2

I'm trying to release a software I wrote to multiple Computers in several different locations. The Program itself is a Windows Forms Application. To install it I added a setup project which also works perfectly fine. All files get copied to the right folders and the choices the user can make during the installation work without a flaw. But:

The only problem is that the config file, which contains sensible data like for example the SQL connection string, gets also copied / installed on the target computer.

Is there a way to store this data unreadable for the user in the application? I thought about just writing it in a class since the application gets obfuscated but I'm not sure if this is secure enough and if this really is a way to go...

Any help appreciated!

colosso
  • 2,525
  • 3
  • 25
  • 49
  • **-** You should know sensitive parts of application may include: **•** Settings and configurations like connection strings. **•** Business logic and validation rules. **•** Authority to access data and functions. **-** If you relied on obfuscation, you can store sensitive data in application code or encrypted settings files. Obfuscation makes the way hard and bumpy for hackers. But if you want to bring more protection to your application you should consider server-side solutions. – Reza Aghaei Mar 27 '16 at 13:04

2 Answers2

0

It's impossible that the config file/data is only readable for the program but not for the user, because you can decompile the program and search for the conection String, but you can make it to the user as hard as possible. You can also write a php script or something else that checks the request and can block requests from specific ips if the script notice that the user spam requests or send rubbish data. Perhaps it is enough to you also, that you create a new database user which limited write and read permissions has, so that the user didn't have the opportunity to do bad things with the Connection String.

Dominik Viererbe
  • 387
  • 2
  • 12
  • The question is whether you believe that the user will decompile your program to get the connection string? If the answer is no ist ok if you write it in the code. – Dominik Viererbe Mar 27 '16 at 08:25
0

You might cryptographically secure the sensitive file with a private key embedded in code itself with an obfuscation scheme. This is better then embedding all sensitive config data in code since you would not need rebuild-test-release your application when only your config changes.

Theoretically, If an application running in user mode can -anyhow- access the plain sensitive data, so can the user(de-obfuscation, memory dump etc). Since all information needed to generate or decipher the sensitive data is present offline (code, disk, memory), one -with enough skills- can determine the decryption scheme by examining the code (even the machine code)

Think of an application as a user with rapid calculation and massive memory skills so it can de-obfuscate your code on the fly and do the needed calculations to decrypt the "safe" data

Guclu
  • 142
  • 11