Piracy in XBAP and Silverlight

    Question

  • Hi,

    I am quite new to Silverlight (or I should say I have still not started!), and this question must be very basic: is piracy possible on Silverlight and/or XBAP?

    I am working on a project, and I may use Silverlight or XBAP for the GUI. My company is very concerned about users/hackers being able to access the application binary, reverse engineer it and get some logic. The application logic is mostly on the server and is accessed by WCF, but the GUI will still include some basic logic. Also, the GUI itself will include a lot of animation that makes it valuable! I do not want to go towards obfuscation as I do not like it and I do not believe it works.

    Please provide some insight.

    Thanks

    Thursday, August 14, 2008 4:25 AM

Answers

  • As it's .NET, you can disassemble the DLL or use Reflector. Furthermore, Silverlight is a client-side technology, so the client downloads the package as is; he can find it again easily (and so open it in Reflector easily).

    You can use Silverlight Spy too. (http://silverlightspy.com/).

    So obfuscation is the best way.

    Thursday, August 14, 2008 4:34 AM
  • Obfuscation is not a definitive answer. It can still be reverse engineered.

    See this blog:

    The question remains.  How do you protect your secrets?  Usually the first answer to this question would be to obfuscate your Silverlight assemblies.  Obfuscation is a process for making it difficult to disassemble/read compiled code through the application of various algorithms.  For example, one algorithm would replace meaningful variable, method, and class names with random character strings.  While obfuscation does help "raise the bar" against casual snoopers, it will not stop determined individuals.  After all, obfuscated code is still valid, just ugly and more complicated.  If you are using obfuscation as the sole means to protecting the secrets of your application, you should not have a warm-fuzzy feeling about this.

    http://pagebrooks.com/archive/2008/07/19/protecting-secrets-in-your-silverlight-applications.aspx

    Concluding:

    In summary, Silverlight does not bring anything new to the table that should change how you view security.  These same problems existed before Silverlight and they will continue after Silverlight is released.  Currently, the best way to protect secrets in your Silverlight applications is to not store them at all.

    Thursday, August 14, 2008 5:13 AM
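
A pre-release check in the spirit of the advice above to not store secrets in the package, as an added example that is not part of the original thread or the linked blog post. A XAP is a ZIP archive, so the build can unpack it the same way any client can and flag secret-looking string literals before shipping; the pattern set, function names and sample package here are constructed for illustration.

```python
import io
import re
import zipfile

# Patterns for material that belongs on the server, not in a client package.
# This pattern set is an assumption for the example; extend it for your code base.
SECRET_PATTERNS = {
    "connection string": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+"),
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "api key assignment": re.compile(r"(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*\S{8,}"),
}

def extract_strings(data, min_len=6):
    """Return printable runs from a binary, in ASCII and in UTF-16LE
    (the encoding .NET uses for string literals in an assembly)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs] +
            [r.decode("utf-16-le") for r in utf16_runs])

def audit_xap(xap_bytes):
    """Scan every entry of a XAP (a ZIP archive) and return sorted
    (entry name, finding type) pairs for strings that look like secrets."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        for name in xap.namelist():
            for text in extract_strings(xap.read(name)):
                for label, pattern in SECRET_PATTERNS.items():
                    if pattern.search(text):
                        findings.add((name, label))
    return sorted(findings)

def build_sample_xap():
    """Constructed sample: a fake 'assembly' blob, not a real PE file."""
    literal = "Server=db01;User Id=app;Password=Sup3rS3cret!;"  # constructed value
    fake_dll = b"MZ\x90\x00" + b"\x00" * 32 + literal.encode("utf-16-le") + b"\x00\x00"
    manifest = b'<Deployment EntryPointAssembly="Demo" />'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("Demo.dll", fake_dll)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, label in audit_xap(build_sample_xap()):
        print(f"{entry}: possible {label}")
```

A finding here means the value should move behind the WCF service; renaming or obfuscating the assembly does not remove the literal from the download.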

All replies

  • Honestly, I would think these technologies are server side (just because they run in the browser), and that is why I thought the binary may be inaccessible to users. Silverlight Spy proved otherwise.

    Thanks

    Thursday, August 14, 2008 6:43 PM
  • It's understandable that you have an aversion to obfuscation, but consider it a necessary evil. Obfuscators like Crypto Obfuscator are very workflow friendly - it can directly take your Silverlight XAP file and produce an obfuscated XAP file. Sure, obfuscation is not the definitive answer, but some protection is better than no protection.

    Monday, October 11, 2010 7:19 AM