As Mobile Developers, our customers expect us to deliver mobile applications that are not only rich in content but are also secured enough to protect their data privacy. In today’s article I am going to show you how to compromise an APK file using ILSPY application and the corresponding steps to counteract the reverse engineering of APK file through integration of Pre-Emptive’s Dotfuscator library.
We will use ILSPY in order to decompile back the .NET DLL libraries that can be found on the APK package of Xamarin Android. First let’s create a simple Xamarin Project targeting the Android Application as shown in Figure 1.
Now will try to create a package in Release mode the APK file by Archiving it as Shown in Figure 2.
Now, let’s download the ILSPY from this link. Extract the files and execute the ILSPY.exe and this should be your starting window as shown in Figure 3.
Let’s try to navigate to the newly created APK file as shown below Figure 4.
You can use any Decompression tool (e.g. Winrar, Zip) to decompress the APK file as shown in Figure 5.
Let’s try to open the DLL files extracted from the APK package that was archived from the previous steps as shown in Figure 6.
Imagine if this is a full blown application that was released in production, hackers can easily see the source code and get sensitive information like Constants, debug information, URLs or API Endpoints.
What is Obfuscation ?
So first things first, what is Obfuscate? It is just simply making the source code more unclear or unreadable to human. Its objective is to hide the purpose of the modules and making it hard to tamper or reverse engineer.
Obfuscation using DotFuscator
Dotfuscator is a product of PreEmptive that makes .NET application more difficult to be reverse engineered, tampered and unauthorized debugging which includes Xamarin Forms. In this tutorial, we are going to use the Community edition of Dotfuscator. Let’s install the DotFuscator Community edition by downloading through the Visual Studio Installer as seen in Figure 6.
After successful installation, launch Visual Studio again and verify under Tools Menu there should be the PreEmptive Dotfuscator as shown in Figure 7.
Upon launching the Dotfuscator UI, you will need to accept the license and agreements as shown in Figure 8.
You also need to Activate it using a valid Email as shown in Figure 9.
After successful Registration and Activation of DotFuscator Community Edition, you will be greeted by the Main Menu as Shown in Figure 10. For now, we will not use the Menu and I will further discuss it in the next articles.
Integrating DotFuscator to Xamarin Project
First, we need to download the MSBuild Target file which was created by the DotFuscator Team for easy integration with your project. The “PreEmptive.Dotfuscator.Xamarin.targets” is also located in this sample project. Later, I will link the Repository so that you can Download and review the integration process. The MSBuild file should be imported in the Root directory of your application based on Figure 11.
Next is to modify the CSProject of the Target Platform which in our case if our Android Project. First, decide which build you will apply the Obfuscation during Debug Build or Release Build. Once decided, add this lines under that build so that we can integrate Dotfuscator on the selected platform as shown Figure 12.
Let me explain each added tags:
<DotfuscatorXamarinCliPath> – contains the Path for the Dotfuscator CLI which is responsible for the Obfuscation process.
<DotfuscatorXamarinConfigFileName> – contains the Filename for the config file on how the project will be protected.
<DotfuscatorXamarinGenerateNewConfigFile> – this is set to true for the very first build of Dotfuscator integration so that it will generate the Config file.
<DotfuscatorXamarinEnable> – this is set to true to enable the integration with Dotfuscator.
Building the Project
Once you’ve added those tags try to build the project. In this sample, Android and all libraries referenced will be obfuscated as shown in figure 13.
Community And Professional Edition
I would like to just stress the different services or features that the Community has versus the Professional edition based on their site.
“In Community Edition, internal types, private fields, and local variables will no longer have their original names, removing semantic information about your code.”
“In Professional Edition, all the protection of Community Edition applies, and control flow will also be jumbled, making the logic difficult to follow.”
With that in mind the community edition is just like the Tip of the Iceberg when it comes to Obfuscation with Professional Edition. Depending on your security assessment you can either settle with Community edition or avail the Professional Edition.
To wrap things up, we discussed the usage of ILSPY in decompiling the DLLs of APK file which can be easily accessed and read by any person with Malicious intent which in a way can harm customers/audience. We also integrated Dotfuscator with our Android Project in order to apply the obfuscation in our DLLs to prevent Tampering or Reverse engineering. Here is the link for the Sample Project.
In the next article, I will discuss on how to check if the Android device is rooted or not so that you can make countermeasures when rooted device access your mobile application. This will still use PreEmptive Dotfuscator.
Happy Coding 🙂