
I'm about to release a small tool which uses a database connection for storing data. The question is: How can I prevent people reverse engineering my code and getting the Username and Password to gain access to the database?

For earlier projects (which were used only by myself), I defined the connection-string just as a global variable inside my app. But that's highly unsafe as it only takes minutes to get this string out of the exe.

Also a lot of methods to obfuscate code can be reversed.

I am really a big fan of providing code but I don't know what to post. This is more a question about the theory. Coding is the part I'll take care of myself.

Here is a small idea from me which I don't really like that much:
I could place a second tool on the server. The real app would connect to this second tool, give over the data and the second data would finally connect to my database itself. This way the connection-string would be stored inside the second app where nobody can grab it.

Hayden
C4d
  • Most people will store user settings in a settings file. Sometimes, user-specific. Sometimes, machine-specific. If these settings contain sensitive data, the values are encrypted. – snow_FFFFFF Jan 03 '15 at 14:47
  • Yeah, I've read that before. But to use the encrypted strings, I would need to decrypt them. This method "how to decrypt" would also be stored inside my app. Again a possible way to get through it, don't you think? I hope to spread this tool to at least 100-200 people. So the risk is there. – C4d Jan 03 '15 at 14:49
  • Your idea can be implemented as a web service. You don't want to allow external connections to your database. – CodeCaster Jan 03 '15 at 14:53
  • What about listening to the data sent over the network? You will be able to see the password then too. CodeCaster is right: use a web service. – Patrick Hofman Jan 03 '15 at 14:53
  • @PatrickHofman: SSL is the point. That's also a part I already thought about. – C4d Jan 03 '15 at 14:55
  • @CodeCaster: Thanks for this. Already picked out some tutorials about asp.net. Let me see what I can get. – C4d Jan 03 '15 at 15:15

1 Answer


The fact of the matter is that storing sensitive information on the client machine leaves your database highly vulnerable to attack. A suggestion you can look into is a three-tier architecture model for your application (http://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture). In a three-tier architecture, you have your presentation layer (your application), your logic tier (this layer is the central pit stop through which all your clients will access your database), and your database layer (the server where your database is). With this architecture, you can ensure all the data being stored and retrieved comes from a singular source with high-level security.

In the past (and still in the present), programmers would have to create their own socket servers or do advanced network programming to develop a solution like this; however, Microsoft has developed a tool called Windows Communication Foundation (WCF) which takes away the pain of coding your own socket server and lets you focus on developing your own implementation. Be warned though: WCF is secure by default, but that is no excuse not to research ways of making your product robust against hackers (like knowing what protocol you are going to use, what security measures you are going to use (Transport vs Message, etc.), encrypting data on the client side so potential viruses don't uncover sensitive information, etc.). That said, WCF is a highly polished service and it is really easy to get something up and running.

A good beginner video tutorial on WCF can be found here: https://www.youtube.com/playlist?list=PLhq7kqloVlM-bI9W_7iDZhObAeyrFt1y_

EDIT: The playlist for the videos is gone, but the videos themselves are still there. Just search through all his videos looking for the keyword 'WCF'.

Here's the link: https://www.youtube.com/user/JesseDietrichson/featured

Hayden
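The middle-tier pattern proposed in the question (a second program on the server that alone holds the connection string) and recommended in the answer (the logic tier of a three-tier design) is shown below as an added example; it is not code from the original post or from WCF, and it uses Python with an in-memory SQLite database standing in for the real database server. The `APP_DB_CONNECTION` environment variable, the `notes` table, the user list and the token-based session store are all constructed for this example. The security-relevant points are the ones the thread raises: the database credentials exist only in the server process's environment, clients authenticate with their own per-user credential and receive a revocable session token instead of the shared database password, and the client can only invoke a small fixed set of operations built on parameterised SQL, so it cannot send arbitrary queries even if it is reverse engineered. In a real deployment the `handle` call would travel over a TLS-protected channel (the "SSL" point from the comments); here it is an in-process call so the example runs offline.

```python
import os
import secrets
import sqlite3

# Assumption: the logic tier reads its database connection string from its own
# environment on the server. The client binary never contains it. Defaulting to
# an in-memory SQLite database lets the example run without a real server.
DB_CONNECTION = os.environ.get("APP_DB_CONNECTION", ":memory:")

# Constructed user list for the example; a real service would verify a
# salted password hash stored in its own user table.
USERS = {"alice": "correct horse", "bob": "battery staple"}


class MiddleTier:
    """Logic tier: owns the database connection and exposes only a fixed,
    narrow set of operations. Clients authenticate as themselves, never
    with the database account."""

    def __init__(self):
        self._db = sqlite3.connect(DB_CONNECTION)
        self._db.execute("CREATE TABLE IF NOT EXISTS notes (owner TEXT, body TEXT)")
        self._tokens = {}  # session token -> username (constructed session store)

    def login(self, username, password):
        """Return a fresh session token, or None if the user credentials are wrong."""
        if USERS.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = username
        return token

    def logout(self, token):
        """Revoke one client's session; the database password is never at stake."""
        self._tokens.pop(token, None)

    def handle(self, token, action, **params):
        """Single entry point for clients: authenticate, then dispatch to a
        whitelisted operation that uses parameterised SQL."""
        user = self._tokens.get(token)
        if user is None:
            return {"ok": False, "error": "unauthenticated"}

        if action == "add_note":
            body = params.get("body")
            if not isinstance(body, str) or not 0 < len(body) <= 1000:
                return {"ok": False, "error": "invalid body"}
            self._db.execute(
                "INSERT INTO notes (owner, body) VALUES (?, ?)", (user, body)
            )
            return {"ok": True}

        if action == "list_notes":
            # Rows are scoped to the authenticated user, not to a client-supplied owner.
            rows = self._db.execute(
                "SELECT body FROM notes WHERE owner = ?", (user,)
            ).fetchall()
            return {"ok": True, "notes": [r[0] for r in rows]}

        # Anything else, including attempts to pass raw SQL, is refused.
        return {"ok": False, "error": "unknown action"}


if __name__ == "__main__":
    tier = MiddleTier()
    token = tier.login("alice", "correct horse")
    print(tier.handle(token, "add_note", body="first note"))
    print(tier.handle(token, "list_notes"))
    print(tier.handle(token, "run_sql", sql="DROP TABLE notes"))
    print(tier.handle("stolen-or-guessed", "list_notes"))
```

Because the client only ever learns a session token, reverse engineering the client yields nothing that opens the database directly, and a leaked token can be revoked with `logout` without rotating the database password. The same shape applies to a WCF or ASP.NET service: the contract exposes `add_note` and `list_notes` style operations, never a "run this SQL" operation.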