Obfuscating Xamarin Forms (Android) using Dotfuscator

As Mobile Developers, our customers expect us to deliver mobile applications that are not only rich in content but are also secured enough to protect their data privacy.  In today’s article I am going to show you how to compromise an APK file using ILSPY application and the corresponding steps to counteract the reverse engineering of APK file through integration of Pre-Emptive’s Dotfuscator library.

header.png
Image credit to PreEmptive Protection

Using ILSPY

We will use ILSPY in order to decompile back the .NET DLL libraries that can be found on the APK package of Xamarin Android. First let’s create a simple Xamarin Project targeting the Android Application as shown in Figure 1.

SampleProject.PNG
Figure 1. Simple Hello Xamarin Android Application.

Now will try to create a package in Release mode the APK file by Archiving it as Shown in Figure 2.

Archiving.PNG
Figure 2. Archiving of our Android Project.

Now, let’s download the ILSPY from this link. Extract the files and execute the ILSPY.exe and this should be your starting window as shown in Figure 3.

ILSPYMain.PNG
Figure 3. ILSpy user interface.

Let’s try to navigate to the newly created APK file as shown below Figure 4.

NavigateToAPK.PNG
Figure 4. Navigating through the archived APK Package.

You can use any Decompression tool (e.g. Winrar, Zip) to decompress the APK file as shown in Figure 5.

Unzip.PNG
Figure 5. Unzipping of APK File.

Let’s try to open the DLL files extracted from the APK package that was archived from the previous steps as shown in Figure 6.

Decompiled.PNG
Figure 6. Decompiled DLL from the APK package.

Imagine if this is a full blown application that was released in production, hackers can easily see the source code and get sensitive information like Constants, debug information, URLs or API Endpoints.

What is Obfuscation ?

So first things first, what is Obfuscate? It is just simply making the source code more unclear or unreadable to human. Its objective is to hide the purpose of the modules and making it hard to tamper or reverse engineer.

HareObfuscation.png
Image credits to ITHare.com

Obfuscation using DotFuscator

Dotfuscator is a product of PreEmptive that makes .NET application more difficult to be reverse engineered, tampered and unauthorized debugging which includes Xamarin Forms. In this tutorial, we are going to use the Community edition of Dotfuscator. Let’s install the DotFuscator Community edition by downloading through the Visual Studio Installer as seen in Figure 6.

DotfuscatorInstallation.PNG
Figure 6. Installing Dotfuscator for Visual Studio 2017

After successful installation, launch Visual Studio again and verify under Tools Menu there should be the PreEmptive Dotfuscator as shown in Figure 7.

ToolsMenu.PNG
Figure 7. Successful installation of Dotfuscator.

Upon launching the Dotfuscator UI, you will need to accept the license and agreements as shown in Figure 8.

LicenseAndAgreementDotfuscator.PNG
Figure 8. License and Agreement for DotFuscator.

You also need to Activate it using a valid Email as shown in Figure 9.

Registration.PNG
Figure 9. Registration

After successful Registration and Activation of DotFuscator Community Edition, you will be greeted by the Main Menu as Shown in Figure 10. For now, we will not use the Menu and I will further discuss it in the next articles.

DotFuscatorMainMenu.PNG
Figure 10. Main Menu of DotFuscator Community Edition.

Integrating DotFuscator to Xamarin Project

First, we need to download the MSBuild Target file which was created by the DotFuscator Team for easy integration with your project. The “PreEmptive.Dotfuscator.Xamarin.targets” is also located in this sample project. Later, I will link the Repository so that you can Download and review the integration process. The MSBuild file should be imported in the Root directory of your application based on Figure 11.

MSBuildFile
Figure 11. MSBuild File should be placed in the Root folder of the solution.

Next is to modify the CSProject of the Target Platform which in our case if our Android Project. First, decide which build you will apply the Obfuscation during Debug Build or Release Build. Once decided, add this lines under that build so that we can integrate Dotfuscator on the selected platform as shown Figure 12.

DotfuscatorTags.PNG
Figure 12. Dotfuscator Tags needed for integration.

Let me explain each added tags:

<DotfuscatorXamarinCliPath> – contains the Path for the Dotfuscator CLI which is responsible for the Obfuscation process.

<DotfuscatorXamarinConfigFileName> – contains the Filename for the config file on how the project will be protected.

<DotfuscatorXamarinGenerateNewConfigFile> – this is set to true for the very first build of Dotfuscator integration so that it will generate the Config file.

<DotfuscatorXamarinEnable> – this is set to true to enable the integration with Dotfuscator.

Building the Project

Once you’ve added those tags try to build the project. In this sample, Android and all libraries referenced will be obfuscated as shown in figure 13.

Obscured.PNG
Figure 13. The before and after of Obfuscation.

Community And Professional Edition

I would like to just stress the different services or features that the Community has versus the Professional edition based on their site.

“In Community Edition, internal types, private fields, and local variables will no longer have their original names, removing semantic information about your code.”

“In Professional Edition, all the protection of Community Edition applies, and control flow will also be jumbled, making the logic difficult to follow.”

With that in mind the community edition is just like the Tip of the Iceberg when it comes to Obfuscation with Professional Edition. Depending on your security assessment you can either settle with Community edition or avail the Professional Edition.

Conclusion

To wrap things up, we discussed the usage of ILSPY in decompiling the DLLs of APK file which can be easily accessed and read by any person with Malicious intent which in a way can harm customers/audience. We also integrated Dotfuscator with our Android Project in order to apply the obfuscation in our DLLs to prevent Tampering or Reverse engineering. Here is the link for the Sample Project.

In the next article, I will discuss on how to check if the Android device is rooted or not so that you can make countermeasures when rooted device access your mobile application. This will still use PreEmptive Dotfuscator.

Happy Coding 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s