There are a few programs on the market that you can use to obfuscate your .net code, my question is, how easy is it for someone to get at your IP if your code is "so called" obfuscated.
Is obfuscating .net code merely rubber chicken security? Or is it good enough to really protect your intellectual property rights?
Obfuscation is like a door lock... it keeps the honest people honest.
This completely depends on the Obfuscator.
Obfuscation, in general, does a very good job of making it much more difficult to reverse engineer - but it doesn't prevent it by any means. The CLR will always need to decipher the obfuscated IL, so a dedicated person can always do the same.
However, most software licensing and protection really does two things:
Obfuscation (combined with a proper licensing scheme) prevents both of the above very effectively. It changes a simple procedure to a much more complicated task.
Different Obfuscators offer different levels of protection.
Some free code obfuscation is pretty easy to crack if you have somebody really determined to figure out what your code is doing.
Enterprise level obfuscation, on the other hand, can become nearly impossible to decipher with all the different obfuscation methods they use.
...in the end, though, somebody who really really wants your code is going to be able to figure it out given the time and determination.
Obfuscation should never be confused for security.
.NET Reflector makes it pretty straightforward to reverse engineer most .NET code. You may not get pretty variable and method/method parameter names, but anyone interested in reverse engineering your intellectual property will have enough information to do so.
If you need stringent protection of your intellectual property, consider taking critical parts of your code and only exposing them as web services. Alternatively, consider tools like HASP that add a level of encryption and anti-debugging/reverse engineering protection to your product.
If neither of these is possible ... consider hiring some good lawyers.
Nothing is good enough to protect intellectual rights.. If someone really wants to reverse engineer your app, they can do it.
Your best bet is to put some copyright statements in your code. Obfuscating will help a bit though, as you'd have to put some effort into reverse engineering, meaning that most people wont take the time to do it.
Another step could be to JIT compile it.
If you're creating a public API, make sure you have some great xml-comments on the public methods, or even better, don't obfuscate the parameters there :)
It's easy enough for anyone determined to get your ip.
As far as "security" goes, security through obscurity is only slightly more secure than no security (which is actually more secure than bad security).
My rule has always been: Keep the Honest People Honest. Make sure you have your IP legally protected with patent applications, and have a lawyer draft up a competent Terms of Use/EULA. Use a decent obfuscator to prevent casual poking around, but realize it's not a one-shot-fix-all solution.
Unfortunately, if someone is determined to reverse engineer your code, they can do it, and they will do it.
