Often Blazor Server is being preferred to Blazor WebAssembly for avoiding the exposition of the application dlls in all users’ browsers. The violation of the application dlls not only challenges the software copyrights but enables also an easy implementation of phishing attacks.
In this talk, I will describe techniques for preventing both reverse engineering and the usage in other web applications of the Blazor dlls exposed in the users’ browsers.
The main idea behind the proposed protection techniques is a cryptographic proof of identity of the server that distributes the Blazor WebAssembly application. While it is impossible to enforce security on the client-side when this proof of identity is combined with other tricks like "code obfuscation", "strings encryption", and "hashing" it can decrease the risk at an acceptable level.
All techniques described in the talk have been already used in actual commercial products.