I am a newbie to web programming. I have been working as a desktop application programmer for the last 8 years. Now one of my projects is to create a web application using HTML5 and some JavaScript that can be live on the cloud as well as downloadable as a desktop application to work offline. I don't need any database to store any data. I am thinking of writing a C# WinForms application with a web browser control to load the HTML pages and the .js files.
My questions are:
Is it possible to achieve? If so, is there any other way than what I mentioned above?
What about security concerns such as accessing the files (the HTML files, JavaScript files, etc.)? Can these be called into my application from the local hard disk?
If I can run it as a desktop application, how do I make sure that the source code is not accessed by anyone on the client machine?
It's achievable, but why you would want to wrap it in a C# web browser control doesn't really make sense to me. With HTML5 you can define cache manifest files to create offline apps that run in any browser that supports it, no need to wrap it with anything as long as the client has a capable browser. They don't even have to know it's an offline app!
Not quite sure what you mean here with regards to security concerns. That's a massive topic. Just use common sense and realize that anything you store on their computers will be accessible by them (e.g. do not give them your public/private key pair or store any passwords or anything you don't want them reading in the files you're sending to them) and use a secure connection to send sensitive data back and forth between the client and your server.
You really can't prevent anyone from accessing the source code if it's on their machine. The best you can do is obfuscate it to a reasonable degree before deployment to make it harder on the person trying to read it.
Hi, I have a C# WinForms app. I wrote the essential methods in C#. But I need a login form, and it's not safe since apps like dotPeek can inspect the source code and hack it. Can I communicate with another application that is written in another language (Java, C, Python, etc.)? I need to send input data from the WinForms C# app to another app, then it should connect to the database, check if the login is successful, and return a value back to the C# WinForms app. Is that possible, and how can I implement it? I don't want to write the whole application in another language since C# has good methods to process images/pixels and GUI support with very small memory usage.
I got the point you are trying to make.
One thing to admit is that you can't completely avoid decompiling of apps. C# or C++, no matter what, anything can be reverse engineered.
If you still need it, a comparatively safer approach is to not put the checking app at the client's machine. Create an API and host the database on a server.
Then just initiate an HTTP request to the server from your Windows Forms app.
Then you have full control of the login API and database. Many applications use OAuth similar to this. Other examples are apps that verify their license using an online API.
You can get a LightSail Windows server in around $10 a month if you want to setup. Try exploring
Your concern is not baseless. C#, or for that matter, any .NET language running on the CLR, will be easier to inspect than a language like C or C++.
Having said that, no app will be completely secure, and communicating between apps has its own problems. How does one app verify the other? etc. You can create a web service that would communicate with the database (and communicate with the web service using HTTP or WCF) which would mean your app wouldn't have direct access to the database, but that would only protect the database from your app, it would still allow someone to inspect your app and use the web service, impersonating your app. Also, you would need to host the web service on some web hosting service, and then you would have to trust that service to not inspect your app...
You can reduce the problem by storing the password etc. as byte arrays, but regardless of what you do, I don't know of a way to completely safeguard your app. If a malicious app/actor is on your computer they can inspect your app.
As for your question itself - look into WCF or named pipes (includes a simple example).
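A sketch of the server-side login check the answers above describe, added here as an example and not code from either answerer: the credential store and the comparison stay on the server, and because anyone who inspects the client can call the endpoint directly, failed attempts are throttled. `LoginService`, `Register`, `TryLogin`, the in-memory stores and the numeric limits are assumptions for illustration (requires .NET 6 or later).

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

var service = new LoginService();
service.Register("alice", "correct horse battery");   // constructed sample account
Console.WriteLine(service.TryLogin("alice", "correct horse battery") is not null);
Console.WriteLine(service.TryLogin("alice", "guess") is not null);

// Runs on the server only. The WinForms client sends the credentials over HTTPS and
// gets back an opaque token; it never holds the database connection string.
public sealed class LoginService
{
    private const int Iterations = 210_000;  // assumed PBKDF2 work factor
    private const int MaxFailures = 5;       // assumed lockout threshold
    private sealed record Account(byte[] Salt, byte[] Hash);

    // Stand-ins for the server-side database (hypothetical in-memory stores).
    private readonly Dictionary<string, Account> _accounts = new();
    private readonly Dictionary<string, int> _failures = new();

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    public void Register(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        _accounts[user] = new Account(salt, Derive(password, salt));
    }

    // Returns a session token on success, null on bad credentials or lockout.
    public string? TryLogin(string? user, string? password)
    {
        // Any program can call this endpoint, so check shape and rate before anything else.
        if (string.IsNullOrEmpty(user) || password is null || password.Length > 256) return null;
        if (_failures.GetValueOrDefault(user) >= MaxFailures) return null;

        bool known = _accounts.TryGetValue(user, out Account? account);
        // Derive even for unknown users so timing does not reveal which names exist.
        byte[] candidate = Derive(password, known ? account!.Salt : new byte[16]);
        if (known && CryptographicOperations.FixedTimeEquals(candidate, account!.Hash))
        {
            _failures.Remove(user);
            return Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        }
        _failures[user] = _failures.GetValueOrDefault(user) + 1;
        return null;
    }
}
```

A real deployment would persist the failure counter with an expiry and keep issued tokens server-side; both are left out here.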
I have a web application (ASP.NET WebForms). Now I need to give this application to my client for offline installation (installed on a local server and accessed via LAN). I want to protect this application from being copied.
All I can think of now is:
I should maintain an online server and have an Activation Page which runs when the Web App is run for the first time. It should connect to the server and get a valid license against a Key (entered by me in Web.Config during installation) and machine parameters.
Also, if I code it I need to take care of System Clock and other naive issues.
Now, I have two questions.
Are there any other options to safeguard a web app?
Does the solution I'm planning to code already exist?
Thanks for reading and trying to help.
:)
No, no, no... You can't totally protect your ASP.NET app like this.
The customer (if he wants to) can decompile your code and replace your activation methods, so the application will always think that it's "legally activated", or, for example, he can write a fake activation server that will always activate your software... It's not so hard really, especially when your application is based on .NET.
The main purpose of these "protections" is only to make illegal copy creation take a little longer (several weeks or a month or two), so your sales department can sell many, many copies to legal customers, and losses from illegal usage are not so huge at project start time. Or they can be huge anyway, even with usage of a "super-super-super commercial protection product for your apps". It depends on the luck and popularity of your app.
The only, and ONLY, way to protect your ASP.NET application from illegal copying with a 100% guarantee is NOT TO give the application to the client for local installs at all. Use the SSAS-model for selling your app. Or, if that's not possible, do this for some critical parts of your application.
I am thinking of using Silverlight instead of WPF as the client and WCF as the server. Does it make sense?
I guess I will have these advantages:
1) More portable because it's Web.
2) I don't need to validate a user's input in both client and server applications.
The third advantage is my main question: I guess the user cannot see my code, so my application would be safe against hackers. Is this correct? This means that if I store a database connection string in Silverlight, no clients will see it, right?
Thanks.
The .xap file in which your Silverlight Application is packaged is only an archive that contains the DLLs of your application (rename it to .zip and see for yourself) so your code can still be decompiled by anyone who downloads the .xap.
As for your 2nd point, you should validate on the server. I could, for example, sniff the traffic and see that your application calls a WCF web service. From there I could make my own requests to your service without using your application. If you don't validate server-side bad things will happen.
Also, the "portability" of Silverlight is arguable, but yes I guess it is more portable than a .exe.
1) More portable because it's Web.
Well you'd have to define what you meant by "web" here. It won't work (unless I've missed something) on iOS (using Safari), or Android devices, or probably some others. It's not "web" in the same way that, say, a pure HTML5 application is "web".
2) I don't need to validate a user's input in both client and server applications.
That's only true if the server can "know" that the input really came from the client. If it's just a web request, it could be posted by anything. In my experience you should always validate on the server - client-side validation is there to make life easier for the user; server-side validation is to really enforce business rules.
The third advantage is my main question: I guess the user cannot see my code, so my application would be safe against hackers. Is this correct?
No. The code is running on the user's machine; it will have been downloaded, and can be decompiled like any other .NET assembly.
The assembly can easily be extracted and decompiled. Also, you can never know that a request comes from your application if it runs on the client, so do not even think about skipping server validation.
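To illustrate the point these answers make about server-side validation, here is an added example (not from the original posts) of a service operation that treats every field as untrusted, because the request may not have come from the Silverlight client at all. `OrderRequest`, `OrderService`, the catalogue and the limits are hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

var service = new OrderService();
// Constructed requests: the first is what the real client would send; the other two
// are hand-built by someone calling the service directly, skipping the client UI.
Console.WriteLine(service.PlaceOrder(new OrderRequest("WIDGET-1", 2, 19.98m)));
Console.WriteLine(service.PlaceOrder(new OrderRequest("WIDGET-1", 2, 0.01m)));
Console.WriteLine(service.PlaceOrder(new OrderRequest("WIDGET-1", -5, 0m)));

public sealed record OrderRequest(string? Sku, int Quantity, decimal ClientTotal);

public sealed class OrderService
{
    // Server-side source of truth for prices (hypothetical catalogue).
    private static readonly Dictionary<string, decimal> Prices = new()
    {
        ["WIDGET-1"] = 9.99m,
    };

    public string PlaceOrder(OrderRequest request)
    {
        // Same rules the client UI enforces, repeated here because the UI can be skipped.
        if (string.IsNullOrWhiteSpace(request.Sku) ||
            !Prices.TryGetValue(request.Sku, out decimal unitPrice))
            return "rejected: unknown item";
        if (request.Quantity is < 1 or > 100)
            return "rejected: quantity out of range";

        // Never trust a value the client computed; recompute it from server data.
        decimal total = unitPrice * request.Quantity;
        if (request.ClientTotal != total)
            return "rejected: total does not match server price";

        return $"accepted: {request.Quantity} x {request.Sku} = {total}";
    }
}
```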
Overview
C# File - Users PC
PHP Server - Hosts Webpages for application
Server and Users PC on local network
I have a C# file that reads weight from a USB scale. How would I trigger this file to run so it feeds into my program? The problem is I am using PHP to host our webpage/application, so it's not running client side, and the scale is not hooked up to the server but to the client's PC.
The C# script would have to be on the clients in order to read the scale so how would I trigger this to happen?
Is this even possible and if not what would be a better way?
Important Edit
I was able to run the Scale Script (C#) when I wanted by having PHP and C# use TCP sockets.
The C# would listen for PHP to send something, and when it did it would read the scale and send this information back to PHP, because PHP was listening for a response. Mixed in with a little Ajax, it updates in the web browser.
Gave Chris credit because he was the most helpful with answering my questions.
It sounds like what you really want is for the client application to submit the data to the website itself, and the most suitable approach is probably to expose a web service from your server.
This service should accept weight data, along with some sort of customer key or whatever, to correlate the records correctly on the server side. I've never created a web service in PHP personally, so I can't give any advice on the implementation of that, but it is fairly trivial to hook a C# client app up to a web service once you've exposed its metadata (assuming you use SOAP).
You can't start a C# application from a web page in a way that'll work in every browser every time. BUT, you can have some workarounds:
Use an ActiveX component that reads the data on the client and uploads it to the server. The biggest con is that it'll only work in Internet Explorer.
Use a Silverlight client application that runs in elevated mode (v4) and uploads the data to your server.
Refer your clients to download an application (the C# application you wrote about) and run it. This application will upload the data to your server.
Hope this helps.
C# isn't a scripting language, it's a language that compiles into executable binaries or libraries. You won't be able to execute C# code on the client's computer via a website because C# code needs to be compiled before it can run.
Presumably what you really want is for your compiled C# binary to be executed on the client's machine via your website. You won't be able to easily do that. There are a lot of security measures in place to prevent browsers from running programs on your computer. There may be ways to hack around these security measures by using plugins (such as ActiveX), but it's not something that will be a one-liner.
Edit: I think you need to step back and think about what you're trying to do in a broad sense. You're trying to create a website that can read information from a user's USB port. This is the type of thing that browsers are designed to prevent, and for good reason. I wouldn't want random websites to be able to access peripheral hardware without my explicit permission. If you want this website to function the way you're expecting, you're going to have to seriously think about the security implications. You'll need some kind of client-side code (ActiveX, Silverlight, ...), and the user will need to explicitly give permission for this all to happen. It won't be easy, and it won't be automatic. And I'm damn glad that's true.
To summarize, as we all know,
a) Silverlight is expected to be hosted by a browser, and runs in an isolated sandbox so that there won't be any security issues
Silverlight doesn't have direct access to the file system, other than the isolated storage area
There is no direct way to open common dialog boxes like File Save in Silverlight (though the Open dialog box is supported).
b) Silverlight can't access local resources like a printer
What are the ways to go beyond the sandbox, so that I can host a Silverlight application locally, to read files and save them back if required, to hand over data to a printer, and so on..
Update:
Is full WPF not an option for me? No. I'm also interested in a cross-platform solution. For instance, you could host Silverlight in the Mono web browser control, so that you can run it virtually anywhere.
The idea is to re-use the same application that I'm building for web in my desktop as well, by providing separation of concerns at some areas - like persistence, resource access etc.
Scenarios:
1- Some kind of gadget container, with access to local resources.
2 - A desktop Silverlight-based media application
Update:
I just did a POC to enable me to access the printer and save files locally, of course through a shell where I'm hosting my Silverlight application. If you want, you can have a look at the post here in my blog
Two ways I can think of are:
Create a "Shell"
Host the HTML Page with Silverlight, in a Winforms desktop application, using a web browser control, and communicate to and fro using HTML DOM. Then I can request the hosted shell to do things like printing. See details here
Mono also has a web browser control - based on FireFox XULRunner instead of IE - not yet succeeded in loading Silverlight inside that. Another option might be using Webkit.
Embed a web server
Embed a lightweight web server within the host application, and handle requests to perform such operations. You can probably define a protocol on top of HTTP for things like saving to a local folder, sending data to print, etc.
Is a full WPF application not an option for your situation?
As you probably know, Silverlight uses a subset of WPF, so you may be able to change your application relatively easily.
A WPF app would be easier than having a web server etc. bundled within your application.
You won't in the foreseeable future be able to have access to resources such as printers and files (apart from isolated storage) through Silverlight, as you know.
You could have a separate part of your app to upload files to the web server, then read these in your Silverlight app from a service.
Depending on your printing requirements (e.g. if you just want to send everything to an office printer), you could send the information you want printed to a service that will then print it for you. However, I am guessing you want each client machine to be able to print, in which case this won't work for you.
I am also attempting to reuse a codebase for both desktop and Silverlight. There are two options that I know of in addition to the ones mentioned:
If you directly reference (instead of a project reference) a Silverlight DLL from a normal project, it should work. This would let you reference a Silverlight DLL for both projects.
Have two project files (one WPF, one Silverlight) that point to the same set of files. You might have to use a few compiler flags here and there, but this should let you use the same files for both.