I've been commissioned to perform a review of an application.

  • Company A buys software from Company B.
  • The software crashes often and is not performant.
  • Company A hires me to review the software and to inform them if the software is sound.
  • Company B forbids me from viewing (or having access to) their source code, citing that they own the intellectual property.

Since this application runs in .NET, would using Reflector to reverse engineer the software be wrong? Any findings I make will be made public to both Company A and B.

+3  A: 

You can use Reflector to view the code. But not to recreate or reverse engineer it.

So with that knowledge in hand, viewing the public API should be enough to write some unit tests to prove how broken the software is.

With failing unit tests in hand, you can approach the maker of the software and require they fix the bugs or ask for a refund.

Failing that, make some noise on the internet :)

leppie
A: 

Is using Reflector wrong in this case?

It depends on what you mean by "wrong". Ethically I think you're on perfectly solid ground: company A has asked you to perform a job, and you intend to do it in such a way that preserves company B's desire not to reveal the source code. As long as you don't try to reverse engineer or otherwise recreate a copy of B's software, there are no ethical quandaries here.

As to whether it's illegal or if you're opening yourself up to a lawsuit, only an attorney can answer that. Still, if B thinks you've cost them business (for example by disclosing a result unfavorable to them), expect to hear some ruckus.

John Feminella
+1  A: 

What does the license say? Some licenses forbid the disassembly or reverse engineering of the code. If the license forbids this then it would be wrong, in a legal sense, to do so. I think I would take the tack of trying to get approved source access, perhaps under some sort of non-disclosure that would not prevent you from letting Company A know your evaluation.

tvanfosson
I'm not even sure they have a license or EULA - Company B is really not that advanced.
rein
A: 

The EULA should clearly state if reverse engineering the application or its bytecode in any way is permitted or not. Without explicit consent from the copyright holder this would fall on the dark side of gray.

My Alter Ego
+1  A: 

These are issues of contract and IP law. Company A needs to indemnify you--you are working for them, so you need them to tell you how to proceed. They will consult a lawyer if they're smart.

In any case, don't do anything further unless you have WRITTEN instructions from Company A.

Further issues: What is your legal relationship to Company A? If you're a contractor, then you're in a different legal situation than if you're a regular employee. Odds are that Company A would be a much more interesting (wealthy) target for a future lawsuit than you, but do you want to be a named defendant? Remember that the situation is already unfriendly since Company A is so displeased with the product of Company B that they've already taken the time and money to hire you....

Larry

P.S. This is not legal advice.

Larry K
I think this is the right way to go. I need to cover my own ass before I do anything.
rein
+9  A: 

Consult a lawyer! Legal advice taken from strange people on a website does not constitute any form of defence when you're up on a computer misuse charge.

You might be lucky and SA doesn't have computer reverse-engineering, copyright and intellectual property laws... but I'd guess on the safe side that they do. :)

I'd get company A to sort it out for you, it's their software. All you can do in the meantime is black-box test it to prove the flaws (i.e. demonstrate crashing). If you do reverse-engineer it, make sure you don't tell anyone nor use that information you glean as anything other than a means to help you do the black-box testing (i.e. as if you never knew, and just stumbled across the secrets).

gbjbaanb
+2  A: 

I'm surprised no one has mentioned obfuscation. Sounds like a silly question, but have you checked if you can view it in Reflector? It might be obfuscated.

joshcomley
Uh... it's not obfuscated. :)
rein
Good! Worth checking though!
joshcomley
Obfuscation doesn't stop much.
Simucal