the .dll but anyone can just go to your site and get the html code by looking at view source.

It looks like you can't really do the same to Views but the controllers, model logic etc can all be distributed solely as a DLL and obfuscated with pretty much any .Net compatible obfuscator.

FerretallicA  2010-02-23 00:08:36
This is wrong - .NET dlls are compiled to their JIT bytecodes, which is trivial to disassemble and view through reflector. If you're really worried about clients stealing/modifying your source code, it needs to be obfuscated, as Iain mentioned.
Tanzelax  2010-02-23 00:14:07
1) If you really want, you *can* put views into a dll. See e.g. http://stackoverflow.com/questions/236972/using-virtualpathprovider-to-load-asp-net-mvc-views-from-dlls 2) Since ASP.NET MVC relies on method names at runtime to perform routing, in my experience most .NET obfuscators can cause problems.
Iain Galloway  2010-02-23 08:46:41

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps