Write For Us

Obfuscation And Code Protection In ASP.NET

If you create ASP.NET web application or custom web control that should be distributed to customers worldwide, you need to protect your code from pirates, unlicensed users and competitors. If you offer web service or solution hosted on your server only, you can even upload source code since you are the only person who has access to server. But, if your web application, custom control or component will be installed on different servers, code protection is the subject that should not be ignored.


ASP.NET web application works fine if you just copy files to web server but these files are visible in Notepad or any other text editor. As first step in protection, you may decide to convert website project to type of web application project in Visual Studio. If you compile web application project, compiler will create dll file located in /bin folder. This dll is sufficient to run complete site and now you can distribute web application without providing of source code .cs or .vb files. ASP.NET custom control or .Net class projects are compiled as dlls by default.

These dll files can't be read with text editor but be aware that compiled dll doesn't protect code although is compiled. Net source code is compiled to IL (Intermediate Language). These executable .Net exe or dll files can be easily decompiled back to C# or VB.NET source code. You can try it yourself, to decompile any .Net assembly download Red Gate's .Net Reflector and browse .Net assemblies through Reflector's user interface. Intermediate language can be returned to source code (although without comments), your application becomes open source and others can see how code works, edit code to break license protection or explore security holes, recompile and use without restriction. Intermediate language can be written directly in Notepad or any other text editor and compiled with ilasm.exe which is part of .Net framework. Ilasm.exe converts .il file to .exe or .dll. On opposite, there is ildasm.exe which returns back compiled .exe or .dll to .il code.

How to protect .Net code from reverse engineering

First step to protect your intellectual work is to use code obfuscation. Obfuscation can't stop but it complicates reverse engineering by creating confusion, renames symbols, breaks code in small modules (which often results in smaller file size and improved performance), encrypt string literals etc. Obfuscation doesn't prevent decompilation, but decompiled code is ambiguous and much harder to understand, although executable logic remains same. Obfuscation is not .Net invention, it is also used in applications written in other languages like Java, PHP or even JavaScript.

Free obfuscation solution with CliSecure Starter Edition

Dotfuscator community edition comes with Visual Studio and can be used to obfuscate ASP.NET applications or controls but result is not impressive (e.g. doesn't include string encryption). Dotfuscator professional edition is better but it costs a lot. Fortunately there is CliSecure Starter Edition that offers full obfuscation for free. CliSecure also encrypt strings in code which is very important if you have some sensitive data.

Notice that all levels of obfuscation only create chaos. Although CliSecure obfuscation is more complex, it is still possible to reverse code or string literals if one is competent and persistent enough. If you require stronger protection, consider CliSecure Professional Edition. It costs $1299, but this price is probably small compared to value of your business.

Going professional with .Net Reactor

.NET Reactor is complete code protection system. Except obfuscation and string encryption, .Net Reactor includes advanced methods to protect intellectual property like native code generation, NecroBit protection, encryption and protection of resource files etc. Creators claim that their system is not broken from 2004. That is certainly great, but on opposite, I must say that balance is needed because using of all possible advanced features could make your ASP.NET application less usable. For example, some protection methods impact system. This is acceptable if you build enterprise web application that will be installed on dedicated servers with Full Trust enabled. But, if target audience for your product is websites on shared hosting, then Medium Trust (very common on shared hosting) security option is not enough and too much protected application will simply return an error.

As additional value, .NET Reactor is also licensing system that enables creating of time limited trials, or trial versions with restricted number of use. After customer purchases your application, control or component, it is easy to convert trial to different kinds of commercial licenses.

Good surprise is .Net Reactor price. It costs only $179 for single developer license or $279 for company license. That is about 10 times less than other similar products. So, for the cost less than 10 working hours you can have best possible protection with very liberal and unrestricted license. License allows using .Net Reactor on unlimited number of computers or users, duplicate and distribute .NET Reactor within your company, as well as protect unlimited number of software you develop.


You can't protect code completely. You only can make it harder to understand. Even encrypted files must be decrypted in memory before executed (also encryption key must be provided with application which is one more security issue).

As you know, largest software companies like Microsoft, Oracle or Adobe can't fully protect their software from pirates. Or maybe better to say they don't want to protect it completely. Notice that too much protection could be annoying for your honest customers. Try to avoid using of system too much. If your users will use ASP.NET application on shared hosting it should work in Medium Trust. Writing in registry and requirements for FullTrust will reject significant percentage of potential customers. Things like USB dongle or aggressive software activation could hurt your product's reputation. On opposite, if you expect small number of clients and sell product of high price, then extreme protection could be reasonable choice.

Products like .NET Reactor or CliSecure provide strongest possible code protection for reasonable price and enable you to sleep well because you know your business is protected.

Happy coding!

Tutorial toolbar:  Tell A Friend  |  Add to favorites  |  Feedback  |   Google