
I am developing an app (in Windows Phone 7) that manages basic data: customer data (or contacts) and orders.

I want to protect the credentials used to access the database. I want to do the following:

xxx.dll

I have put the credentials in the DLL (obfuscated).

zzz.dll

In another DLL (obfuscated too) I do this:

When you install the application, I read the credentials in xxx.dll and store them in an encrypted file (using DPAPI).

In this DLL (zzz.dll) I have a function to return the decrypted credentials (using DPAPI). This function is called in the app.

aco

1 Answer

Every free app in the marketplace can be downloaded (e.g. http://mktwp7.codeplex.com/) and reverse engineered (e.g. http://www.ilspy.net/). If you want to store your credentials somewhere in the code, it cannot be secure (if someone invests enough time). You will always have only security through obscurity (see http://en.wikipedia.org/wiki/Security_through_obscurity). I recommend using a proxy (web) service without credentials in your app. This service stores the credentials and connects to your database. This way the credentials are secure.

Rico Suter
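A sketch of the proxy service recommended in the answer above, added here as an illustration and not code from the question or the answer. It assumes a per-user session token issued at login and uses an in-memory SQLite database as a stand-in for the real one; `SESSIONS`, `ACTIONS` and `handle_request` are hypothetical names.

```python
import sqlite3

# Assumption: in a real service the connection string and password are read from
# server-side configuration here. They are never shipped inside the phone app.
DB = sqlite3.connect(":memory:")  # stand-in for the real database connection
DB.executescript("""
    CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, item TEXT);
    INSERT INTO orders (customer_id, item)
    VALUES (1, 'keyboard'), (1, 'mouse'), (2, 'monitor');
""")

# Constructed sample data: session token (issued at user login) -> customer id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

def list_orders(customer_id, _params):
    # Parameterized query; the customer id comes from the session, not the client.
    rows = DB.execute(
        "SELECT item FROM orders WHERE customer_id = ? ORDER BY id", (customer_id,))
    return [row[0] for row in rows]

def add_order(customer_id, params):
    item = str(params.get("item", ""))[:100]
    if not item:
        raise ValueError("item required")
    DB.execute("INSERT INTO orders (customer_id, item) VALUES (?, ?)",
               (customer_id, item))
    return "created"

# The service exposes a fixed set of operations, never raw SQL.
ACTIONS = {"list_orders": list_orders, "add_order": add_order}

def handle_request(token, action, params=None):
    """Return (status, body) for one request from the app."""
    customer_id = SESSIONS.get(token)
    if customer_id is None:
        return 401, "unknown session"
    handler = ACTIONS.get(action)
    if handler is None:
        return 404, "unsupported action"
    try:
        return 200, handler(customer_id, params or {})
    except ValueError as exc:
        return 400, str(exc)
```

The app only ever holds a session token that can be revoked server-side; a `customer_id` supplied in the request parameters is ignored, so one user cannot read another user's orders.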