Obfuscation Question

time to read 4 min | 752 words

The question is actually very short: Why?

I just saw an obfuscation package for .Net that goes for over 600$, and I'm not sure if that is per developer or not. I know that there is this belief that obfuscation will protect your IP, etc, but I fail to see the point in this endavor.

I can see several scenarios for wanting to obfuscate the code:

  • You are a component vendor and you don't want people ripping you work and using it elsewhere.
  • You ship a product out and fear that people will decompile your code, remove the registration routine and re-compile it.
  • Your code contains classified information or secret business logic.
  • You think that it is your code, and I have no business looking in there.

For the component developer:

What is valuable is not how you do that trick with triple buffering or custom event handling, or the Ajax capabilities, or whatever. What is important is that the whole component mesh well with the rest of the envionment and that it is easy to work with. If I got a problem in your component I will go into Reflector and try to find what is wrong. I will be seriously pissed off if I can't figure out that I should've prefixed a \ because the code is obfuscated. If someone is going to rip you off, obfuscation isn't going to help, if they need to take the whole thing as a black box, they will. And then were you are?

I'm going to use maybe 10% of the capabilities of what you give me, if I'm going to have to fight it, I'll rather just roll my own, it's simpler to do so and at least I can control what is going on.

For the obfuscation will make it harder to crack my product:

No, it won't. I can run your product under the profiler, find the path of calls that blocked me, and just return "true" from the IsLicensed() method. It's a lot of work, and in general, I have better things to do with my time than break products when I can just pay for them. That said, there is a certain class of people that enjoy this challange, and yet another section of humanity that uses their labor to use your labor without paying.

Obfuscation only make the game more interesting, and considerring that obfuscation doesn't change the meaning of the code, it all turns into a mental challange similar to this. At worst, they will just check the x86 assembly that is being JITed and see what you are doing in that level.

For the classified information / secret stuff in my code:

What are you doing giving away your confidential data to the users anyway? If it is really secret, then you should put it somewhere you control, and only let people access it if they are authorized. Putting the classified information in the client just means that A) they can access it if they need it and B) they likely to do so without you knowing so. If it is secret, you should keep it under lock. The moment it is in the hands of the users, it is only secret as long as no one tries to find it. If it is not really secret, than it's either #1 or #4.

For the guys that thinks that I shouldn't look at their code:

You code is not likely to be anything speical, sorry. I regulary goes over libraries I use with Reflector, it's a mini code review that I do, mostly to familiarize myself with the library and the options that I can use. Several times I rejected libraries because the way the structured their code, under the assumstion that if they did such a bad job in this, it's not going to be easy / fun to work with the API that exists, and the general quality of the code isn't going to be stellar (to say the least).