Decompiling C# assembly files
Xamarin applications compile C# code into Intermediate Language (IL) assemblies, which are packed inside the mobile package as files like Assembly-CSharp.dll.
Unlike native binaries, .NET metadata is fully preserved. During an audit, we unzip the APK or IPA, find these DLLs, and load them into decompilers like ILSpy, dnSpy, or dotPeek.
This disassembles the files back into readable C# source code. We check this code for:
- Hardcoded connection strings, API gateway keys, and encryption secrets.
- Logic flaws in input forms or local database queries.
- Debug variables that can be modified to bypass local controls.
API key recovered from Xamarin DLL file
During an audit of a corporate logistics portal built on Xamarin, we decompiled the C# assemblies. We recovered a database connection string containing a raw password. This database was shared with the production tracking systems, allowing us to read shipping logs and customer addresses.
Hijacking C# logic at runtime
With tools like dnSpy, we can edit C# code directly inside the DLL assembly, recompile it, and package it back into the application.
If your application uses client-side checks to verify if a user has paid, we can edit the verification method to always return true. We then sign the patched APK with our own development key and run it. To protect against this, developers must configure server-side validations.
Xamarin Security Checklist
If your application uses C# or .NET MAUI, apply these controls:
- Use dotfuscator or ConfuserEx: These tools scramble the .NET assembly structure, making it harder for decompilers to parse class names.
- Backend validation: The server must handle all state checks and balance changes. The mobile app should only display what the server confirms.
- Secure storage configurations: Save session identifiers and security tokens inside KeyStore/Keychain configurations, not in local text files.
Let Simpa Labs audit your C# app
Legacy systems and enterprise applications built on Xamarin have a large attack surface. We will decompile your assemblies, test your APIs, and check your security configurations.