I am using c# (VS2010 FrameWork:v4.0) and SqlServer 2012 to build an application. I searched online to find ways to prevent copying this system and I thought the only part that needs to be protected from copying is the database.
I would like you to provide me with some advises about the issue. And I need answers/opinions about the following :
Do I need to protect also the application (executive file) from copying with the database? If yes, does this mean I have to provide the user with a new copy to install it if the user looses the application files?
One Idea I have in my mind to protect the DB is to save some passwords/keys in DB (in the form of varbinary) and when the device is logged in (runs the app) the application checks for (the MAC address) of the device if it is not saved then the app asks for a key. once the key is used, the device mac address is saved with the key. Is this a right thing to do? is there any advice about it?
If I need to protect the app part from copying, is there any idea how to do it?
I have also read about installing SQLExpress on client PC and That should protect the DB files from manipulation, so I have to provide a way to upgrade/ update DB scripts in the future rather than replacing client's DB with a new one. And I thought to provide a form in the app protected by a password, and I can write a script in a textbox in the form (__For Example: Alter Proc_ ...), and Save it. Can I do this? or would that be a stupid thing to do?
Thanks in advance
You cannot. Any claim to the contrary is snake oil.
The only way to protect your application is to offer it as a service, hosted on hosts you own/control.
To find a way to prevent user from using APP+DB without my permission(for example registering using keys)
It is possible to create licensing schemes where the application runs only on the designated hardware. Your application takes the host fingerprint (eg. net MAC), uploads it to a service you host, you sign the fingerprint with a private key and provide the signature to the application, then the application validates the fingerprint signature using the embedded public key and runs the application. While this sounds doable, there is a number of ways this can and often does go wrong. Users change the fingerprint frequently (eg. hardware update). Fingerprints are difficult to enforce on virtualized environments (VMs can edit their MAC). It is very difficult to harden application code against a moderate hacker willing to attack and bypass your protection, and basically impossible to harden it against a skilled hacker.
But you have also asked about the database and tagged the question sql-server. To that part I can only double down on my previous answer: It is impossible to protect a database against being accessed and/or modified by a on-site administrator, at will. There are secure ways to audit access and modifications to the database, so you can prove tampering and act accordingly (refuse support or charge extra). But you cannot prevent it.
Ultimately what you're asking for is DRM.
Related
so I have a bundled software that a client can download and install (using an msi on win machines).
part of this software is a mongoDB database, that stores client info, configurations, etc..
When the software is first installed, it creates an empty folder for the mongoDB, and whenever the software starts, it starts a mongod process (using C#'s Process.Start()): mongod.exe --dbpath <path> --port <port> --quiet.
My goal is to secure the mongoDB database with a username / password that will be known only to my application.
this will help prevent tampering with my client's data from the outside, as well as make it harder (but not impossible, see below) for the client themselves to tamper with the application's data.
The general idea, I guess, is that on installation (or on startup), to create a user with read / write privileges which my software will use to communicate with the database.
So My questions are:
1. How do I programmatically do this? I guess this is the right direction, but I couldn't find much info on the c# driver docs
2. How do I deal with upgrades? i.e clients who installed a previous version of the software, where the database is not secure at all; i would like to create a user with a password in that case as well.
3. how do I store the application user's credentials in my application? in a config file? but that can be read by the client. any best practices here?
versions info- (unfortunately, because of my company's issues, we're not using the latest product versions); mongoDB 2.6, mongoDB driver for .net 1.5.0.
thanks!
P.S. I have read through the security section on the mongoDB website, but wasn't able to find a simple example for the use case I'm trying to implement.. maybe I'm just missing something simple here..
This is kind of an interesting, unusual use case.
First of all, I want to make sure you're aware of the licensing/copyright implications of bundling MongoDB with your software. You should check out the license section of the mongo project GitHub page and read up on the AGPL.
Second, the easiest part of your question:
how do I store the application user's credentials in my application? in a config file? but that can be read by the client. any best practices here?
This goes beyond MongoDB. If a user owns the system that the mongod process is running on, they could just copy the data files and set up a no-auth mongod on top of your application data. You cannot reasonably stop them from doing things like that, so do not count on your application's data to be secure from the client user. Plus, if you install your application code locally, any decently smart and committed person should be able to extract the username and password from the compiled application code. You can make it hard, but not impossible.
Third,
How do I programmatically do this?
Based on what I just said, I'm taking "this" to mean
on installation (or on startup), to create a user with read / write privileges which my software will use to communicate with the database.
not the part about having it be secure from the person who owns the computer it's installed on, because that's not possible. To do this, I'd either package a mini datafile to start the mongod on top of, one that included users set up already, or include a dump that you use something like mongorestore to load into the mongod after you start it up. The first option is way simpler to implement and should not require you to have to take down and respawn the mongod process, so try that - see if you can set up a mongod with auth how you want it and then transplant user info by copying data files. FWIW, I'm pretty sure the passwords are not stored in plain text in the data files (they are salted), so you won't have that directly exposed from the data files.
Finally,
How do I deal with upgrades?
You'll have to take down their mongod, restart it with auth, use the localhost exception to create the users you need, turn off the localhost exception (optional but why not), and then end that connection and start new ones using auth. It's the same process as in the security tutorials, you just have to do it with C# driver commands. Note that moving between MongoDB versions is also tricky as the seurity model has improved over time, so you should consult the upgrade guide for extra things to do to make sure user schema gets upgraded correctly if you are moving a user from a secure 2.6 to a secure 3.0, say.
C# driver connectionstring can accept login credentials for the database.
mongodb://username:pwd#server:port/dbname
for ex
mongodb://myuser:mypassword#mydbserver:30254/mydb
The best way is to store the data in a config file. If you are worried about exposing it, it can be encrypted and stored. Other less likely option is to store in a resource file and reference that as a string.
I am a bit new to C# program language, I will like to know how to secure my C# desktop app from being redristibuted on various systems without my permission. I have seen some possible solutions but I will want your advice
Create a web activation system where a pin/unique code is issued before every install
Create an online install system that allows people to install directly from a website without downloading the setup
Please help advice on the best option to take(I'll love to use the first option if it is possible with php/mysql because I am not good with asp.net)
Well you can't instal a program without a setup file. You need some small setup file that would download the actual setup file from your setup, that is how I see most programs being installed.
Normally on a server you have options to download full setup file (big setup file that contains all the installation data) and online setup file (small file that requires internet connection during installation).
And it doesn't really mater do you use php or asp.net on your server, because the only thing that matters is what your script does on the server.
How your validation would work is that your setup file before installing your program would require the user to insert the validation key and it would send it to the server. Your php script will search the mysql table and if it finds that key it would tell your setup file that password is ok and it would mark that key as "used" in your mysql table. Otherwise the user would have to reenter the key.
The answer to your question depends on the level of protection you would like to implement.
The simplest one is just to implement a product key protection without any need for online activation: in this case the keys should be selected/validated by certain algorithm that you include in your program. It's not a really good protection because the same key might be used for multiple (theoretically infinite) product installations.
More robust protection could be achieved with online product key activation. In this case you can specify the number of activations per key (e.g. 5), thus preventing the same key to be overused.
There are plenty of info in this regards addressing the practical aspects of such key protection.
Rgds, AB
You can do the following:
After installing and starting the app, the app generates a user key based on physical system attributes like MAC Address/Serial No. etc.
The user is prompted to enter the corresponding license key to activate the product.
The user either using a web app or over phone or email, provides the user key and requests for corresponding license key.
You will have some algorithm to generate unique licence key from user key which the app can validate.
Upon receiving the licence key, the user enters the same in the app and starts using it.
Installing the app on a different machine changes the user key and the app will not work.
I have developed a .Net 3.5 windows forms application. I also want to design a website that has a webservice with multiple Webmethods to query the database on the host machine. I want the webservice to be called ONLY through my winapp and my website! And I don't want any other people to be able to call and use my webservice but only some people who have access to the windows application that I have developed.
I need a good security scenario for this! I truly appreciate anyone who can help me because this is my first experience of developing a webservice and I really need it to be as secure as I mentioned!
What you're talking about is going to be difficult to do for several reasons, but primarily this:
If you put anything in code on your WinForms app, it can be decompiled very easily. You can obfuscate the code all you like, but it can be de-compiled.
Because of that, any code that you have in your app can be read by anyone with access to the code. You should always treat any WinForms app as if it's completely compromised, and ensure that the security at the server end compensates.
Because of this, you can't simply store usernames and passwords in configuration files or in code. You have to come up with something else. You CAN use authentication and prompt the user to enter a username/password on program launch, and use that. However, people tend to share these things, so you may want to go for extra protection.
You can put the connection info, or secrets into the app.config and encrypt it, but anyone who can de-compile the code, can recompile it, and add code to decrypt it at will.
You can provide signed keys with your app, and use that in an authentication mechanism, but that can be bypassed.
You can restrict your IP address to specific IP addresses, but those can be spoofed.
However...
By layering all of the above techniques, you can make it difficult for an attacker to bypass your precautions. We did the following in one of our apps where we had a similar requirement:
We set up a database that holds a GUID record for each authorized customer, and IP addresses allowed for that customer.
Every web method expects a CustomerKey parameter. (the guid mentioned above) Each call to a web service checks the key against the IP address.
If it matches, valid data is returned.
If it fails, valid looking data is returned. We actually return what looks like good data, but it's really not. This makes it harder for an attacker to know if they've actually broken through the defenses.
In the WinForms app, the key is stored in the app.config, which is encrypted in the main() event (the entry point for WinForms apps). This is to prevent the casual reader from accessing it.
The program is launched automatically on install, so that the encryption happens at startup, to minimize the chance someone can read the file before it's encrypted.
Also, the code is obfuscated.
Layering the defenses, hopefully, will discourage the average attacker.
Microsoft has some guidelines as well: http://msdn.microsoft.com/en-us/library/ff648643.aspx
I'm writing a database driven windows application and both the executable and database need to be installed on the customers machine.
Is there a database that I can use as a backend to my application that the user can't get into even though the user is using the same machine that the database is stored on.
As far as I can tell, Postgres won't work for this, and the versions of access that I have tried are easy to get the crack the passwords for.
My application has to be able be installed on a laptop and be useable even when there is no internet access, so the usual client-server database models just don't work.
I have considered using a VMWare virtual appliance with Postgres installed on some version of linux, but this would have a pretty heavy system load.
I would prefer to not have to use encripted text files or something like that.
Since users (or hackers) own the machine, there is nothing you can do to make it secure. Anything you try will fall into a category called Security Through Obsecurity.
Your best bet is to encrypt your database and try to hide the key in some obscure place in your binary. Since this is an installed application, don't use Database servers. Just use a DB library like Postgres.
How critical is the data? Encrypting data on your system using standard RSA or AES with a key stored and encrypted in your application will keep your mum and dad user away.
But if you can't keep the secret out of the client application, then you're going to have trouble here.
There's a couple of options available to you, depending on your budget.
First, I have used SQL Server Compact Edition 3.5 with a .NET program for doing a local database that was encrypted. The good news was that the file was encrypted and could only be accessed if you had the password. The bad news of course is that your password will probably be in your connect string, unless you do something like a seeded PRNG to generate up the password for you. Also, SSCE requires that it be installed independent of your application -- if for any reason the user uninstalls it through Control Panel, your application won't run.
Second, I have also used a commercial product called VistaDB, and it also supports local database files that are encrypted. There are comparison features of VistaDB versus other database engines available on their website -- but another thing they offer is that they don't have a runtime that has to be preinstalled -- you just add another assembly to your distribution (they claim you can statically link it, but I haven't tried that personally). The local file on disk is also encrypted with VistaDB, and without the password you can't access the underlying database.
Good luck!
Alright so here is my issue. I'm working a game engine that will eventually be multilayer. this engine allows games to be written in either a .Net language or Lua (the built in scripting engine). For security however I'd would like to prevent people from viewing these files and of course prevent them from editing them. My solution was to make a Virtual File System with encrypted headers. This way it would be difficult to discover the contents of the game data files, and if somehow someone did, they wouldn't be able to edit them without the key otherwise it would be invalid.
Another issue with the current game is that it connects to a SQL data to get certain data, this means the DB connection string and password is stored inside the application.
However, how do you deal with storing passwords inside a .Net application? I know for a fact that they can be decompiled and it wouldn't make sense to store secret keys inside a readable configuration file so how do most professionals do it?
Typically client applications do not directly connect to the database. Instead the connect to a server which handles the remote calls on behalf of the application. In such a scenario the only thing that needs the password to the database, is the server.
In modern .Net world the server is usually built using WCF