-3

I have a small C# desktop application. It connects to a Postgres DB server. I will distribute this application to some users.

Now my question: can someone get my connection string (username, password) with local port listener software or any other software?

If the answer is yes, how can I prevent this?

Thank you.

Evren
  • 1
  • use SSL?................... – Mitch Wheat Sep 14 '13 at 01:05
  • Anything written in .NET should **never** contain sensitive data. Anyone can decompile it. What you need to do is encrypt the username and password with something _very_ strong. You will also need to obfuscate your executable to oblivion. Try decompiling .NET Reflector. What can you make out regarding method names? Nothing. – Cole Tobin Sep 14 '13 at 01:09
  • @Cole, your solution is nothing but a Russian doll. At best it is security through obscurity. – Kirk Woll Sep 14 '13 at 01:42
  • @Kirk better than nothing though. – Cole Tobin Sep 14 '13 at 01:58
  • @ColeJohnson makes a good point, though it's outside the bounds of the OP. The answer is possibly. But packet and network sniffing are outside the domain of SO. And to follow up on Cole's point, web services allow you to use a db without disclosing connection information. – Dave Alperovich Sep 14 '13 at 06:56
  • 2
    This question appears to be off-topic because it is about packet sniffing / network peeking rather than coding – Dave Alperovich Sep 14 '13 at 06:56

1 Answer

3

Yes. Your application could be decompiled and your app.config could have the password.

You could use an SSL connection and encrypted app.config.

Ideally, you could have a master service that would own talking to the database and your child applications would be clients.

Daniel A. White
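
The answer's second suggestion (SSL plus an encrypted app.config), sketched as an added example that is not the answerer's code. It assumes a Windows desktop app using System.Configuration, the Npgsql 6+ package, and a connection string entry named "Main" (a hypothetical name).

```csharp
using System;
using System.Configuration;
using Npgsql;

static class Db
{
    // "Main" is a hypothetical connection string name in app.config.
    const string Name = "Main";

    // Encrypt <connectionStrings> in place with DPAPI. With the default provider
    // settings the ciphertext is bound to this machine, so this has to run on the
    // user's machine (for example at first launch), not at build time.
    public static void ProtectConfig()
    {
        Configuration cfg =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = cfg.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected) return;

        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        section.SectionInformation.ForceSave = true;
        cfg.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Open a connection that never falls back to plaintext and that validates
    // the server certificate chain and host name.
    public static NpgsqlConnection Open()
    {
        // ConfigurationManager decrypts a protected section transparently.
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[Name];
        if (entry == null)
            throw new InvalidOperationException("Missing connection string: " + Name);

        var builder = new NpgsqlConnectionStringBuilder(entry.ConnectionString)
        {
            SslMode = SslMode.VerifyFull
        };
        var conn = new NpgsqlConnection(builder.ConnectionString);
        conn.Open();
        return conn;
    }
}
```

The account running the application can still decrypt the section, so this protects the file at rest and the credentials in transit, not the credentials from the user. The service in front of the database that the answer calls ideal keeps them off the client entirely.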