Let’s begin with the following statement: “Secrets are not safe to store in your code even if you put them as part of your CI/CD pipeline”.
Disclaimer: this article was not made with bad intentions or to put any app at risk; it is purely for academic purposes and to show that it is not good practice to leave sensitive things as part of our code.
No matter how hard you try to hide something in your app’s code, at the end of the day when you publish it the result is a compressed archive (IPA or APK) with all the DLLs needed to run your Xamarin app. With a tool like ILSpy for browsing and decompiling .NET assemblies, it is easy to take those DLLs and look at your typical Constants.cs class.
Before starting the process for both platforms, install ILSpy as a VS Code extension; that way we can use it on Windows, Linux and macOS.
Decompiling your favorite Xamarin app from App Store.
Getting the IPA file is an easy process (and legal) if you have the app installed on your iPhone and you have a Mac.
First you need to install Apple Configurator 2, then follow this guide to extract the IPA file.
Now you just need to unzip the file using:
unzip TheNameOfTheFile.ipa
Locate the DLLs whose code you want to decompile or browse, open the Visual Studio Code Command Palette (View > Command Palette), type ilspy to show the commands, choose Decompile IL Assembly (pick file) and open the assembly you want.
Voilà, just click on any of the DLLs you picked to see the code.

With all the code exposed it is just a matter of time for you to find any “secret” string out there.
Decompiling your favorite Xamarin app from Google Play Store.
For Android, the process of getting the APK is as simple as:
- Go to the Play Store website.
- Locate your app.
- Copy the URL or the package name (it appears in the URL).
- Go to this webapp called APK Downloader and paste the URL or package name.
- Click “Generate Download Link”, then wait and you will get the APK file link.
Repeat the same step we did for the IPA (now pointing to the APK) to unzip the file using:
unzip TheNameOfTheFile.apk
For Xamarin Android apps, the DLLs will be located in a folder named assemblies.
Open the files whose code you want to see with ILSpy (the same way as we did before).
If the APK that you downloaded was built using a version of the Xamarin.Android SDK released after May (see PR), you won’t be able to see the DLL content, because ILSpy doesn’t support lz4, the new compression format that Xamarin is now using for Android.
Don’t worry, I was looking for a solution and I found this Python script to decompress lz4-compressed DLLs (credit to the people of X41 D-Sec GmbH), just run:
python Xamarin_XALZ_decompress.py YourApp/assemblies/YourApp.dll YourApp.Uncompressed.dll
Then you can open the uncompressed DLL with ILSpy.
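A developer can run the same inspection against their own release build before publishing. The following Python script is an added example, not code from this article or from X41 D-Sec: it opens an IPA or APK, pulls the UTF-16LE string literals out of each DLL and flags the ones that look like secrets. The rule patterns, the XALZ magic check and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# .NET keeps string literals as UTF-16LE, so look for runs of 8 or more
# printable ASCII characters each followed by a zero byte.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Heuristic rules (assumptions; tune them for your own code base).
RULES = {
    "keyword": re.compile(r"(secret|passw(or)?d|api[_-]?key|token)\s*[=:]", re.I),
    "long_token": re.compile(r"^[A-Za-z0-9+/_-]{32,}={0,2}$"),
}

def utf16_strings(blob):
    """Yield each candidate string literal found in the raw assembly bytes."""
    for match in UTF16_RUN.finditer(blob):
        yield match.group().decode("utf-16-le")

def audit_package(package):
    """Return (entry, rule, text) for every flagged literal in the package's DLLs."""
    findings = []
    with zipfile.ZipFile(package) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".dll"):
                continue
            blob = archive.read(name)
            if blob[:4] == b"XALZ":  # assumed magic of lz4-compressed assemblies
                findings.append((name, "compressed", "decompress first, then rescan"))
                continue
            for text in utf16_strings(blob):
                findings += [(name, rule, text)
                             for rule, pattern in RULES.items() if pattern.search(text)]
    return findings

def build_sample_package():
    """Constructed sample: in-memory archive with a fake plain DLL and a fake compressed one."""
    literals = ("Hello, world!", "ApiKey=0123456789abcdef", "Q" * 40)
    fake_dll = b"MZ\x90\x00" + b"\x01".join(s.encode("utf-16-le") for s in literals)
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("assemblies/YourApp.dll", fake_dll)
        archive.writestr("assemblies/Other.dll", b"XALZ" + bytes(8))
    buffer.seek(0)
    return buffer

if __name__ == "__main__":
    for finding in audit_package(build_sample_package()):
        print(finding)
```

Pass audit_package the path of your own .ipa or .apk in a release pipeline and fail the build when it returns findings.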
Conclusions.
- If you have the option to have your secrets in the server side, PLEASE DO IT.
- Use HTTPS. If you are not over SSL connections, anyone with a simple network sniffer could look at your app’s requests and see secrets without even having to do the reverse engineering.
- Treat public APIs as what they are: sooner or later someone will discover this “Secret URL” and will try to use it.
- Obfuscation will just slow the process down; there are several tools for deobfuscation, and I’m sure you are not ready to accept the costs of maintaining the obfuscated code.
- Start considering security as a feature of all your apps from the initial planning, before the development team writes a single line of code.
Happy hacking, sorry, happy coding!
Extremely interested in this article
however from what you are saying the only option is to have the secret keys Server Side.
However then how do you secure the URL to the server side if you need keys before authenticating?
Many thanks
Hi Mark, in the use case you are describing for this server, at least the Auth endpoints should be public (for getting an access token).
Thanks for reading.
Thanks for your reply.
But then if the endpoint is public, potentially anyone could get the keys.
This is a big problem really. The only way is to get the keys only when authenticated, I guess, which does not help my use case.