I have recently attended a presentation where guy showed that .NET obfuscated code can be cracked. He suggested that a better way to get real security is by either encrypt an obfuscated assembly or even better have your intellectual property in an unmanaged assembly. The obvious drawback going with unmanaged assembly path is that assemly will be platform specific. Are there any advantages or disadvantages you see with above two approaches.
I have recently attended a presentation where guy showed that .NET obfuscated code can
Share
There are advantage and disadvantages to both models. But these will primarily depend on your specific threat model, which is where I suggest you start. Which groups of people present security threats to your product, and what are those threats?
In general, the advantage of using managed code is speed to market, but it’s more susceptible to certain attacks and IP theft. The advantage of using native code is that it’s less susceptible to certain attacks, but the speed to market is slower. These are very generic advantages and disadvantages that should be tuned based on your threat model.
EDIT to answer your comment. If you do have IP that you need to protect, I would (in the generic case) go for a native code executable rather than an encrypted obfuscated assembly. Native code is harder to crack open than encrypted obfuscated managed code, and the additional complications of encryption and obfuscation will add a significant amount of design and testing to your product.
EDITED again to point out that there’s another option: you can use a packer like MPress. This doesn’t have the performance and complexity implications of obfuscation and/or encryption, but still provides reasonable protection against IP theft by non-professional crackers. If you look at a packed .NET assembly with Reflector, you just see a single Main call.