I don't quite understand how Silverlight code works within the browser. Are the assemblies downloaded to the client machine? Is there any chance of the code getting decompiled using Reflector or some similar tool? If so, what options does one have to protect the code? Do .net obfuscators work with Silverlight?
Whenever you are in a web browser, all client side code is downloaded to the machine and can be examined by the user. This goes for Javascript, Flash, and Silverlight.
If you have proprietary code that absolutely must be hidden then you need to put it on the server and expose an API that the clients can call to show information to the user.
To view a Silverlight application the client download a .xap file that contains the dll and one configuration xml and optional resources. The dll contains compiled c# code that runs in a Silverlight runtime in client machine. Silverlight runtime is basically a subset of complete .net runtime. So the point is user gets the code in dll and then can use tools to get original source code. So at most you can do is obfuscation. Still for very critical code that should not be the option. You can use some other way (WCF or other webservices to hide some part of your code may be) if it shouts your need.
If you want to see just how easy it is to look at the code in a silverlight app just run SilverlightSpylink text by FirstFloor. As long as your have .NET Reflector installed you will be able to see (as you interact with the app) all the source code including the xaml files.
Since the code does get downloaded to the client (and even trying to prevent it with pragma no-cache won't work since they can hit the URL) you will need to protect your code by keeping important logic on the server.
If your afraid some one will steal your intellectual property and that law is not enough, Then you will need to obfuscate your code. But I would not call that protection per say but a deterrent to the casual reverse engineer.
Putting a pragma -No Cache- will prevent the .xap from being stored on the machine, instead it will be streamed by the Silverlight plugin. Without the pragma the .xap file is stored in the temp internet files.
Putting the application on a page on https will further protect the transmition of the .xap
If possible require authentication to view the web page / .xap file (thanks Joel)
Emrah,
Yes obfuscation is possible for SL application.
Yes, Silverlight xap files are nothing but zip files with your assemblies in them, so they do need protection via obfuscation. Give Crypto Obfuscator a try - it directly obfuscates xap files, it can also obfuscate XAML files in your assemblies by renaming class references, stripping comments, whitespace, newlines, etc
Related
(Sorry in advance, if I have the wrong tags)
Hello!
So I am trying to work on a personal WPF project which would allow the client application exe to download another application exe (Unity Application) and open it within the client exe's Grid. Everything is working fine.
But, I am wondering if there's a way to "lock" the downloaded application in a way that only my client exe can open the downloaded exe?
Here's the only solution I have thought of but not sure with
Check for command line arguments within the Unity Applications
This works well but people who knows about the existence of decompiler might be able to decode that I am trying to check the arguments, and input relevant data there. :(. So, it won't help too much?
Thanks for any insights.
-Kevin
There is no non-hackable solution, you can only make it harder for crackers to break into the app by code obfuscation (hard to read the code) + adding integrity checks (make sure that your app is not modified).. There are commecial apps out there to do this (ex. PreEmptive), and their solutions differ from each other, nothing is ultimate.
Anyway, You might make Unity Application read some file or some registry value that Client application has updated just before launching the Unity Application, along with command line args method that you mentioned..
I’m working with an application for both Windows desktop and Windows store, potentially I will add Windows Phone in the future. I’m having most of my logic in a library and create different GUI for the different platforms.
I want to localize my application and want to share string resources between the platforms. But how do I do that?
For Windows desktop the most common approach seems to be using resx files. Here is a short example:
http://compositeextensions.codeplex.com/discussions/52910
For Windows store app resw files are used instead, here is an example of that:
http://msdn.microsoft.com/en-us/library/windows/apps/hh965326.aspx
Both these solutions are platform specific which I don’t like :-(. I really want to have all my string in one file/language and being able to use that in all platforms. Is there any solution for this?
Update 17 Feb 2014: As I understand it resx and resw files are in the same format. What is missing in Windows store app is that no class file is generated for the resw file. If I just could get a file like that my problems would be solved. Then I could put an instance of that class in my view model and access all text via properties.
The class file generated in WPF application almost works. The problem is this line that looks something like this:
global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("ResxTest.Properties.StringTest", typeof(StringTest).Assembly);
To get this to compile I need to change it to this:
global::System.Resources.ResourceManager temp = new System.Resources.ResourceManager("ResxTest.Properties.StringTest", typeof(StringTest).GetTypeInfo().Assembly);
But the resource ResxTest.Properties.StringTest can’t be loaded in my Windows Store application. For some reason I need to rename my resource to Resource.resw and load it with the name “Resource”. I have tried all kind of names but this is the only one that works. Using name MyApplication.MyResource never works.
I’m not sure if I’m on the right track. I’m almost so desperate that I will make my own solution were I convert an XML-file with all strings I needed to a huge class with properties that I could use to get all string without any resource files. But I think that is ugly and cheating so I hope someone could give me a better idea :-).
Update 24 Feb 2014: I was wrong! Things are working quite nicely with Portable class library. If I use that I could put an instance of auto generated C# class in my view model and access all strings from that object.
But if I use an ordinary library things doesn’t work as properly in Windows Store app (WPF is fine). I have tried to copy all files to a Windows store class library from a working Portable class library. When I try to create an instance of the auto generated file I always get:
An exception of type 'System.Resources.MissingManifestResourceException' occurred in mscorlib.dll but was not handled in user code
Additional information: Unable to load resources for resource file "MetroLib.StringResources" in package…
Quite annoying since I’m using the express editions of Visual Studio where portable class library isn’t available. So probably I will develop my own solution to generate classes from a resource file (which also gives me some other benefits). But I’m still curious what I’m doing wrong.
I finally solved the problem. I simply developed a simple tool (ResToCode) to convert resource files to pure C# classes. Quite similar to what Visual Studios resgen.exe is doing, but with some extra features. It works really well so I’m quite happy about it :-).
The tool is available for anyone at CodeProject:
http://www.codeproject.com/Articles/744528/ResToCode-Localization-tool-for-Windows-Desktop-St
You can put all your resources in a Portable class library and use these libraries on all platform. You might have to check what version of .NET framework you are using. Portable libraries are not available on all the versions of all the platforms.
http://msdn.microsoft.com/en-us/library/vstudio/hh871422(v=vs.110).aspx
http://msdn.microsoft.com/en-us/library/vstudio/gg597391(v=vs.110).aspx#members
Have you looked at the Multilingual App Toolkit? It keeps the translations in an industry standard XLIFF format and can generate resources files for Windows and Windows Phone.
I had the same issue with the MissingManifestResourceException for Portable Class Libraries too. Today I created a new Portable Class Library with another name (without the string 'Resources' in it): and it works like a charm. No idea why this hasn't worked before (perhaps the name of the resource).
Probably there are a lot of similar questions around, but since I know only few solutions to this which I am not sure will work for us, I am looking for something else, maybe new technologies...
What we have is this USB device which is not so fancy (of course, it requires a driver to be loaded), and it has couple of C++ dlls to help getting certain output from it. On top, we made a C# desktop application which makes use of the device in a more attractive way (plenty of interop inside).
So far so good, but to have the application lifted up to the web in order to gain more flexibility... What options are there?
Known solutions are:
1) ActiveX - kinda old technology and not cross-browser;
2) .Net 'applet' - not so common (is this even a solution?)
3) Java applet - well known, but JVM needed (since we went for C++ C#
maybe is out of scope);
4) Web service on the usb device itself - our device is very
light, we cannot have it there.
Are there other ways? Is Silverlight 4, 5 (maybe "out of browser") a feasable solution? What about these new technologies nowadays? Html 5 or something?
EDIT1: In particular I am interested in Silverlight. Is there a way using Silverlight?
EDIT2: I found this question: Can Silverlight access a .Net library that accesses a USB port? . What shall I understand from that? Is really Silverlight not a feasable solution for my scenario?
EDIT 3: VERY IMPORTANT!
These devices need to be used on customer side! People browsing must use them locally on their PCs!
Thanks in advance.
to have the application lifted up to the web [...]
Simple solution: Let the webserver (http server) run on the PC connected to the USB device, and use one of the webserver's interfaces like CGI to talk to your USB device. This way you need to code only a USB-to-CGI wrapper program, which can be C++ or C#.
Another way is to write a browser plugin.
The issue that you're going to face is that content in a browser is often run in a sandbox, in such a way that the web app does not have access to the computer. There are good reasons for this - security, primarily. One way to have some code running in the context of the computer is to have a browser plugin that can access the computer's hardware resources, but that can interact with browser content. Unfortunately, you may end up writing a different plugin for different browsers.
There do exist frameworks out there that make writing browser plugins more manageable. A simple search should turn up some of those candidates.
You can use Silverlight 5, it can give you access to your file system and USB storage device. If you want to get control for other USB device (printer, scanner, etc), you should give a device type. I know, Silverlight 5 works fine with a file system and web-cams...)
We use the .NET resource manager to localize our Silverlight application and want to embed the satellite assemblies for the german language ("de") into the XAP file. Therefor, we set the neutral language to "en" and added "de" to the list of supported languages in the csproj file. This works fine, when we build the project locally. If we build the Silverlight solution with MSBuild (TFS), Silverlight will try to fetch the satellite assemblies with HTTP requests from /ClientBin/de/*.dll instead of taking those files embeded into the XAP (which do exist). Because the webserver returns 404 error codes for the non existent files, Silverlight crashes with an initialization error.
It turned out that if we remove a custom TFS build activity manipulating the assembly info code files, the Silverlight applications works as expected. Strangely, after re-enabling the activity the compiled XAP application still works (verified for two different build definitions working on seperate branches). The custom activity manipulates the assembly attributes AssemblyConfiguration, AssemblyCompany, AssemblyProduct, AssemblyCopyright, AssemblyTrademark, AssemblyVersion, and AssemblyFileVersion.
Some additional hints:
The custom activity will change the assembly info files before any compilation is done
Compiling the manipulated sources with Visual Studio will build a working XAP
The content of the XAP files (working and not working) is equal (nearly same sizes, no difference in manifest file)
The resource manager is instantiated using ResourceManager("Resource", Assembly.GetExecutingAssembly())
My questions are:
Why does Silverlight try to fetch those satellite assemblies from /ClientBin/de/ instead of just using those in the XAP file?
What kind of attribute in the assembly info file could cause such a behavior?
Why does re-enabling the versioning activity not break the XAP again?
And here's the solution: We use a tool named "Total Commander" for editing a file in the generated XAP to adjust the URL the (generic) client connects to. Since we added the localization dlls, editing the XAP with the Total Commander will lead to the behavior described above. If we manipulate the XAP with WinRAR or the internal Windows archive manager, all works as expected.
Edit: After comparing the XAP files we found, that Total Commander uses the backslash (\) to seperate directories, whereas WinRAR and the Silverlight Tools use slashes (/). It seems that we discovered a hidden Silverlight feature here ;-)
I have bunch of common thrid party dlls that I use in multiple silver light projects. Each produce its own XAP files with same copy of the thrid party dlls. I would like to know, is it possibl to seperate the common thrid party dlls out and load only if the local cache dll is different from the common dll used by some other XAP that was previously loaded?
In other words, what I was thinking is, first time when I enter a new silverlight page, it would load the application XAp and the Common XAP file, from that silverlight app, I go to another silverlight page, which in turn loads another XAP but this time, it will not load the common dll XAP since it was already loaded by the first XAP load.
Thanks,
If the third-party DLL's are well done, they'll come with an .extmap.xml file that allows for precisely this scenario. But you need to turn it on by checking the "Reduce XAP size by using application library caching" option in your Silverlight project(s). See http://msdn.microsoft.com/en-us/library/dd833069(VS.95).aspx for more details about how this works.
I think a more optimal solution would be to try to minify your XAP/Zip files using something like ComponentOne XAPOptimizer. The problem with your approach is that you are introducing dependencies between projects that in no way could be managed if one or more projects change. This is a good resource for strategies to lower XAP file size.
I believe that you have a main XAP which makes the calls to load the others XAPs, right?
All you have to do is, in the properties of each DLL, change the atribute "Copy to Local" to FALSE, except on your main XAP.
When the user download the main XAP, the DLL will be available to all dependents XAP.