views:

80

answers:

2

I have a situation where the client would like to have some minimal security for their source code. It is a web app and the host will be someone they will be partnering with. The worry is that it would be easy for the host to reverse engineer the code and setup shop on the side. I told them while it was not a real solution, obfuscating the code would make it more difficult.

My first problem: I can’t obfuscate strongly named assemblies. I believe I can skip obfuscating those assemblies while maintaining a link to non-obfuscated assemblies, but I’m not able to easily test that because of my second problem.

My second problem: I can’t obfuscate a web (code-behind) assembly because the link from the markup to their classes is broken as well as the methods that the markup page calls.

A: 

You can obfuscate strongly named assemblies just fine, as long as you have the keys you can resign them after obfuscation. With the free Community Edition of Dotfuscator you will need to manually resign the outputs, with the Professional edition it can automatically resign them with a strong name and/or Authenticode signatures as part of the obfuscation process.

You can also obfuscate code behind assemblies but you will need to ensure that you exclude any types referenced in the markup from renaming. Again, this is possible to do in both the Community Edition and the Professional edition by setting renaming exclusion rules (either literal matching or Regular Expression based) or by selecting individual types and members to be excluded from renaming. All of that is accessed in the Renaming section of the Dotfuscator user interface.

If you have an active support subscription and encounter any specific issues when obfuscating you can contact support directly from the PreEmptive web page or PreEmptive also hosts public forums where you can post specific questions.

Joe Kuemerle
A: 

You can use binding of events to control in code instead of in aspx file. Like in c# btnSave.Click += Save_Click and have `private void Save_Click(...).

you can also divide public/protected method code into small private methods which you can call from actual public/protected method and choose to obfuscate only private methods which will not break link from markup(i think it is library mode of obfuscation in Dotfuscator.)

This will allow you to achieve higher rate of obfuscation.

Morbia