1

I have ASP.Net Core 1.0.1 project in which I need some strings hidden. The strings are private static fields. Obfuscar 2.2.3 is meant to hide strings by default, but it doesn't. I also tried this config with explicit values:

<Var name="HideStrings" value="true" />
<ForceStringHiding type="MyNamespase" />

But strings are still visible via dotPeek.

Maybe I misunderstood something? How can I get my strings hidden?

Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Slip
  • 593
  • 1
  • 7
  • 21
  • String hiding has been disabled completely in 2.2.3 release, https://github.com/lextm/obfuscar/commit/f364a38d511e9b77fd875dee5acb54e57cbe1c45 As the answer below indicates, the process is reversible so never use it to hide any secret information. You should rely on other Windows/OS mechanism to store confidential data. – Lex Li Feb 03 '17 at 09:39

1 Answers1

3

You can't "reliably hide" anything "inside app/library" while your app need to be able to "decrypt" it to original.

Any "secret algorithm" you invent is useless because all that needed to "decrypt" it is contained inside app (otherwise your app itself will not be able to "decrypt"), so any bad guy who have access to your app exe/dll can "repeat" this steps and "decrypt" hidden value.

If you "trust" server/machine where your app is running and want to "hide" some string only from persons who can "copy" your app from some intermediate source (e.g., download your zip distrib from github repo) then you should use UserSecrets library or similar.

If you do not "trust" server where your app is running - you should change server/provider.

Dmitry
  • 16,110
  • 4
  • 61
  • 73