Protect .NET code for Web Applications RRS feed

  • Question

  • Hi

    I'm looking for a guidance on how to protect our code against tampering and reverse engineering etc. What is the best tools on the market? I is considering DeployLX CodeVeil and .NET Reactor. Any thoughts on that?

    What is the necessary steps to take source code from pure sourcecode to protected code? Is there big difference on Web applications and WinForm applications? What about Strong Name signing?

    Monday, November 9, 2009 12:44 PM


All replies

  • You have to use obfuscators to protect your code / for all of your above requirements.

    Visual studio has a built in community edition obfuscator called dotfuscator.

    License and support information for the Dotfuscator tool for Visual Studio 2005 or for Visual Studio .NET 2003:


    Other Obfuscators

    Monday, November 9, 2009 4:40 PM
  • Obfuscators are great, but if you're releasing a web application, and not a Windows application, there's really not a reason to obfuscate.  Just make sure your servers are physically secure, and you should be fine.
    Coding Light - Illuminated Ideas and Algorithms in Software
    Coding Light WikiLinkedInForumsBrowser
    Monday, November 9, 2009 4:53 PM
  • The Obfuscator that comes with Visual Studio is just a simple thing that rename methodname, classname etc. to get the code a bit more difficult to reverse engineer, right? That may be enough for us, but what is the best tool on the market? Any experience to share?

    I'm going to protect our web applications sourcecode because it will be installed on other servers than our own. Our customers and partners, well some of them, will need to have it installed on their own servers. Thats why I want to protect the code.

    What about signing the code? Do you first obfuscate and then sign? Then the code will run on any server? Does it have to be installed in GAC? I like to have the web application dlls in the web-folder they belong and just x-copy over new versions when needed. Thoughts?
    Tuesday, November 10, 2009 8:11 AM
  • Hi,
    As David said, Obfuscator is good enough for mostly scenarios, if it still unacceptable, you may need to write your core source code in native languages.

    Please remember to mark helpful replies as answers and unmark them if they provide no help.
    Tuesday, November 17, 2009 2:46 AM
  • Hi again

    I think you're not answering my last question good enough. I'm looking for a receipt for best practice here.

    1) If I obfuscate my code on my developer PC will it easily run on a hosted server?
    2) Do I have to install the DLLs in GAC? I usually have them all in the applications BIN folder. And like that because the ease of xcopy deployment when uprading.
    3) Do signing of the code make any difference when hosting on other servers?
    4) First I obfuscate then sign right?

    PS! See also my two previous post to get the whole picture.

    Hope this makes it easier to answer :-)

    Thanks again
    Tuesday, November 17, 2009 7:53 AM
  • 1) It should run just fine. Why would you think otherwise? Did you try it? (That's the easiest thing how to find out your answer ...)
    2) You don't have to install the DLLs into GAC just becuase the DLLs are obfuscated.
    3) That is not obfuscation related question - Signing should have not impact on hosting your app on other servers. It should be the same as if you run your app on local PC.
    4) Yes, first obfuscate, then sign.

    Thursday, November 19, 2009 8:02 PM