Safeguard Your Xamarin Apps From Threats With Dotfuscator


We take a look at how mobile application developers working with Xamarin can secure their apps with this free, and awesome, tool.


Releasing an app is a bittersweet moment. On the one hand, there is the accomplishment and joy of making your software available to the world, but once you release it, you lose absolute control over its use. Developers are often wary of the possibility of reverse engineering.

One way of protecting your app against reverse engineering is using obfuscation tools, which are available for many platforms and languages. Android developers, for instance, can use ProGuard to obfuscate and shrink Java code. Recently Xamarin developers have found the same protection across most mobile device families with the Dotfuscator tool. The community edition (CE) of Dotfuscator can be used with Visual Studio. Now let’s take a look at how you can protect your Xamarin app with obfuscation:


To do this, we will use PreEmptive Protection – Dotfuscator, an obfuscator and protection tool that now also supports Xamarin. You will, of course, need your app to be developed using Visual Studio 2017 for Windows.

Step 1: Install and Set Up Dotfuscator

You will need to set up Dotfuscator on your machine, register your copy, and record the path to the command line interface.

Here’s how to set it up:

  1. Go to the PreEmptive Solutions website and navigate to the Dotfuscator Downloads page.

  2. From there, download the latest release of Dotfuscator Community Edition (CE) for Visual Studio 2017.

  3. Now run the VSIX file that you have downloaded and follow the set-up instructions.

  4. Next, launch Visual Studio 2017 and go to Tools – PreEmptive Protection – Dotfuscator to start the Dotfuscator CE user interface. As explained earlier, your copy of Dotfuscator must be registered before you can use the command line interface. Dotfuscator will prompt you to register when you run it for the first time; follow its instructions.

  5. If you want to register later or find out your registration status, check the registration status text in the upper-right corner of the Dotfuscator webpage.

  6. The path to the CLI is required to configure the build integration. You can find this path by navigating to the install directory for your installation of Visual Studio 2017. For example, the default install directory for Visual Studio 2017 Professional is: C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional. Inside this directory, find the Dotfuscator Community Edition extension files in *\Common7\IDE\Extensions\PreEmptiveSolutions\DotfuscatorCE. The dotfuscatorCLI.exe executable is the Dotfuscator Community Edition command line interface. Record the absolute path to the executable for later use.

Step 2: Download the Build Integration File

The Dotfuscator team has created an MSBuild targets file to aid the integration process. This file can be referenced by your Xamarin projects. Download this here.

Now save the PreEmptive.Dotfuscator.Xamarin.Targets file to your application’s solution directory, adding it to your local source control.

Step 3: Editing the Project for Build Integration

To modify your project file for the Visual Studio project that you want to obfuscate:

  1. First, note the project build configurations that you want to protect. These are all configurations except Debug. If you want more guidance on this, you can refer to the ‘Select What to Protect’ section of the documentation.

  2. Using a text editor, open your project file. For instance, a project file for C# would be `YourProjectName.csproj`.

  3. Make a note of the relative path from this file to the build integration file you have downloaded.

  4. Next, import the build integration file by adding the following element to the project file, just before the </Project> tag: <Import Project="..\..\PreEmptive.Dotfuscator.Xamarin.targets" />, replacing ..\..\ with the relative path you noted in the previous step.

  5. Within the <PropertyGroup> tag that has no Condition attribute, add the following tags: <DotfuscatorXamarinCliPath>C:\pathto\dotfuscatorCLI.exe</DotfuscatorXamarinCliPath> (replacing C:\pathto\dotfuscatorCLI.exe with the absolute path to the Dotfuscator Community Edition CLI you noted earlier), <DotfuscatorXamarinConfigFileName>DotfuscatorConfig.xml</DotfuscatorXamarinConfigFileName>, and <DotfuscatorXamarinGenerateNewConfigFile>true</DotfuscatorXamarinGenerateNewConfigFile>.

  6. Similarly, for each build configuration noted previously, find the related <PropertyGroup> and add the following tag: <DotfuscatorXamarinEnabled>true</DotfuscatorXamarinEnabled>

  7. After the last of the <ItemGroup> tags, add the following: <ItemGroup><None Include="DotfuscatorConfig.xml" /></ItemGroup>. Save your changes to the file and close it.
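
The Step 3 edits assembled into one project file, with a check that reports any non-Debug configuration left without protection enabled. This is an added example, not code from PreEmptive or from the original article; the sample project, its placeholder paths, and the `audit` helper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file with the Step 3 edits applied (paths are placeholders).
SAMPLE_CSPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <DotfuscatorXamarinCliPath>C:\pathto\dotfuscatorCLI.exe</DotfuscatorXamarinCliPath>
    <DotfuscatorXamarinConfigFileName>DotfuscatorConfig.xml</DotfuscatorXamarinConfigFileName>
    <DotfuscatorXamarinGenerateNewConfigFile>true</DotfuscatorXamarinGenerateNewConfigFile>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
    <DebugSymbols>true</DebugSymbols>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <DotfuscatorXamarinEnabled>true</DotfuscatorXamarinEnabled>
  </PropertyGroup>
  <ItemGroup>
    <None Include="DotfuscatorConfig.xml" />
  </ItemGroup>
  <Import Project="..\..\PreEmptive.Dotfuscator.Xamarin.targets" />
</Project>"""

def local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit(csproj_text):
    """Hypothetical helper: list the Step 3 edits missing from a project file."""
    root = ET.fromstring(csproj_text)
    problems = []
    imports = [e.get("Project", "") for e in root if local(e.tag) == "Import"]
    if not any(p.lower().endswith("preemptive.dotfuscator.xamarin.targets") for p in imports):
        problems.append("targets file is not imported")
    groups = [e for e in root if local(e.tag) == "PropertyGroup"]
    shared = {local(c.tag) for g in groups if g.get("Condition") is None for c in g}
    for name in ("DotfuscatorXamarinCliPath", "DotfuscatorXamarinConfigFileName"):
        if name not in shared:
            problems.append(name + " is not set in the unconditional PropertyGroup")
    for g in groups:
        m = re.search(r"==\s*'([^|']+)\|", g.get("Condition") or "")
        if not m or m.group(1).lower() == "debug":
            continue  # unconditional group or a Debug configuration
        enabled = [c.text for c in g if local(c.tag) == "DotfuscatorXamarinEnabled"]
        if [v.strip().lower() for v in enabled if v] != ["true"]:
            problems.append("configuration " + m.group(1) + " is not protected")
    return problems
```

Running `audit` on each project file in a CI step before packaging catches a release configuration that was added later without the DotfuscatorXamarinEnabled tag.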

Step 4: Build the App

Finally, you can start building the app with Dotfuscator protection:

  1. Launch your project using Visual Studio 2017.

  2. Now choose the solution build configuration that exercises a project build configuration you want to protect.

  3. Build your project. After the first build, check that the build output includes lines from Dotfuscator.

  4. You will find a new DotfuscatorConfig.xml file in your project. This is the Dotfuscator config file, and it tells the program how to obfuscate the code. The recommended practice is to check it into your source control.

  5. You will also see a new DotfuscatorReports directory in your project directory. This directory contains information about the project's obfuscation process, including the details needed to reverse it. Treat it like build output and have source control ignore it.

  6. Now you need to test the app, and if there are errors, further Dotfuscator configuration may be required to correct these mistakes.

  7. You can continue developing and building your app as usual. Whenever Dotfuscator is called in the build, the build output will show Dotfuscator's messages.


This post explains the benefits and procedure of obfuscating your apps using Dotfuscator. You can protect your Android, iOS, and UWP apps utilizing the process described here. If you need more information on protecting your Xamarin projects with the help of Dotfuscator, visit the Xamarin Dotfuscator User Guide. If you have any other queries or comments, please use the feedback section below.
