I see in the preparing for application release notes:

https://docs.microsoft.com/en-us/xamarin/android/deploy-test/release-prep/index?tabs=windows#protect-the-application

https://docs.microsoft.com/en-us/xamarin/android/deploy-test/release-prep/index?tabs=windows#protect_app

It suggests that for an Android application it might be wise to use this product:

https://www.preemptive.com/products/dotfuscator/compare-editions

My question is: as the application was originally C# that is, I assume, converted to Java for Android phones, is there any reason to use products like this to obfuscate? Do people deploying Forms apps to Android normally use these products?

3 Answers

0
G.hakim On

Obfuscation is the practice of making something difficult to understand. Programming code is often obfuscated to protect intellectual property and prevent an attacker from reverse engineering a proprietary software program.

Personally, I do not believe in code obfuscation, as it only delays reverse engineering and does not stop it; a person who knows his stuff would easily be able to reverse engineer the code.

Usually, Android developers prefer using ProGuard (won't help you!) for code obfuscation, but there are other tools as well, as you have mentioned above.

What I would personally suggest is that you set up ProGuard in your project if it's Android native (Kotlin or Java), and that should both obfuscate the code and reduce APK size. In Xamarin Android, though, you might want to turn on AOT and configure Dotfuscator (good documentation).

In case you also want to reduce your app size, you can check my blog:

https://heartbeat.fritz.ai/reducing-the-app-size-in-xamarin-deep-dive-7ddc9cb12688?source=your_stories_page---------------------------.

0
Ivan Ičin On

Obfuscation won't have any effect on the end user, so it is far from necessary. However, it may have an effect on your app being reverse engineered and pirated.

It is hard to evaluate what the proper level of protection is for any individual product; you may find that it is better to spend that time and/or money elsewhere.

Unlike what G.hakim suggested, ProGuard won't help you in obfuscating Xamarin projects; it works only for Java projects. That also means that your statement isn't right: Xamarin.Android is not converted to Java, as is a popular belief.

You may try to use ahead-of-time (AOT) compilation as a means to prevent decompiling instead of obfuscation, but it requires Visual Studio Enterprise edition.

You may read more on standard and AOT compilation here: https://xamarinhelp.com/xamarin-android-aot-works/

0
James Lavery On

It depends on how paranoid you are regarding your code. With un-obfuscated code, the steps to get the code back are quite straightforward with access to the APK file:

  1. Rename to .zip
  2. Unzip
  3. Access the DLLs (yes, they're still C# DLLs) in the zip
  4. Use ILSpy or similar to reverse-engineer the code.

The main risk is getting at secrets (API keys) etc. which are hard coded - this can be mitigated by storing them in files and loading them at runtime so they're no longer visible in the code.

Obfuscation just makes step 4 above harder and take longer. It doesn't stop a really determined person getting at the code.
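A pre-release check for the hard-coded-secret risk described in the last answer, as an added example that is not part of any of the answers: it opens your own build's APK as a zip and scans each packed .dll for secret-looking string literals. The rule names and patterns, the `assemblies/` entry names and the sample key are assumptions constructed for this example, and it assumes the assemblies sit in the APK as plain .dll entries, as the answer describes.

```python
import io
import re
import zipfile

# Hypothetical rules for this example; tune them to the secrets your app uses.
SECRET_RULES = {
    "api_key_assignment": re.compile(r"(?i)api[_-]?key\s*[=:]\s*[A-Za-z0-9_\-]{16,}"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9_\-.]{20,}"),
}
# C# string literals are stored as UTF-16LE in the assembly; other data may be ASCII.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_strings(blob):
    """Yield printable ASCII and UTF-16LE runs of 8+ characters from raw bytes."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def audit_apk(apk, rules=SECRET_RULES):
    """Return sorted (entry, rule, text) hits for every .dll packed in the APK."""
    hits = set()
    with zipfile.ZipFile(apk) as zf:  # an APK is a zip archive
        for name in zf.namelist():
            if not name.lower().endswith(".dll"):
                continue
            for text in extract_strings(zf.read(name)):
                for rule, rx in rules.items():
                    hits.update((name, rule, m.group()) for m in rx.finditer(text))
    return sorted(hits)


def build_sample_apk():
    """Constructed in-memory APK: one assembly with a fake hard-coded key, one clean."""
    fake_key = "ApiKey=CONSTRUCTED_SAMPLE_0000".encode("utf-16-le")
    clean = "Hello from Xamarin".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assemblies/MyApp.dll", b"MZ\x90\x00" + b"\x00" * 16 + fake_key + b"\x00\x00")
        zf.writestr("assemblies/Clean.dll", b"MZ\x90\x00" + clean)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, rule, text in audit_apk(build_sample_apk()):
        print(f"{entry}: {rule}: {text}")
```

Run it against your own release APK in CI and fail the build on any hit; builds that compress or bundle their assemblies need unpacking before the scan.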