.NET Framework 2.0 Security Guidelines - Obfuscation

From Guidance Share

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Avoid storing secrets in code

Do not hard-code sensitive information, such as connection strings, user credentials, and encryption keys. An attacker who has access to your assembly can recover that information by examining the MSIL, by using a disassembler, or by using reflection.

If you must store secrets in code, use a strong obfuscator, and make sure that the class or class member that stores the hard-coded secret is actually obfuscated.
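The following pre-release check is an added example, not part of the original guidance. It uses reflection, one of the access paths named above, to list const string fields in your own assembly whose values look like credentials. The names `OrdersDb` and `SecretAudit`, the marker list, and the sample connection string are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;

// Constructed sample: the pattern the guideline warns against (placeholder value).
internal static class OrdersDb
{
    private const string ConnectionString =
        "Server=db01;Database=orders;User Id=app;Password=EXAMPLE-ONLY";
}

internal static class SecretAudit
{
    // Hypothetical marker list; tune it for your code base.
    private static readonly string[] Markers = { "password=", "pwd=", "user id=", "secret", "key=" };

    // Returns "Type.Field" for every const string field whose value contains a marker.
    // Only const fields are covered; string literals inside method bodies are not.
    public static List<string> FindSuspectConstants(Assembly assembly)
    {
        List<string> hits = new List<string>();
        BindingFlags all = BindingFlags.Static | BindingFlags.Public |
                           BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        foreach (Type type in assembly.GetTypes())
        {
            foreach (FieldInfo field in type.GetFields(all))
            {
                if (!field.IsLiteral || field.FieldType != typeof(string)) continue;
                // The value is read straight from metadata; 'private' does not hide it.
                string value = (string)field.GetRawConstantValue();
                if (value == null) continue;
                foreach (string marker in Markers)
                {
                    if (value.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        hits.Add(type.FullName + "." + field.Name);
                        break;
                    }
                }
            }
        }
        return hits;
    }

    private static void Main()
    {
        foreach (string hit in FindSuspectConstants(Assembly.GetExecutingAssembly()))
            Console.WriteLine("Hard-coded secret candidate: " + hit);
    }
}
```

Run against the sample above, the check reports `OrdersDb.ConnectionString` even though the field is private, which is why the access modifier offers no protection for a secret compiled into the assembly.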

Consider using obfuscation to make intellectual property theft more difficult

Assemblies can be reverse engineered easily. This enables people to understand your program logic and how it has been implemented. If you are concerned about protecting your intellectual property, use obfuscation to make it much more difficult for anyone to reverse engineer your assembly and understand the program logic.

Use obfuscation tools, such as Dotfuscator Community Edition available with Visual Studio 2005. Do not rely on obfuscation for security, but use it to make it more difficult for anyone to access secrets stored in code or to reverse engineer your code.
