If you are reading this, you probably developed code in .NET 💻, but maybe you have never paid attention to the security it offers.
There is no doubt that .NET is an incredible language, and that it is increasingly broad and you can do more things, but security... let's say that is not its strong point 🙄.
Why isn't .NET safe ?
Basically any .NET framework (no matter if we talk about Xamarin, Blazor, ASP...) is compiled and transformed into IL code, then the CLR will compile it into native code and bla bla bla...🥱 I'm not here to talk in a technical way (unless you ask for a more complex article).
This code is decompiled the same way it is compiled, well, even easier 😌, that means that getting the clean and shiny 🌟 code of your application costs approximately, one click 🖱.
This might not be a "big problem" if we schedule everything perfect, but, here I include myself 🖐, we don't always do everything perfect.
So, what could happen if we don't protect our applications?
The combination between the fact that we are not perfect and that .NET is not safe, is not very good (for us I mean), for your attackers it is great 👿.
Quickly, it's quite simple that they can:
- Modify your applications.
- Steal or copy important code from your applications, such as exclusive functions or private methods of your company.
- Skip or alter security, license or login systems of your applications.
- Distribute unauthorized copies of your application.
- Access your servers, databases or obtain sensitive information about your users.
Obviously, much will depend on how our software is programmed, but getting into the habit of programming and including security systems is necessary for applications to be secure.
Is it really easy to see the code of an application ?
Well, let's suppose that this is something serious, as you see is an example, that asks us for a password to carry out an action:
There are many decompilers, for example DnSpy ➡
Simply by dragging the application (not even a click as I said before):
We can see the original code perfectly, well, modify it, crack it, study how it works, see the connections, databases, operation, algorithms... you know what I mean 😉.
So, should we protect our .NET applications ?
We should analyze well our software, its functions, its vulnerabilities, but I always recommend to protect (even minimally) everything related to our developments.
One last thing we could discuss 📢:
What about open source programming?
If our tool is free and the code is at a glance on some git platform. It would be weird to protect it, wouldn't it?
Well, it will depend on a few things, but here are some possible reasons why you might want to protect it.
☝ Contains sensitive information
It may be that the application is free but includes connections to databases, ftp accounts, or any other service that includes an api key in the code, then it must be protected.
✌ It's under your brand
I don't like to publish things under a brand that doesn't include security, even if it's something free, or an extension of something, someone could inject malicious code, or modify some connection to do phishing 🎣.
Then he can distribute the application under your brand, but having modified it.
🤟 Ensuring security for your users
There's not much to discuss here, it sounds better: "You're using software with up-to-date security methods and we guarantee the integrity of your system" than: "Check that the MD5 is the same and if it's not, burn your device. 🔥".
Well, I've gone too far here, but the concept is understood.
Thank you very much for reading it.
We could talk about many interesting things (which we will do if you ask), but I think we have talked about the basics of why we need to protect our .NET software.
Greetings to all, and don't forget to protect your software ! 😝
Top comments (10)
I'd disagree that .NET is unsafe because of decompilers. Practically every major compiled programming language has had a decompiler released by somebody.
By comparison, interpreted languages like javascript in the browser give users the full source code.
I'm really not sure what you mean when you talk about attackers skipping security and login systems. I guess you're talking about programs installed locally on a computer, and not an ASP.NET Web App.
Your example image showing the hardcoded password is not good practice and I can't see any commercial program doing this.
Most programs with a login system do not persistently store data locally. The user provides credentials which are authenticated by a server. The server should just forward sensitive data once the user has passed authentication/authorization.
Hi, Andy!
Yes, you're right, but I'm going to give you my opinion on several points.
I am not saying that the fact that it can be decompiled is the cause of all evil, but it obviously contributes negatively to security.
In the end, what determines the safety of something is not a specific point, but the sum of several.
The other languages have decompilers, it's true, but they also use solutions in the other languages, still I don't like to talk about the other languages, because I'll be honest, I'm a specialist in .NET security, I know other languages and their security, but I don't like to talk when I'm not 100% sure of something (like Java for example).
Languages interpreted as JavaScript, as you say, give the source code to the user, then no fool would make a connection to a database from JavaScript, obviously you can't, you must use some bridge that communicates with the database, but can you imagine that if you could put a connection to MySQL in JavaScript ? Well, in .NET it is done. It won't be a good practice, I give you all the reason, but we have many clients that do it.
Now, the difference between a desktop application and a web application
Here you are very right, it is not the same, as you say it is used to "crack" desktop applications. (Now I'll talk about security and login systems).
It is common for desktop (or Xamarin mobile) applications to be decompiled and altered so that they can be used for free or something like that. I'm sure you have or know someone who has Photoshop, but didn't buy it (even if it's not .NET, it's an example).
ASP .NET applications, we perceive them as if they were in an impenetrable magic capsule, but they are simply on a server, so it is another risk factor, the security of the server. I'm not a specialist in this, but I know people who are, and I can assure you first hand that if the security of the server is not strong, it doesn't cost so much to access it and get all the .DLLs of your ASP .NET application (which as I said before, it will connect to your database), in case they access your server, (which you should avoid with a good IDS, and a thousand other options for the security of the server where you host your application) I would rather they get my web application protected and with encrypted connections, than with the perfect code and at first sight.
My example: As I said it's a silly example, nobody puts an "if" in an application to validate a password, it's just an example. But it's to understand that the same way I can get the logic of this app, I could get it with any other one.
The login systems, you've explained it perfectly.
They work just as you mentioned, but we know business applications that don't work as well.
For you to understand my point of view, the security of an application or any software will depend almost entirely on how the application is programmed and designed at the security level. There's no point in having a vault door at home if you're missing a wall.
But once your house is well built, the fact of putting a vault door will reinforce the security of it, that is indisputable.
I've seen great security systems for login, validating everything in PHP, everything encrypted, and then returning the response to .NET, telling the user how many days they have left, or returning a "true" value if the credentials are valid, great.
Skipping those login systems was as simple as, "I don't care what you're returning, just keep going".
As I said, it all depends on how it is developed, it could be better or worse, but safety will always be an extra phase.
I hope I wasn't too heavy, and at no time did I offend you with anything, or anything like that. My aim is to help, to make people understand the importance of all this, and in this case to share opinions with you so that we can both learn from each other.
Your comment was very correct and argued everything studiously, thank you for your interest in our article.
Kind regards,
I can also disagree about .NET being unsafe, but I rather point out one point. In article you say: "but security... let's say that is not its strong point". I am not native English speaker, but I think that most of the people understand that statement that there are some vulnerabilities in .NET. And then in comment you said "I don't want to blame .NET for being insecure, I don't accuse it as a language with vulnerabilities or anything like that." So which one is true? Does .NET have security vulnerabilities or not?
Also saying that application is not secure, when it's not obfuscated is pretty "strong" statement. I think 99% of applications that people use every day (including web browsers) are not obfuscated and can be decompiled or are even open source. I never heard anyone saying that they are unsecure, because of that.
And easy decompilation has its advantages and disadvantages in security. Yes, it's possible to steal intellectual property. But the decompilation is easy because of lot of metadata about code inside application. And these metadata ensures type safety and thus prevents attacks like buffer-overflow, memory corruption.
I agree that obfuscation is good technique to prevent certain security attacks. But it's not equivalent to security. There is not even 1-way implication. When an application is obfuscated, it does not mean it's secure. And when it is not obfuscated, it does not mean it's not secure.
Hello Rastislav,
Just out of curiosity, have you had experience or studied about .NET security and obfuscation ?
Obfuscation is a technique to prevent attacks, that's true.
We have security systems and also obfuscation, obfuscation is limited to the modification of the IL code, when we talk about security we refer to more concepts, processes that guarantee the integrity of the memory, or the JIT, but the intention of this article was to make it easy, that's why it includes the tag #beginners.
We answer your questions because of the uncertainty wrongly caused by our fault.
We're not saying that .NET is insecure, we're saying that the ease of decompilation in .NET is much greater than in other languages, such as C++.
As I said, how insecure software is is determined by how it is designed. Nothing more.
I believe that at no time do we imply that an obfuscated application is safe and otherwise not. But if we have given that perception, we apologize 🙏.
Security is a task that developers must carry out when developing software, obfuscation is a technique to protect the source code, and then security systems such as ©Smart Native of our team, are systems to ensure security, memory access, injection and so on. These are different things, but they should complement each other to guarantee the highest security.
We are sorry for the confusion, Rastislav, any doubts you still have we can continue to talk to you, those are the aspects that we think we have not expressed well.
To be honest, my reaction was initiated by this tweet: twitter.com/ThePracticalDev/status...
Especially the sentence "But security... let's say that is not its strong point".
I think .NET is amazing technology with amazing community around. And I wish the community get's bigger. But the tweet like that may discourage people to be interested in .NET, thinking "why should I invest into .NET if it's not secure". Especially beginners.
Therefore I think it would be much better if the article differentiate between security in general and decompilation. I can imagine something like "Did you know that preview of Visual Studio allows you to debug .NET application even without source code? This is nice feature, but it allows anyone to debug your application and find secrets in your source code. Do you know how to prevent it?"
And to answer your first question. I have long years of experience in .NET, but I don't think I am expert in security. I am interested in security in computer science in general, but I am definitely not expert.
Hello again Rastislav,
Well, then you're absolutely right,
In this company we use .NET for almost everything, with that I show you what we love this language, and how great it is, with regard to security we offer solutions as I said, both at the level of code (obfuscation) and more advanced security solutions.
It was our first article, and we've oriented it somewhat confusingly, our intention here is not to be right, our intention is to help the community, to raise awareness about safety, and for everyone in the community to learn about these issues, and when we make mistakes and people like you or anyone else correct us, it's our turn to learn.
From now on, we will be careful about how we express some things, we will try to clarify the concepts so that nobody gets confused, and we will always adapt our solutions so that they are as simple and easy as possible.
I would ask you a favor, if you are interested in .NET security, we have a blog, in which we will be uploading articles from time to time, currently there are only two, and we have things to modify in them with what we have learned here, but if you are interested, I would ask you to subscribe to our newsletter to receive these articles, we do not send spam, or share with others.
Still be sure that here we will upload good content, I want to ask you one last question, and I hope not to waste your valuable time, what do you think you would like to read or learn about .NET security ?
Thank you for your response, and we hope you continue to learn about everything you like!
Kind regards,
Great article! Thanks for going over the importance of security in your apps. Could you do a write up on how to go about securing your apps? I’ve seen people use obfuscation, but that’s about it. Even then, I don’t know how to do that!
Thank you very much ! Yes, I am going to do a first explanatory article about what obfuscation is, how it works, what it has to do with security and what alternatives or extensions could be applied to protect applications. Do you find it interesting? I will also do more practical articles on how to implement security. I recommend you stay tuned to our profile, if you wish, you can subscribe to our newletter at dotnetsafer.com/blog, but rest assured that we will be publishing articles that resolve your doubts right here. Greetings !
Hello,
I disagree that .Net Framework is unsafe too.
In computer science nothing is 100% safe.
In any software (mobile, web, desktop or whatever) you (DEVELOPER) have to sanitize user input and validate it to avoid sql-injection or others security issues.
Furthermore, DEVELOPERS HAVE TO read the documentation:
docs.microsoft.com/en-us/dotnet/fr....
If you are a web developer using .net core please read carefully:
docs.microsoft.com/en-us/aspnet/co....
Decompile an application is a CRIME.
If somebody is wondering how to protect a .net application against decompilation I would suggest to check ConfusedEx (github.com/yck1509/ConfuserEx and yck1509.github.io/ConfuserEx/).
In my opinion you should point out that there are programming best and bad practices. I someone doesn't applies the best practises that doesn't mean that PHP, C# or Java are not safe. His code is not safe. It is not the fault of the programming language or framework.
However, I totally agree with you: we DEVELOPERS have to protect our application, customer and users data.
Hello!
I think you misunderstood me in that respect, but because of me, I didn't express myself well.
I don't want to blame .NET for being insecure, I don't accuse it as a language with vulnerabilities or anything like that, what I wanted to show is that just by clicking to compile, your application is not secure at all.
As I said in a previous comment, that the application can be decompiled does not determine everything, the most important thing is how you develop it, as you say, EVERYTHING is insecure, and EVERYTHING can be achieved, you see attacks on companies that invest millions of dollars in security, and yet sometimes suffer these attacks.
My goal was not to discredit .NET as a vulnerable language, but it is one of the languages where reverse engineering is more present. But like all languages really.
My goal is to make people aware of the need to take these aspects into account, but obviously, not only to use a security system, but to have good practices when programming and structuring everything correctly based on the security of our software.
The two articles you sent are very good, and I plan to upload articles of good practices regarding security in .NET, would you find them interesting ?
One piece of advice, I personally don't recommend ConfuserEx, but I'll tell you why, it's wonderful, but it's open source, this may seem good (and in part it is) but this has made it easier to study how it works and how to remove the security it offers, on the other hand, it has been used by many people who encrypted malicious software to prevent antivirus from detecting it, for that reason many times when protecting your application it generates false positives. Basically I tell you from the knowledge, in our development team anyone can remove it security in a few seconds.
But it's much better to use it than not to use it at all. That's for sure.
Another thing, many times I have read that it is a CRIME to decompile code, it is true, but a sad reality is that it happens, shoplifting is a crime, and yet you will always see the security guard at the door.
Thank you for your comment,
I would really like to know if you would like me to upload articles about good security practices and security tips in general for .NET, I would really appreciate your response.
Have a great day, and keep programming a lot of code 🖥, but safe 🛡😝 !