It seems to me obfuscation is an idea that falls somewhere in the "security by obscurity" or "false sense of protection" camp. To protect intellectual property, there's copyright; to prevent security issues from being found, there's fixing those issues. In short, I regard it as a technical solution to a social problem. Those almost never work.

However, I seem to be the only one in our dev team to feel that way, so I'm either wrong, or just need convincing arguments. Our product uses .NET, and one dev suggested .NET Reactor (which, incidentally, was suggested in this SO thread as well).

.NET Reactor completely stops any decompiling by mixing any pure .NET assembly (written in C#, VB.NET, Delphi.NET, J#, MSIL...) with native machine code.

So, basically, you throw all advantages of bytecode away in one go?

Are there good engineering benefits to obfuscation?

+2  A: 

If you stick to pure managed code obfuscation, you can shave quite a bit off an assembly's size, and obfuscated class/function names (collapsed to single letters) mean a smaller memory footprint. This is almost always negligible, but does have an impact (and is used) on some mobile/embedded devices (though mostly in Java).

skolima
+1  A: 

One potential engineering benefit is that in some cases obfuscation can create smaller executables or other artifacts -- e.g. obfuscating JavaScript results in smaller files (because all of the variables are named "a" and "b" instead of "descriptiveNameOne" and all the whitespace is stripped, etc). This results in faster load times for the web pages that use obfuscated JavaScript. Obviously this doesn't apply (as much) in the .NET world, but it's an example of a situation in which there is a direct engineering benefit.

John
+3  A: 

If a big team of programmers really want to get at your source code and they had the time, money and effort, then they would be successful.

Obfuscation, therefore, should stop people who don't have the time, money or effort to get your source, passers-by you might call them.

GateKiller
A: 

While not related to .NET, I would consider obfuscation in JavaScript, and possibly other interpreted languages. JavaScript benefits well from obfuscation because it reduces the bandwidth needed, and the tokens the parser has to read.

But obfuscating compiled bytecode doesn't really seem that useful to me. I mean what would you try and achieve? I can only see obfuscation being slightly useful in license checking code to avoid it being circumvented too easily.

Staale
A: 

The main reason to use obfuscation is to protect intellectual property as you have indicated. It is generally much more cost effective to a business to purchase an obfuscation product like .NET Reactor than it is to try and legally enforce your copyrights.

Obfuscation can also provide other more incidental benefits such as performance improvements and assembly size reduction. These would be the engineering benefits you are looking for.

John Hunter
A: 

@skolima, John, Staale: That's true, and I do apply that kind of code minimization (using YUI Compressor) when deploying JS code, as any kilobyte can make a difference there.

However, for this project, our own assemblies' sizes are negligible compared to that of third-party dependencies, so the difference wouldn't be noticed.

Sören Kuklau
+5  A: 

You asked for engineering reasons, so this is not strictly speaking an answer to the question. But I think it's a valid clarification.

As you say, obfuscation is intended to address a social problem. And social (or business) problems, unlike technical ones, rarely have a complete solution. There are only degrees of success in addressing or minimising the problem.

In this case, obfuscation will raise the barriers to someone decompiling and stealing your code. It will discourage casual attacks and, through inertia, may make your intellectual property less likely to be stolen. To make a tiresome analogy, an immobiliser doesn't prevent your car being stolen, but it will make it less likely.

Of course there is a cost, in maintainability, (possibly) in performance and most importantly in making it harder for users to accurately submit bug reports.

As GateKiller said, obfuscation won't prevent a determined team from decompiling, but (and it depends what your product is) how determined a team is likely to be attacking you?

So, this is not a technical solution to a social problem, it's a technical decision which adds one influence to a complex social structure.

Leigh Caldwell
A: 

Use encryption to protect information on the way.

Use obfuscation to protect information while your program still has it.

Jorge Córdoba
+1  A: 

Hi Soeren,

I posted a question which might help you as it discusses some of the issues: should-i-be-worried-about-obfuscating-my-net-code

John Sibly
link is now broken.
Dave
Thanks-now fixed
John Sibly
A: 

@John Sibly: thanks for the link. The accepted answer over there matches my feelings, so I'm at least not alone. :)

Sören Kuklau