2

I have developed a .NET 3.5 Windows Forms application. I also want to design a website that has a web service with multiple WebMethods to query the database on the host machine. I want the web service to be called ONLY through my winapp and my website! And I don't want any other people to be able to call and use my web service, only some people who have access to the Windows application that I have developed.

I need a good security scenario for this! I truly appreciate anyone who can help me because this is my first experience of developing a webservice and I really need it to be as secure as I mentioned!

rmtheis
gwt
  • Do you have an existing method of authentication between the windows form app and the database now? – Eric H Aug 15 '12 at 21:19
  • @EricH Of course I authenticate anybody who wants to use the winapp, and the user's username and password are in the database on the host machine. – gwt Aug 15 '12 at 21:22

1 Answer

3

What you're talking about is going to be difficult to do for several reasons, but primarily this:

If you put anything in code on your WinForms app, it can be decompiled very easily. You can obfuscate the code all you like, but it can be de-compiled.

Because of that, any code that you have in your app can be read by anyone with access to the code. You should always treat any WinForms app as if it's completely compromised, and ensure that the security at the server end compensates.

Because of this, you can't simply store usernames and passwords in configuration files or in code. You have to come up with something else. You CAN use authentication and prompt the user to enter a username/password on program launch, and use that. However, people tend to share these things, so you may want to go for extra protection.

You can put the connection info or secrets into the app.config and encrypt it, but anyone who can de-compile the code can recompile it and add code to decrypt it at will.

You can provide signed keys with your app, and use that in an authentication mechanism, but that can be bypassed.

You can restrict your IP address to specific IP addresses, but those can be spoofed.

However...

By layering all of the above techniques, you can make it difficult for an attacker to bypass your precautions. We did the following in one of our apps where we had a similar requirement:

  • We set up a database that holds a GUID record for each authorized customer, and IP addresses allowed for that customer.
  • Every web method expects a CustomerKey parameter (the GUID mentioned above). Each call to a web service checks the key against the IP address.
    • If it matches, valid data is returned.
    • If it fails, valid-looking data is returned. We actually return what looks like good data, but it's really not. This makes it harder for an attacker to know if they've actually broken through the defenses.
  • In the WinForms app, the key is stored in the app.config, which is encrypted in the main() event (the entry point for WinForms apps). This is to prevent the casual reader from accessing it.
  • The program is launched automatically on install, so that the encryption happens at startup, to minimize the chance someone can read the file before it's encrypted.
  • Also, the code is obfuscated.

Layering the defenses, hopefully, will discourage the average attacker.

Microsoft has some guidelines as well: http://msdn.microsoft.com/en-us/library/ff648643.aspx

David
  • Thank you so much for your good explanation, sir! It made many things clear for me! Could you give more explanation about how to store and encrypt the key in app.config? And if the local machine which the winapp is running on is so secure that no one can access and decompile my code, then would it be wrong if I save the GUID in my code? – gwt Aug 15 '12 at 21:39
  • Oh, and about the valid-looking data! How can I myself understand if the returning data is real or valid-looking?! – gwt Aug 15 '12 at 21:40
  • Right now I thought about it. Can I send an email to the admin (who is myself in this case :D) explaining that a valid-looking message was sent to a trudy client, containing his IP?! Is this a good way? – gwt Aug 15 '12 at 21:51
  • http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx – David Aug 15 '12 at 22:38
  • I send back data that is bogus but looks real if an unauthorized access occurs. So the attacker THINKS he's got real data, but in reality, it's all just made up. For example, if the service is returning employee information, street addresses, etc., I would send back made-up names and addresses that look real. – David Aug 15 '12 at 22:39
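
The server-side check described in the answer (a customer GUID checked against that customer's allowed IP addresses, with decoy data returned on failure), as an added example that is not the answerer's code: the class and method names are hypothetical, an in-memory dictionary stands in for the database, and the syntax targets a current C# compiler rather than .NET 3.5. The server-side list of rejected calls is an assumption added here so the operator can tell which responses were decoys.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added illustration: every name below is hypothetical, not from the answer's app.
public sealed class CustomerKeyGate
{
    // Stands in for the database table: one GUID per customer plus its allowed IPs.
    private readonly Dictionary<Guid, HashSet<IPAddress>> _allowed =
        new Dictionary<Guid, HashSet<IPAddress>>();
    // Server-side record of rejected calls; it is never sent to the caller.
    public List<string> RejectedCalls { get; } = new List<string>();
    public void Register(Guid key, params string[] ips)
    {
        var set = new HashSet<IPAddress>();
        foreach (var ip in ips) set.Add(IPAddress.Parse(ip));
        _allowed[key] = set;
    }
    // remoteIp must be the peer address the server saw, never a client-supplied value.
    public bool IsAuthorized(string customerKey, IPAddress remoteIp)
    {
        return Guid.TryParse(customerKey, out Guid key)
            && _allowed.TryGetValue(key, out var ips)
            && ips.Contains(remoteIp);
    }

    // Shape of a web method: both paths return the same type and row layout.
    public IList<string> GetEmployees(string customerKey, IPAddress remoteIp)
    {
        if (IsAuthorized(customerKey, remoteIp))
            return new List<string> { "real row 1", "real row 2" }; // real query goes here
        // Log the address only; the caller-supplied key is untrusted text.
        RejectedCalls.Add($"{DateTime.UtcNow:o} rejected ip={remoteIp}");
        return new List<string> { "Jane Example", "John Sample" }; // constructed decoy rows
    }
}

public static class Demo
{
    public static void Main()
    {
        var gate = new CustomerKeyGate();
        var key = Guid.NewGuid();            // constructed key
        gate.Register(key, "203.0.113.10");  // documentation-range address
        var ok = gate.GetEmployees(key.ToString(), IPAddress.Parse("203.0.113.10"));
        var bad = gate.GetEmployees(key.ToString(), IPAddress.Parse("198.51.100.7"));
        Console.WriteLine($"{ok[0]} | {bad[0]} | rejected={gate.RejectedCalls.Count}");
    }
}
```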