Why you should protect your .NET applications

ByteHide - Apr 13 '20 - Dev Community

If you are reading this, you have probably developed code in .NET 💻, but maybe you have never paid attention to the security it offers.

There is no doubt that .NET is an incredible platform, and that it keeps getting broader so you can do more things with it, but security... let's say that is not its strong point 🙄.

Why isn't .NET safe?

Basically, code written for any .NET framework (no matter if we talk about Xamarin, Blazor, ASP...) is compiled into IL code, then the CLR compiles that into native code and bla bla bla... 🥱 I'm not here to talk in a technical way (unless you ask for a more complex article).

This IL code can be decompiled as easily as it is compiled, well, even more easily 😌. That means that getting the clean and shiny 🌟 code of your application costs approximately one click 🖱.

This might not be a "big problem" if we programmed everything perfectly, but (and here I include myself 🖐) we don't always do everything perfectly.

So, what could happen if we don't protect our applications?

The combination of the fact that we are not perfect and that .NET is not safe is not very good (for us, I mean); for your attackers it is great 👿.

In short, it is quite simple for them to:

  • Modify your applications.
  • Steal or copy important code from your applications, such as exclusive functions or private methods of your company.
  • Skip or alter security, license or login systems of your applications.
  • Distribute unauthorized copies of your application.
  • Access your servers, databases or obtain sensitive information about your users.

Obviously, much will depend on how our software is programmed, but getting into the habit of programming with security in mind and including security systems is necessary for applications to be secure.

Is it really easy to see the code of an application?

Well, let's suppose that this is something serious: an example application that asks us for a password to carry out an action.

There are many decompilers, for example dnSpy.

Simply by dragging the application into it (not even a click, as I said before), we can see the original code perfectly and, well, modify it, crack it, study how it works, see the connections, databases, operation, algorithms... you know what I mean 😉.

So, should we protect our .NET applications?

We should analyze our software well: its functions, its vulnerabilities. But I always recommend protecting (even minimally) everything related to our developments.

One last thing we could discuss 📢:

What about open source programming?

If our tool is free and the code is available at a glance on some git platform, it would be weird to protect it, wouldn't it?

Well, it will depend on a few things, but here are some possible reasons why you might want to protect it.

☝ Contains sensitive information

It may be that the application is free but includes connections to databases, FTP accounts, or any other service that requires an API key in the code; then it must be protected.
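To check a build for this kind of embedded information before publishing it, the following added example (not code from the original post or from ByteHide) reads string literals straight out of assembly bytes and flags the ones that look like credentials. The pattern set, the function names and the sample literals are assumptions constructed for this illustration.

```python
import re

# C# string literals are stored in the assembly's #US metadata heap as plain
# UTF-16LE, so runs of printable characters can be read straight from the file.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Hypothetical patterns for this example; extend them for your own services.
SECRET_PATTERNS = {
    "connection string": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+"),
    "api key": re.compile(r"(?i)\bapi[_-]?key\b\s*[=:]\s*\S+"),
    "ftp credentials": re.compile(r"(?i)\bftp://[^/\s:]+:[^@\s]+@"),
}

def extract_literals(data):
    """Return every printable UTF-16LE run of 6+ characters found in data."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def find_secrets(data):
    """Return (label, literal) pairs for literals that look like secrets."""
    return [(label, lit)
            for lit in extract_literals(data)
            for label, pattern in SECRET_PATTERNS.items()
            if pattern.search(lit)]

def build_us_heap(literals):
    """Constructed test input: encode literals the way the #US heap does
    (compressed length prefix, UTF-16LE text, one trailing flag byte)."""
    heap = b"\x00"
    for lit in literals:
        n = 2 * len(lit) + 1
        prefix = bytes([n]) if n < 0x80 else bytes([0x80 | (n >> 8), n & 0xFF])
        heap += prefix + lit.encode("utf-16-le") + b"\x00"
    return heap

# Constructed literals, standing in for what a compiled application contains.
SAMPLE_LITERALS = [
    "Enter password:",
    "Server=db.example.test;User Id=app;Password=CONSTRUCTED-VALUE;",
    "api_key=CONSTRUCTED-KEY-0000",
    "ftp://deploy:CONSTRUCTED@ftp.example.test/",
]
SAMPLE_HEAP = build_us_heap(SAMPLE_LITERALS)

if __name__ == "__main__":
    # For a real build, pass open("YourApp.dll", "rb").read() instead.
    for label, literal in find_secrets(SAMPLE_HEAP):
        print(f"{label}: {literal}")
```

Any finding is a literal that anyone holding the binary can read, so the credential belongs on a server or in a secret store rather than in the shipped code.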

✌ It's under your brand

I don't like to publish things under a brand without including security, even if it's something free or an extension of something. Someone could inject malicious code, or modify some connection to do phishing 🎣, and then distribute the modified application under your brand.

🤟 Ensuring security for your users

There's not much to discuss here. It sounds better to say: "You're using software with up-to-date security methods and we guarantee the integrity of your system" than: "Check that the MD5 is the same and if it's not, burn your device. 🔥".

Well, I've gone too far here, but the concept is understood.

Thank you very much for reading it.

We could talk about many interesting things (which we will do if you ask), but I think we have talked about the basics of why we need to protect our .NET software.

Greetings to all, and don't forget to protect your software!
