is winrt code better protected against reverse engineering? - silverlight

My application is being developed in silverlight. Plan to launch it later this year. I am worried against my xaps getting reverse-engineered. I do have a fare amount of intelligence in my wcf service but you cant put everything in the service. Now winrt is anothe option. Fact that both silverlight and winrt use xaml, it seems possible to move my client code to winrt but only if that code is protected against reverse engineering. Opinions?

No.
http://JustinAngel.net/ReverseEngineerWin8Apps

There is little that can protect your code against reverse engineering. Running on server hides the code making it most secure, obfuscation still protects it quite well, but not completely and it has some other risks. WinRT allows you to write native code, which is a bit harder to reverse engineer than .NET code, but only marginally. On the other hand - if your application is written in non-minified javascript - you are basically shipping your source code and you don't even have a xap file to decompress - just look in C:\Program Files\WindowsApps and there is a folder for your app where all the files you see in Visual Studio are stored.
You can look at these options then and decide what would work best for you. Ultimately though - the choice between WinRT and Silverlight is a choice of platform - WinRT applications will only run on Windows 8 and (we can speculate) possibly on the next version of Windows Phone, which at least initially - limits your target audience. I have not heard of the option to sell Silverlight apps through Windows Store, unless you are targeting Windows Phone, where that is the only option (that and XNA - both being .NET based).
If your client-side code is indeed a unique intellectual property - you are better off protecting it with patents and copyright law than with obfuscation and compilation.

Related

Mcafee update blocked silverlight and the future of the Silverlight Technology

Today, while I'm running a Silverlight project in the Internet Explorer by pressing F5 in Visual Studio 2012 in my Windows 8 machine, I found that McAfee started to block Silverlight XAPs (Which is loaded by Prism).
This leads me to think again about the future of Silverlight. I'm at the beginning of my LOB Application. Should I stop what I like to work in Silverlight and return back to WPF. I which that I can continue to develop in Silverlight until Windows 8 becomes rich like Silverlight. That is why I limit the Model and MVVM to PCL to be easier to be ported to WinRT in the future. Using await async and so...
Please advise me which is better for a LOB application that will run in three countries throw the Internet. Should I continue in Silverlight for zero deployment, or work in WPF or even Windows Forms and use clickonce?
The fact that McAffee blocked something has NOTHING to do with it's long term future. McAfee is nobody, they don't determine whether or not a specific technology can be used or not, or will be used in the future.
Silverlight seems to have reached a dead end, due to Microsoft realizing that if they create a multi-platform application environment, people might just stop using Windows.
WPF also seems to have been abandoned in favor or WinRT XAML, but of course WinRT XAML is not an option for us developers at the moment, simply because it is Windows 8-only, and our customers don't have Windows 8 or greater.
Besides, technically, WinRT-XAML seems to be really inferior to WPF XAML, and lacks many important features.
Of course winforms is completely useless and is not an option, unless you need to run your applications in my grandma's 80386 computer with an Hercules monochrome monitor
(exaggeration).
Seriously, that dead technology is not the answer to any of today's challenges. Things that you can do easily in any of the XAML-based technologies are either impossible or require a bunch of horrible hacks in winforms.
I suppose the definitive answer depends a lot on the usage scenario, for example:
Silverlight makes more sense if you have to publish your application in a web site and have anyone download it and use it.
WinRT XAML makes sense only if you target Windows 8, or want to create 'metro style' apps.
WPF makes sense if you want to create Windows Desktop applications, and have them deployed via ClickOnce or Windows Installer to a more limited and controlled set of users (because it needs installation of the .Net Framework, which Click-Once can deal with anyways).
winforms makes no sense whatsoever because it's a completely useless dinosaur technology that doesn't support anything.
Thank you very much for your answer and sharing your experience with me. I always try keeping WinRT as a strategy planning for each line of code I write. As I wish to migrate my code easily to WinRT in the future. The future is translated to me as may be within two years I may find myself in a situation that we will be targeted to migrate to something like Windows 9.
The best successful migration scenario - as I wish, it could be by increasing the usage of PCL at the client side as much as possible and test in a small piece of WinRT module.
We hope that Microsoft succeed in Windows 9.
I am sadly decided to shift to WPF instead of Silverlight in case that Silverlight depends on browsers that may not be supported in the future. As we here that Chrome, Safari and others are stopping supporting Silverlight. Why should I insist in relaying with such great technology that is dead before it finishes.
The main difficulties I could face in the future migration could be tied to two patterns:
- Prism.Regions: Windows Store has better than that.
- Prism.Modularity: Windows Store has no migration strategy to that.
At least at the moment I'm writing my thoughts Prism for Windows Store are far from implementing Regions and Modularity.
This is not a final answer but a clue of my what I should and should not to do.

Is silverlight the right choice of technology for enterprise applications after Microsoft's comments in PDC 2010

We were beginning to start on an enterprise application using silverlight.
However after reading this post we doubt whether it is the right choice going forward.
The post says that, according to
Microsoft's declaration in PDC 2010,
Microsoft has changed their strategy
regarding silverlight and they no
longer view it as their technology to
deliver cross platform applications.
Instead they are targeting silverlight
as their development platform for
Windows phone 7.
Is this correct? Should we still continue with silverlight or go back to ASP.NET WebForms\MVC?
The Scope of the application is basically intranet with Windows 2008 servers and Windows XP and Windows 7 clients. However a subset of functionality needs to be available to the external users over the internet. There we cannot have any restrictions on what OS users can use.
based on the info you gave, I can't conclude whether silverlight is the way to go. But what I do know is that a number of Microsofties wrote some blogposts about the things said about Silverlight on the pdc. For example John Papa, Bob Muglia and Scott Guthrie.
Update about the scope
I think you already gave the answer when you described the scope of the application. A part of the application will be available to external users and you cannot have any restriction about the OS they are running. With that requirement I think Silverlight is not the best way to go. Not because the rumours about its future but because of its platform indepency. What are the reasons not to go for a ASP.NET/web solution? Silverlight doesn't work on each OS whereas plain HTML will work everywhere. (ok you need a descent browser)
Although for a good advice I'd need more information about the application.
Basically the question you have to ask yourself is this: do you need your application to be used on every platform, i.e. Windows, Mac, Linux, misc. flavors of Unix, IPhone and other mobile platforms?
If that's the case, then a web based solution is the way to go.
If Windows, Mac and partially Linux is enough, then save yourself and your team a lot of pain and use Silverlight.
In my opinion support for mobile clients is the key factor in your decision.
For sure the right platform for Intranet, Enterprice applications Is Silverlight. It is
stable, performs extreamly well, the environment and the development time is huuge less than web application development, the end User Experience is much better and so on and so forth... Once you want to show part of the system out the the intranet - just create some specific target modules that will address the needed audince. You won't have the universal "Reachfull" solution, that will target everyhing, you'll always need mobile versions or other devices and so on. But once you've built your project the right way with Services (same services that the Silverlight app will consume), it'll be easy job to consume them with new UI.
Hope you will choose Silverlihgt.
Silverlight is a great technology, but the Microsoft does not develop it anymore. So as a technology is a great decision. But if you want to make a Silverlight app usable on a NOT supported platform (e.g. Android or iPhone) you have to use 3rd party services. For example http://sl2html.com

Silverlight OOB vs WPF ClickOnce

Silverlight Out of Browser technology and WPF ClickOnce on the surface have similarities. Easy and simple deployment, the ability to specify the level of trust access to the underlying host, etc.
What are the key issues I need to consider when choosing one over the other?
To put a finer point on it, I'll be deploying LOB apps on a corporate network running only windows computers.
The big one is cross platform compatibility. If you need you app to run on a mac as well as windows (not sure if Silverlight is supported in Linux yet) then use Silverligt. If you want to make an assumption that all your users will be in a windows machine then go WPF.
Obviously WPF has a much richer toolkit than silverlight so it may well be that silverlight just isn't an option. If I was just building for windows though I know my job would be easier in WPF.
Given that you are targetting a private infrastructure running Windows, two points worth thinking about
Wpf has a richer control tree, whereas Silverlight is a reduced set for compact size
Wpf requires .Net framework installed locally, whereas Silverlight has its own platform independent browser-based runtime
While your target platform will likely have the latest .Net framework installed, rendering this last point moot, keep in mind any updates to the framework [ie .Net4.0 and any future updates] may require a restart of the machine - which is a major pain point for businesses that demand constant-on stateful desktops [ie anything in finance, like banks and trading].
As with all problems, your requirements, not the technology, should inform your solution. :)
You mentioned trust access to the host which I think rules out Silverlight unless you want to run SL4 (beta).
We recently went through a lot of discussion about file system access. Silverlight 3 runs in a partial trust sandbox more or less. You can't maintain a pointer to files in the files system outside of your application's isolated storage. This was an issue for us as we wanted the user to be able to use the application to reference odds and ends on your file system. That said you can allow the users to load and save files from anywhere on the system but you just get/or push the file stream and (to the best of my knowledge) don't have access to the folder or file path information.
Silverlight 4 (in beta) has support for your application running in full trust mode. I haven't played with this yet however and can't speak to how well it works.
In talking with a lot of people who work with both Silverlight and WPF, even those who are excited about Silverlight and push for it strongly, I hear a lot of the say fairly emphatically that if you are going to be developing exclusively for a full-trust Windows environment, WPF is hands-down the obvious choice.
That's not to say that Silverlight is an inferior product or that there aren't times will Silverlight will be the clear winner. But when you say "I'll be deploying LOB apps on a corporate network running only windows computers," it sounds like WPF is the clear winnder.
You could decide to go down the Silverlight route in anticipation of all of the great new OOB feature os SL4. I've even heard rumors that SL and WPF will eventually merge, so it may not even really matter, right? Well, I think what you'll find if you go with Silverlight is that some of the advanced features that you thought were there weren't there in the way you expected. For example, SL4 will be able to run in "Elevated Trust" (not full trust) and you might find this limiting at a frustrating point in the project where a lot of your code base is already in Silverlight.
Certainly keep your eyes on Silverlight, but for your current business case, WPF will likely be the best fit.

WPF vs Silverlight 3.0

Silverlight 3.0 beta has just been announced at Microsofts Mix Conference in Las Vegas.
Two features of the new beta are 3D-graphics and the ability to run applications outside of the browser, which to me seemed to be two of the major features that WPF (Windows Presentation Foundation) previously offered over silverlight.
I am currently evaluating WPF and Silverlight for possible use in our companies future development activity, and this announcement has left me confused as to the intended direction of these two UI technologies and why I would choose one over the other.
Has anyone implemented a new application using WPF recently, and if so, what drove you to that decision? Given the announced changes to silverlight, Would your decision have changed had you made it now, and if not, why?
Any advice would be appreciated.
The biggest difference I find is the asynchronous model you have to adopt
in your Silverlight application.
It does seems like an advantage (and it can be), but it does make
life very difficult sometimes.
There are also some limitations that can be a real challenge like the absence
of print support.
I would recommend Silverlight over WPF when:
- There is no need for best possible performance (graphics included)
- Can get around the absence of print support (it will come, we just don't know when)
- Camera/Microphone support is not needed
- Can tolerate the assync app/development model
- Can tolerate limitations on WCF (no support for WS-Security at this point)
- There is no need to store huge amount of data on the client.
- There is no need to direct integration with client side applications like Office.
- Has a server to host your application
I would say the main difference is that WPF requires the client to have the .Net 3.0+ framework. Silverlight only requires the runtime. Now that being said, WPF is geared more for controlled environments such as an intranet. Silverlight is meant for the public web. Another difference is that Silverlight is cross platform (Windows, Mac, Linux in the future & Cross browser). WPF is meant for Windows only.
The .Net framework can be a huge download for some users. Silverlight is only 4-5MBs. This is a big difference to run your app on the web, but not a big issue if its an internal application at your company.
Silverlight is Sandboxed which is meant for web use. So if your app requires more permissions you will need WPF.
There are also some differences between Silverlight code and WPF. But from what I've heard, the ultimate goal is to get a Silverlight to run inside of WPF with minimal code changes. But they aren't there just yet.
I have just worked on a WPF project that in hindsight we feel we might have chosen SilverLight for. It is probably more important to know the differences and select the one that is most appropriate for what you're doing.
Here's my starter for ten on some of the important differences - there were originally some differences in the available controls, but that has largely been smoothed out now.
Silverlight
Runs entirely on the client with AJAX
calls to the server for data
Can run on any server, including Windows and Linux / Apache
Uses COMPACT .NET framework
WPF
Runs on the client... usually calls services for data
Runs on Windows XP / Vista with .NET 3.5
Utilises the entire .NET framework
Silverlight is basically a stripped down version of WPF in order to make the runtime libary download as small as possible.
As a result, WPF simply has a lot more functionality available in it and tasks that are simple in WPF often become not so simple in Silverlight.
If running as a web app is not a requirement then the decision is a no-brainer - WPF all the way.
Has anyone implemented a new application using WPF recently, and if so, what drove you to that decision: Well since WPF was desktop only (or browser based using XBAPS - but that was more a deployment system than a real system) that was a good reason to it.
"Would your decision have changed had you made it now, and if not, why?" - No Silverlight, even on the desktop in v3, is still highly sandboxed and so certain functions are going to be hard/impossible to do due to the sandbox. Also the ability to use DirectX parts in WPF will still give another optimisation area which Silverlight and it's 3d won't be able to use.
It's worth noting that Silverlight's 3D is not the full 3D support of WPF, but only projection of 2D into 3D - i.e. take the 2D plane and allow rotation in X, Y & Z directions. WPF has full 3D modelling with materials, view ports, lighting and camera positional support etc.
I'm well along in the development of our first WPF app for release. Silverlight 3 looks great, but for this application I would still have chosen WPF. The application centers around presenting and manipulating very large sets of images hosted on a central server on our clients' networks. Additionally, the software update/change rate will be minimal. Mass import of new images from a local drive, no Internet connectivity requirements, performance concerns, etc. make this a project well suited for WPF.
One of our upcoming projects, however, will require many remote users to access a single data store on our network. The data they work with requires significant validation and error handling, so running that code locally is ideal. They will need the ability to work both on and offline and remain in synch (probably with SQL Data Services). SLOOB (Silverlight Out Of the Browser) will most likely be our choice for that one so they can have all the Silverlight advantages but use it like a regularly installed application, even without an Internet connection.
Both formats have their place: the trick will be to avoid using Silverlight for everything - we have more tools than just 1 hammer. :-)
Another difference is that with SL you only have one 'window', you can't have dialogs (they can be simulated but their size is limited to the main window) and you can't add multi monitor support.
If you have to interact with existing business applications (e.g. open a document in the archive viewer) you need to use WPF.
I recently have built several internal tool using wpf, and I chose it simply because It was easier for me coming from win32 work. I don't really think that the differences are major, and really... everything i have seen/heard indicates that porting between wpf and silverlight is quite easy.
Storage: You only have 25MB of isolated storage out-of-browser. If I remember correctly from some mix09 video, this limit is lower if your app is in-browser.
http://bliny.net/blog/post/Out-of-Browser-with-Silverlight-3.aspx
No FlowDocument: So there are limitations there too.

Silverlight and Obfuscation

I am fairly new with silverlight and I really find it cool. I have a question about how it runs the code client-side tho..
Say for example, I have a site that calculates a certain amount based on user inputted amounts. This of course I would love to do client-side. The catch though, is that the formula used for the calculation is proprietary and a trade secret. If I put this formula client-side using SL, will it be safe? Or can it be reflected?
If you want to keep algorithms secret, don't push it to the client side. No form of obfuscation or protection is ever perfect.
Also, when you have calculations on the client side, you should always check the results on the server, rather than just assuming they're correct. Assume that the client is compromised.
Silverlight pushes the XAP file to the client. The XAP file is simply a zip file containing your .NET assemblies, which can then be unzipped and reflected against. The company I work for (PreEmptive Solutions) markets Dotfuscator, which can obfuscate Silverlight assemblies. Right now you have to unzip the xap, obfuscate and zip them back in, but we're working on improving the workflow.
Just a note to Dotfuscator users: If you create a Dotfuscator project, you must use the "User Defined Assembly Load Path" property in the "Settings" tab to browse to the Silverlight libs. The paths you need are:
\Program Files\Microsoft SDKs\Silverlight\v2.0\Reference Assemblies
\Program Files\Microsoft SDKs\Silverlight\v2.0\Libraries\Client
or on 64 bit operating systems:
\Program Files (x86)\Microsoft SDKs\Silverlight\v2.0\Reference Assemblies
\Program Files (x86)\Microsoft SDKs\Silverlight\v2.0\Libraries\Client
Don't fall into a trap of think hiding the algorithm will protect it. Once you put it on the web somebody will figure it out no matter what you do. With enough sample data anybody with some math skills should be able to figure out your algorithm.
All you can do is make it harder. If this algorithm is is something proprietary that you have bought then it will need to be server side. Putting the algorithm on the client side is essentially publishing it and you could be liable.
IntelliLock and .NET Reactor (my preferred tool) obfuscates my assemblies nicely.
While obfuscation is not a fool-proof method, it makes it that much more difficult for somebody to see your code. One has to really jump though convoluted hoops to get to your final code if the layers of obfuscation are good. Crypto Obfuscator is one obfuscator which supports obfuscation of Silverlight assemblies.
Another cool tool is CodeFort. It has free edition. See it in action at http://www.codefort.org
CodeFort .NET & Silverlight Obfuscator
CodeFort is an advanced obfuscator and protection tool for Microsoft .NET and Silverlight applications.
BAML and XAML obfuscator - obfuscate 100% of your code
CodeFort is the first tool ever to be able to obfuscate identifiers inside the XAML and BAML code which is used in Silverlight and WPF applications. This makes it for the first time possible to obfuscate 100% of your code.
Powerful protection against attackers
Coupling the XAML/BAML obfuscation with powerful protection features such as Reference Scrambling and Anti-Tampering CodeFort is a state-of-the-art obfuscating tool.
I must COMPLETELY agree with Marcus. Even obstruficated .NET assembly is still easy to read for a good programmer.
My solution would be WCF service for the calculation. Just push all the data there and give an answer. If your formula is top secret and not obvious (like ax+by+c*z) then even is somebody would get access to service, then it would be hard for him to get it.
There are many companies that support obfuscating Silverlight 2.0 applications. DeepSea Obfuscator has a nicely integrated experience, Dotfuscator also work and soon, the free Eazfuscator will also support it.

Resources