Without robust code hardening, reverse engineering a Xamarin app is a fairly straightforward task. An attacker just has to unpack the APK or IPA file, find the DLL files within the assemblies folder, and then extract and decompile them. With the DLL in hand, a bad actor can locate the app’s logic plus any hardcoded secrets and auth tokens. Clearly the danger here is that the attacker can then tamper with your app and even create a clone of it.
DexProtector can encrypt all Xamarin assets, securing your source code against reverse engineering and modification. It secures your app against dynamic instrumentation attacks, too. RASP checks detect jailbroken devices, emulators, and hooking frameworks like Frida. If they are detected, DexProtector stops the app from starting.
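A build-time check a team can run on its own release artefact to confirm that the assemblies are not shipped in the clear, as an added example that is not part of the original article and not DexProtector's own code. It opens an APK (a ZIP archive), looks at every entry under `assemblies/`, and classifies it by its leading bytes: a PE/COFF image (`MZ`) is directly decompilable, the `XALZ` header is Xamarin's LZ4 compression wrapper (a size optimisation, not protection), `XABA` is the Xamarin assembly-store container (assemblies still extractable), and anything else is reported as opaque. "Opaque" only means the tool cannot recognise the format; it is the absence of the first three kinds that you want to see after hardening. The sample APK and its contents are constructed in memory.

```python
"""Check whether a Xamarin.Android APK ships its .NET assemblies unprotected.

Added example (not from the original article, not DexProtector code). The
sample APK below is constructed in memory so the script runs offline.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Magic bytes checked at the start of each assemblies/ entry.
PE_MAGIC = b"MZ"        # plain PE/COFF image: decompilable as-is
XALZ_MAGIC = b"XALZ"    # Xamarin LZ4-compressed assembly: trivially inflatable
XABA_MAGIC = b"XABA"    # Xamarin assembly-store blob: a container of assemblies
ASSEMBLY_SUFFIXES = (".dll", ".exe", ".blob")


@dataclass
class AssemblyReport:
    name: str
    kind: str   # "plain-pe", "lz4-xalz", "assembly-store" or "opaque"
    size: int


def classify(head: bytes) -> str:
    """Classify an assemblies/ entry from its first bytes."""
    if head[:2] == PE_MAGIC:
        return "plain-pe"
    if head[:4] == XALZ_MAGIC:
        return "lz4-xalz"
    if head[:4] == XABA_MAGIC:
        return "assembly-store"
    return "opaque"


def inspect_apk(apk) -> List[AssemblyReport]:
    """Return one report per assembly-like entry under assemblies/ in the APK."""
    reports = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assemblies/"):
                continue
            if not info.filename.lower().endswith(ASSEMBLY_SUFFIXES):
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reports.append(AssemblyReport(info.filename, classify(head), info.file_size))
    return reports


def exposed_assemblies(reports: List[AssemblyReport]) -> List[str]:
    """Entries whose format a decompiler toolchain can consume directly."""
    return [r.name for r in reports if r.kind != "opaque"]


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for a release APK (fake contents, for the demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Plain PE header: MZ stub, then PE signature a bit further in.
        zf.writestr("assemblies/MyApp.dll", b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        # LZ4-wrapped assembly as Xamarin emits it.
        zf.writestr("assemblies/Xamarin.Forms.Core.dll", b"XALZ" + b"\x00" * 4 + b"\x01" * 50)
        # Constructed high-entropy bytes standing in for an encrypted assembly.
        zf.writestr("assemblies/MyApp.Core.dll", bytes(range(256)))
        # Not an assembly; the scanner skips it.
        zf.writestr("assemblies/assemblies.manifest", b"text")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for r in inspect_apk(build_sample_apk()):
        print(f"{r.kind:15} {r.size:6d} {r.name}")
```

Point `inspect_apk` at a real release APK path instead of `build_sample_apk()` and fail the pipeline if `exposed_assemblies` returns anything; for IPA files the same idea applies to the `.app/` bundle, but the container layout differs and is not handled here.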
Xamarin proxies network connectivity calls to the OS through system APIs. It doesn’t offer any specific measures to control the internet connection out of the box, which means man-in-the-middle attacks are an active threat.
DexProtector performs its own SSL pinning and Certificate Transparency checks to stop man-in-the-middle attacks. It makes sure that any communications travelling from your app only arrive at the genuine, designated server that you’ve pre-authorized.
Supply chain attacks
Xamarin uses the NuGet package manager to manage dependencies. As with some other development frameworks, it’s quite easy to publish a package or library there, which can then be picked up by developers for use in a variety of applications. While in most cases this won’t result in any security issues, the risk is ever present.
DexProtector Studio comes with an innovative tool called AppCare. You can use it to scan your application for known vulnerabilities that already exist in libraries and dependencies. It’s a quick and easy way to make sure there’s no rogue code that might cause problems for you further down the line.
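To show what a known-vulnerability scan over NuGet dependencies amounts to, here is an added example that is not part of the original article and has nothing to do with AppCare's own implementation. It reads the `packages.lock.json` file that `dotnet restore` writes when `RestorePackagesWithLockFile` is enabled, walks every resolved package (direct and transitive, per target framework) and compares each resolved version against an advisory list that gives the first fixed version. The lock file contents, package names and advisory identifiers below are constructed placeholders; a real scan would load advisories from a vulnerability database. Version comparison treats a pre-release build as older than the release it precedes, so `13.0.1-beta` is still flagged when the fix shipped in `13.0.1`.

```python
"""Audit a NuGet packages.lock.json against an advisory list.

Added example (not from the original article, not AppCare code). Lock file,
package names and advisory ids are constructed placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed lock file in the shape `dotnet restore` produces (version 1).
SAMPLE_LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0-android": {
            "Example.Json": {
                "type": "Direct", "requested": "[12.0.1, )",
                "resolved": "12.0.1", "contentHash": "placeholder",
            },
            "Example.Http.Helper": {
                "type": "Transitive", "resolved": "2.3.0", "contentHash": "placeholder",
            },
        },
        "net6.0-ios": {
            "Example.Json": {
                "type": "Direct", "requested": "[12.0.1, )",
                "resolved": "12.0.1", "contentHash": "placeholder",
            },
        },
    },
})

# Constructed advisories: package -> (advisory id, first fixed version).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "Example.Json": ("EXAMPLE-ADV-0001", "13.0.1"),
    "Example.Http.Helper": ("EXAMPLE-ADV-0002", "2.3.0"),  # 2.3.0 is the fix itself
}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for NuGet/SemVer-style versions.

    Numeric components are padded to four places; a pre-release suffix
    ('-beta' etc.) sorts below the corresponding release. Build metadata
    after '+' is ignored, as SemVer requires.
    """
    without_build = version.split("+", 1)[0]
    core, sep, _prerelease = without_build.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), 0 if sep else 1


def audit(lock_text: str, advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one finding per (target framework, package) resolved below the fix."""
    findings = []
    data = json.loads(lock_text)
    for tfm, packages in data.get("dependencies", {}).items():
        for name, meta in packages.items():
            advisory = advisories.get(name)
            if advisory is None:
                continue
            advisory_id, fixed_in = advisory
            resolved = meta["resolved"]
            if version_key(resolved) < version_key(fixed_in):
                findings.append({
                    "tfm": tfm,
                    "package": name,
                    "type": meta.get("type", "?"),
                    "resolved": resolved,
                    "fixed_in": fixed_in,
                    "advisory": advisory_id,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK_FILE, ADVISORIES):
        print(f"{f['advisory']}: {f['package']} {f['resolved']} ({f['type']}, {f['tfm']}) "
              f"-> upgrade to {f['fixed_in']}")
```

Transitive packages are checked with the same rule as direct ones, which matters because that is where a rogue or stale library usually hides; nothing in the lock file is trusted beyond the `resolved` field, and a finding is reported per target framework so that a fix applied to one head project is not mistaken for a fix in all of them.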