Tags: android, .net, xamarin.forms, reverse-engineering, .net-reflector

How successful is reverse engineering of an APK created using Xamarin?


I just renamed my app's APK created using Xamarin forms, and as expected the project's .dll can be decompiled to get the IL code using .NET decompilers.

I just want to know how much this can affect my app's privacy and what the best practices are so that I can protect my app from such cases.

Note: the app contains all the WebApi endpoints in string format and all other stuff.


Solution

  • Whatever you do to your code to hide trade secrets will just slow down a determined person. When you publish your app to the store you give up any secrets which you hardcoded into your application.

    I see you are concerned about API endpoints. I'm sorry to tell you, but an attacker will not even need to decompile your app to reconstruct the API endpoints and protocols. It is easy to set up a MITM server and intercept your supposedly encrypted traffic - it is much easier to intercept traffic than to analyse decompiled source code.

    You should be prepared for an adversary who knows the protocols and can simulate your app to make identical requests.

    If you are thinking of calling a third-party API from the client app with API keys hardcoded into your client app, then think again and move such calls to your server side.

    If you want to protect something which is really confidential, move all such code to the server. If your API does not provide any information which should be strictly throttled, then you should not care too much about obfuscation.
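As an added illustration of the pattern the answer recommends (this is example code, not part of the question or answer): a minimal server-side proxy that keeps the third-party API key on the server, hands the app a signed session token instead, throttles per user, and only attaches the key when forwarding the call. The key names, token scheme and the `fake_upstream` stand-in are assumptions made for this example.

```python
import hmac, hashlib, time, os
from collections import defaultdict

# Constructed values for the demo: in a real deployment both come from the server's
# secret store or environment, never from the mobile client's binary.
THIRD_PARTY_API_KEY = os.environ.get("THIRD_PARTY_API_KEY", "demo-third-party-key")
SESSION_SIGNING_KEY = b"demo-session-signing-key"

def issue_session_token(user_id: str) -> str:
    """Server issues a token after login; the app stores this instead of an API key."""
    sig = hmac.new(SESSION_SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"

def verify_session_token(token: str):
    """Return the user id if the token's HMAC is valid, else None."""
    user_id, _, sig = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(SESSION_SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(sig, expected) else None

class ThirdPartyProxy:
    """Server-side endpoint: authenticates the app user, throttles, then adds the secret key."""
    def __init__(self, max_calls: int, window_seconds: float, upstream):
        self.max_calls = max_calls
        self.window = window_seconds
        self.upstream = upstream            # callable(api_key, query) -> dict
        self.calls = defaultdict(list)      # user_id -> timestamps of recent calls

    def _throttled(self, user_id: str, now: float) -> bool:
        recent = [t for t in self.calls[user_id] if now - t < self.window]
        self.calls[user_id] = recent
        if len(recent) >= self.max_calls:
            return True
        recent.append(now)
        return False

    def handle(self, token: str, query: str, now=None) -> dict:
        now = time.time() if now is None else now
        user_id = verify_session_token(token)
        if user_id is None:
            return {"status": 401, "error": "invalid session token"}
        if self._throttled(user_id, now):
            return {"status": 429, "error": "rate limit exceeded"}
        # The third-party key is only ever used here, on the server side.
        return {"status": 200, "data": self.upstream(THIRD_PARTY_API_KEY, query)}

def fake_upstream(api_key: str, query: str) -> dict:
    """Constructed stand-in for the real third-party API call so the demo runs offline."""
    return {"authenticated_with": api_key, "echo": query}
```

Even if the APK is decompiled, the only credential it holds is a per-user session token that the server can revoke or throttle, while the third-party key never leaves the server.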