
c# – Xamarin.Android – does native code compilation make reverse engineering harder?

Posted by: admin June 15, 2020

Questions:

We are considering porting our C# .NET application to Android, and I have started reading about Xamarin.Android and the Mono framework. I am just beginning with Android development.

I notice on the main http://xamarin.com/android page that it states:

Native Code
High-performance compiled code with full access to all the native APIs.

Does this imply that the generated code will be native code that is more difficult to reverse engineer? We would like to create amongst other things a class library that contains our key algorithms, and if we can compile it to native code to hinder reverse engineering, that would make us less fearful of porting.

I have read several other posts about Android code not being much harder to decompile than obfuscated .net assemblies (after using ProGuard). Is native code compilation a recent feature that came after those posts? Thanks for any advice!

Answers:

Currently, Xamarin under Android does not compile to native processor code. It creates .NET p-code, which runs in a Mono virtual machine, which each Xamarin-compiled app installs with the rest of the application files. As far as I know, the only reasonable way to create native code for Android is to use the Android NDK (http://developer.android.com/tools/sdk/ndk/index.html) and write code in C or C++.

I did some informal benchmarks, comparing Java and analogous code in C# compiled with Xamarin and Dot42, and native code, for a real-life app (text processing). Basically C# from Xamarin was about 10-20% faster than Java or Dot42 on that particular app, while native code was about 5-6 times faster. Read more at:

Does anyone have benchmarks (code & results) comparing performance of Android apps written in Xamarin C# and Java?

Also, to protect my Android Java code from hacking, I use the DexGuard obfuscator (http://www.saikoa.com/dexguard). However, I really don’t know how much harder it is for good hackers to decompile and tamper with such obfuscated code. DexGuard will not protect .NET Xamarin code of course, only Java code or other code compiled for the JVM. It won’t even protect Dot42 code, which compiles directly to Dalvik VM p-code (the virtual machine all normal Android apps run in; Java code is also “dexed” and converted to Dalvik code before it can run on Android).

Greg

Answer:

Because Xamarin.Android is JIT’ed, it can be decompiled directly back to C#. Just unzip the APK and use ILSpy with assemblies/*.dll. This cannot be done on Xamarin.iOS, as it is AOT compiled because of runtime restrictions imposed by Apple.

Rdio.Android
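
To check what a build actually ships, the sketch below (an added example, not part of the original answers) lists the assemblies/*.dll entries of an APK and reports which ones carry a CLR header, meaning they are managed IL that a decompiler such as ILSpy can open. The in-memory APK, its entry names and the header-only PE stubs are constructed for the demo.

```python
import io
import struct
import zipfile

def is_managed_pe(data: bytes) -> bool:
    """True if data is a PE image with a populated CLR header, i.e. .NET IL."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24  # skip 4-byte signature and 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)  # dir 14 = CLR
        return count > 14 and rva != 0 and size != 0
    except (struct.error, KeyError):
        return False

def audit_apk(apk) -> dict:
    """Classify every assemblies/*.dll entry of an APK (path or file object)."""
    report = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("assemblies/") and name.lower().endswith(".dll"):
                managed = is_managed_pe(z.read(name))
                report[name] = "managed-il" if managed else "other"
    return report

def constructed_pe(with_clr: bool) -> bytes:
    """Constructed header-only PE32 stub for the demo, not a loadable assembly."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    # PE32 magic, NumberOfRvaAndSizes = 16 at offset 92, then 16 empty directories
    opt = bytearray(struct.pack("<H90xI", 0x10B, 16) + bytes(16 * 8))
    if with_clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

def build_sample_apk() -> io.BytesIO:  # constructed APK, hypothetical entry names
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("assemblies/KeyAlgorithms.dll", constructed_pe(True))
        z.writestr("assemblies/Opaque.dll", constructed_pe(False))
    return buf

if __name__ == "__main__":
    print(audit_apk(build_sample_apk()))
```

Passing the path of a real build to audit_apk gives the same report; any entry marked managed-il should be treated as readable source by whoever holds the APK.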