CSLA 3.6.X and Obfuscation

Vinodonly posted on Friday, July 03, 2009

Now that the new version is having the new property declaraing syntax.. Has anybody tried CSLA with Obfuscation. (I beleive the previous property declaration syntax was having issues with Obfuscation)

If yes and was sucessful then which were the products used..

Marjon1 replied on Friday, July 03, 2009

We have used obfuscation with our project, I think it was dotfuscator and one of the most important things to do was to not rename the data_portal methods, only the advanced or pro version allows you that sort of control though. We have been using it without problems even back in 2.x, but we had literal strings in all of our property changed events so that wasn't an issue for us.

If you want any more details, just let me know.

Vinodonly replied on Saturday, July 04, 2009

Thanks for replying.. yes I have few questions..

1. Was there any performance impact on using obfuscation, Did you compared your app in normal mode v/s obfuscated one.

2. Did you tried using reflector or other tools on your obfuscated app.. I mean from a hacker's (casual) point of view..

3. Can you share some of the revised bo's code on what all changes you made to your BO and why it was necessary.

I have heard that we can mark certain methods as not to be obfuscated which can save us from renaming methods.

Pls advs your comments.

Marjon1 replied on Saturday, July 04, 2009

1. We didn't do any measurement on normal mode vs obfuscated, as it wasn't really an option for us either way. We need to protected our IP investment, but on saying that we haven't noticed any speed difference. Our development builds ran at the same speed as our external release versions (which we also run).

2. We did use reflector on the resulting assemblies and it worked as you would expect, it doesn't make alot of sense compared to our normal code and would be difficult to work out without a fair bit of investment and that would only be on that version of code!

3. We haven't really made any changes to our business objects other than the not using the CanReadProperty(), etc methods, which are now defunct anyway. I will double check when back in the office on Monday, if there were any other settings that were set when obfuscating. We have a significant amount of database logic in our data_portal methods so it is important for us to obfuscated that code, thus why those methods are still obfuscated but the method names are not. If you understand CSLA then you would be able to find these methods quickly through reflector, but their internal workings would mean that much to you with all the funking string values!