I used to work in JavaScript a lot and one thing that really bothered my employers was that the source code was too easy to steal. Even with obfuscation, nothing really helped, because we all knew that any competent developer would be able to read that code if they wanted to.

JS scripts are one thing, but what about SOA projects that have millions invested in IP (Intellectual Property)? I love .NET, and especially C#, but I recently again had to answer the question "If we give this compiled program over to our clients, can their developers reverse engineer it?" I had gone out of my way to obfuscate the code, but I knew it wouldn't take that much for another determined C# developer to get at the code.

So I earnestly pose the question, is it impossible to secure .NET code?

The considerations I have are as follows:

  1. Even regular native executables can be reversed, but not every developer has the skill to be able to do this. It's a lot harder to disassemble a native executable than a .NET assembly.
  2. Obfuscation will only get you so far, but it does help a little.
  3. Why have I never seen any public acknowledgement by Microsoft that anything written in .NET is subject to relatively easy IP theft? Why have I never seen a scrap of countermeasure training on any Microsoft site? Why does VS come with a community obfuscator as an optional component? OK, maybe I have just had my head in the sand here, but it's not exactly high on most developers' priority list.
  4. Are there any plans to address my concerns in any future version of .NET?

I'm not knocking .NET, but I would like some realistic answers, thank you. Question marked as subjective and community!

+7  A: 

All code can be reverse engineered.

.NET lowers the bar for this (just try Reflector!), but obfuscation raises it back up again. A good obfuscator will raise the bar high enough to prevent all but a very dedicated, motivated person from reverse engineering your code.

That being said, I'd personally prefer to focus on quality. I run a small ISV, and we use .NET - obfuscation is important, but if you can deliver quality products, it really doesn't matter if somebody tries to reverse engineer your code.

Even, hypothetically, if they could reverse engineer everything, with a complex project, they'd be years behind in actually delivering something with a competitive advantage in the marketplace...

Reed Copsey
Agree on the Reflector, great tool for the right reasons! You mentioned you use a good obfuscator, would you mind including a link please?
JL
Dotfuscator is the one I've heard the most about... http://www.preemptive.com/products/dotfuscator/overview
tbischel
Dotfuscator's the most common, and a very good one. There are tons out there, though - any search for .NET Obfuscator will turn up a bunch...
Reed Copsey
+1  A: 

Any code can be reverse-engineered. Yes, it's easier in .NET or Java than in highly-optimized C++, but less so than in JavaScript or PHP. Obfuscation goes a long way towards reducing the vulnerability, but the reality is that a determined reverse engineer is going to find your secrets once the code is in his hands, no matter what you've done to hide it. All you're doing is, at best, making it more of a nuisance for him.

Good obfuscation tools will stop the casual programmer whose expertise begins and ends at Reflector from really getting a sense of how your code works. Beyond that, anything you do is largely hopeless.

I don't see this changing anytime in the near future, because the features of .NET that make it so easy to reverse-engineer are the same features that allow for the powerful reflection and dynamism in the framework.

Dan Story
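
The point in the last answer, that the metadata reflection depends on is the same metadata a decompiler reads, shown as an added example that is not part of the original thread. `LicenseChecker`, `secretSalt` and `MetadataDump` are hypothetical names constructed for illustration; the program inspects only its own assembly.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Constructed sample type standing in for proprietary code (hypothetical names).
public class LicenseChecker
{
    private readonly string secretSalt = "constructed-sample";

    public bool IsValid(string key)
    {
        return key != null && key.EndsWith(secretSalt);
    }
}

public static class MetadataDump
{
    public static void Main()
    {
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;

        // Everything listed here ships inside the compiled assembly itself.
        foreach (Type type in Assembly.GetExecutingAssembly().GetTypes())
        {
            Console.WriteLine("type   " + type.FullName);

            // Private members are just as visible in metadata as public ones.
            foreach (FieldInfo field in type.GetFields(all))
                Console.WriteLine("  field  " + field.FieldType.Name + " " + field.Name);

            foreach (MethodInfo method in type.GetMethods(all))
            {
                string parameters = string.Join(", ", method.GetParameters()
                    .Select(p => p.ParameterType.Name + " " + p.Name));
                // Methods without a body (abstract, extern) return null here.
                MethodBody body = method.GetMethodBody();
                int ilBytes = body == null ? 0 : body.GetILAsByteArray().Length;
                Console.WriteLine("  method " + method.ReturnType.Name + " " + method.Name +
                                  "(" + parameters + ")  IL bytes: " + ilBytes);
            }
        }
    }
}
```

A renaming obfuscator changes the identifiers printed here, but the type layout, signatures and IL bodies remain in the assembly because the runtime needs them to load and execute the code.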