Decompressing and decompiling Xamarin assemblies
Auditing a Xamarin application begins by extracting the .NET assemblies from the package. In Xamarin Android applications, the DLL files are often compressed using assemblies compression. We decompress them using tools like xamarin-decompress or custom python scripts before analysis:
# Unzip the APK
unzip app-release.apk -d extracted_app
cd extracted_app/assemblies/
# Decompress Xamarin assembly DLLs
python3 decompress_xamarin_assemblies.py UserInterface.dll UserInterface.decompiled.dll Once decompiled, we load the assembly files into dnSpy or ILSpy. Because C# compiles to Intermediate Language (IL), decompilation yields near-original source code, exposing database connection credentials, encryption keys, and business logic flaws.
Dynamic analysis and Mono runtime hooking
During dynamic testing, we hook the Mono runtime. Since Xamarin wraps native iOS/Android code inside the Mono virtual machine, standard native hooking scripts for Android (Java.use) or iOS (ObjC.classes) won't intercept C# method execution. We use Frida scripts that target the Mono library directly:
const mono = Module.findExportByName("libmonosgen-2.0.so", "mono_runtime_invoke");
if (mono) {
Interceptor.attach(mono, {
onEnter: function (args) {
const method = args[0];
const methodName = getMonoMethodName(method);
console.log("[Mono Audit] Invoked C# Method: " + methodName);
}
});
} Common Xamarin vulnerability vectors
Our penetration tests regularly identify these high-severity findings in Xamarin setups:
1. Hardcoded Cryptographic Keys
The Flaw: C# developers place AES encryption keys, API secrets, or database passwords in static configuration classes. Because IL decompiles cleanly, these keys are instantly visible to reverse engineers.
The Fix: Never store keys in the source. Use Key Vault services or dynamically fetch session-bound keys from your backend after successful multi-factor authentication.
2. Insecure SQLite Storage
The Flaw: Using unencrypted SQLite databases (e.g., SQLite-net) to store user data locally. The databases are stored in plain text in the app sandbox.
The Fix: Implement SQLCipher to encrypt the local database at rest, utilizing keys secured in the Android Keystore or iOS Secure Enclave.
Hardcoded client secrets in bank app
During an audit of an enterprise Xamarin banking app, we decompiled the core utility assembly and discovered the merchant client credentials and the HMAC key used to sign transaction payloads. An attacker could extract these keys and sign arbitrary transaction requests. Fix priority: critical. Remediated by implementing dynamic transaction signing on the server and removing all static keys from the app bundle.
Running legacy Xamarin or .NET MAUI mobile applications? Schedule an audit.
Book a Xamarin PentestFrequently asked questions
Where is the application logic stored in a Xamarin app?
Unlike native Android (Dex bytecode) or iOS (compiled Mach-O binaries), Xamarin compiles application logic into standard .NET DLL files. These files are typically found in the Assemblies directory of the unzipped app container.
How do security auditors decompile Xamarin DLLs?
We extract the DLLs from the APK/IPA and load them into .NET decompilers like dnSpy, ILSpy, or JetBrains dotPeek. This reveals the C# code, including database connection details, API configurations, and custom logic.
Can certificate pinning be bypassed in Xamarin?
Yes. Xamarin applications using ModernHttpClient or HttpClientHandler can have their certificate pinning bypassed using Frida scripts that hook the Mono runtime or the underlying native networking libraries.
Related reading
Blog: React Native pentesting guide · Reverse engineering Android apps · Hardcoded keys in mobile apps
Services: Mobile penetration testing · Secure architecture review