
Our development team just (mostly) finished an Android app using MonoDroid in Visual Studio. Because it has to do with banking, we wanted to try to obfuscate it in order to add some security against anyone trying to decompile it. Initially, I figured I could just use ProGuard, but there doesn't seem to be a project.properties file that I can edit in Visual Studio. Can anyone shine some glorious helping light on this subject and tell me if it is possible to use ProGuard with Mono and my newbishness is just clouding my vision?

(Another developer tried to use Dotfuscator -since we couldn't immediately find a way to use ProGuard- but it failed with numerous errors; the Mono runtime seems to give it issues.)

Luke
  • I would think the monodroid team could answer this best? – Peterdk Jan 06 '12 at 21:41
  • I actually sent a support email their way a couple days ago, but I got no response. Thought I would give the subject one last try by asking here. – Luke Jan 06 '12 at 22:04
  • Obfuscation won't really do anything to significantly defend your codebase. For one, the runtime has to reconstruct the CIL in order to run it. If the protection relies on some portion of the code, your application model is wrong. That said, I can see you wanting to hide your intellectual property – IanNorton Jan 07 '12 at 07:41

1 Answer


The Mono for Android toolchain doesn't have any support for running proguard at the moment.

However, with one broad exception, the lack of proguard support is largely moot. Proguard only runs on Java bytecode. The Mono for Android architecture has the Mono runtime running in the process; .NET CIL is not "compiled" into Java bytecode, the CIL is JITed by Mono. The only Java code running around is for Android Callable Wrappers, which allow Java/Android to call into managed code.

Thus the only thing proguard will protect in a Mono for Android app is the generated Android Callable Wrappers, which largely consists of a bunch of native method declarations. There won't be any business logic to decompile in the Android Callable Wrappers.

Instead, the CIL assemblies are stored uncompressed in the .apk file. The assemblies in turn can be decompiled to obtain all your business logic. The solution here is to obfuscate the assemblies before embedding them into the .apk. There are reports that Xenocode's Postbuild 2010 can be used, though I don't know any of the details on how to hook this up.

The exception mentioned above relates to any custom Java code included in the build process via the AndroidJavaSource and AndroidJavaLibrary Build actions, which would be used to include such things as the AdMob library. For this scenario we should add proguard support to the build process, though I have no ETA on when proguard support will be added.

jonp
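A release check that follows from the answer above, added here as an example and not code from the original post or from the Mono for Android toolchain: it lists the .dll/.exe entries in an .apk, whether each is stored uncompressed, and whether it carries a CLR runtime header, so you can see which files an assembly obfuscation step has to cover. The entry names and the header-only sample assemblies are constructed for the example.

```python
import io
import struct
import zipfile

def is_managed_pe(data: bytes) -> bool:
    """True if data is a PE image whose CLR runtime header directory is set."""
    try:
        if data[:2] != b"MZ":
            return False
        pe = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24                                       # PE signature + COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)  # directory 14 = CLR
        return rva != 0 and size != 0
    except struct.error:                                    # truncated or not a PE
        return False

def audit_apk(apk) -> list:
    """Report every .dll/.exe entry: name, stored-uncompressed flag, managed flag."""
    report = []
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            if info.filename.lower().endswith((".dll", ".exe")):
                stored = info.compress_type == zipfile.ZIP_STORED
                report.append({"name": info.filename, "stored": stored,
                               "managed": is_managed_pe(z.read(info))})
    return report

def fake_pe(managed: bool) -> bytes:
    """Constructed stand-in for an assembly: PE headers only, no code."""
    buf = bytearray(b"MZ".ljust(0x200, b"\0"))
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x10B)
    if managed:
        struct.pack_into("<II", buf, 0x80 + 24 + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)

def sample_apk() -> io.BytesIO:
    """Constructed APK-shaped zip; the entry names are made up for the example."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0", zipfile.ZIP_DEFLATED)  # Java side, ignored
        z.writestr("assemblies/BankApp.dll", fake_pe(True), zipfile.ZIP_STORED)
        z.writestr("assemblies/Helper.dll", fake_pe(False), zipfile.ZIP_DEFLATED)
    return io.BytesIO(out.getvalue())
```

`audit_apk` also accepts a path to a real .apk; every entry it reports as managed is an assembly that ships its CIL in the package.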