How to secure an API written in .Net

Question

This is a variation on an existing question in SO about securing/obfuscating .Net applications in general.

I'm developing an API in C# that includes some algorithms I'm keen to protect. I understand no method will be perfect, but what's the generally accepted method for doing this?

I'd like my clients to be able to code against the API but I don't want them to reverse engineer what's inside (at least I don't want to make it easy for them).

If I obfuscate the code, won't that also obfuscate the API?

We're looking at smartAssembly any thoughts comments on the product would be appreciated.

Answer 1

A good code obfuscator will take a lis tof exceptions to not obfuscate and IN GENERAL have a switch to ONLY obfuscate implementation details and not touch the public API (classes, properties etc.). So, if you coded right (facade public, all implementation details non-public) it should do a good job.

Answer 2

This may not be an option for you, but consider protecting the algorithms by never handing them out. Can you provide the processing through a webservice, .asmx or WCF?

AFAIK, there is no absolutely perfect way to protect your code but obfuscation and encryption can make it more difficult than it's worth to reverse-engineer.

Answer 3

Obfuscate it. Obfuscation tools don't obfuscate the public API as that would break external code that depends on it.

Answer 4

You mentioned smartAssembly. There is also Dotnetreactor, Dotfuscator and an open source obfuscator: sharpobfuscator.