Computerworld

Protecting .Net apps from would-be plagiarisers

There's vulnerability in code, some say
  • Eric Lai (Unknown Publication)
  • 10 August, 2008 22:00

Keeping software from being broken and distributed via BitTorrent isn't the only kind of piracy about which developers need to worry.

For developers using languages such as Sun Microsystems' Java and Microsoft's .Net, there is the vulnerability of their applications to copycat coders, according to Kenji Obata, CEO of Xenocode.

Programs in .Net contain rich metadata that makes them easy to decompile into human-readable source code using free, off-the-shelf tools, so that "the only thing missing are the comments", Obata says.

Obata's firm sells an app, Postbuild, that "obfuscates" .Net code to protect it from prying eyes, doing things such as renaming metadata into meaningless characters and watermarking the .Net code.

The latest version, Postbuild 2008, is compatible with the .Net 3 and 3.5 runtimes, Visual Studio 2008, and closely-associated Microsoft technologies such as Windows Presentation Foundation (WPF) and LINQ.

Postbuild is used by about 100,000 developers, Obata says. While protecting .Net source code was Postbuild's original key capability, a newer feature — the ability to create lightweight, virtualised .Net application packages — is also gaining fans, he says.

Apps in .Net only run when the corresponding version of the .Net framework is installed on a PC. Despite Microsoft's exhortations, not all enterprises are eager to upgrade to the latest .Net 3.5 framework. For one thing, it takes up almost 200 MB of storage and requires plenty of CPU power to run.

Most companies are still on .Net 2.0, released almost three years ago and about one-tenth the size, according to Obata, with many having PCs still running .Net 1.1, which was released more than five years ago.

Postbuild enables developers or IT managers to create .Net packages that contain both the app and the right version of the runtime, along with any code libraries or dependencies. This sidesteps the .Net runtime compatibility problem. The packages are also compressed by half on average, Obata says.

Postbuild is basically offering a form of application virtualisation. It differs from better-known products such as Microsoft Application Virtualisation (formerly SoftGrid) or Altiris SVS, according to Obata, by being able to work with multiple vendors, not requiring the installation of any device drivers, and not being linked to any server software.

It also differs from full hardware virtualisation such as VMware's ESX or Microsoft's Hyper-V, which virtualise the hardware and operating system layer, creating packages that are slower to run, bigger to store, and more costly (since more software such as the OS may need to be licensed).

Xenocode has also made this application virtualisation capability available for all types of applications, not just .Net ones, in a separate product called Virtual Application Studio.

Obata says demand is coming from companies discovering their enterprise apps breaking when upgrading from XP to Windows Vista, due to new features such as User Account Control (UAC).