I'm writing an application in C# for a smart device running Windows Mobile 6.1. It's pretty basic. Just querying a database and getting results. Nothing too fancy.
This program is only going to be deployed internally, but we still want to be secure with our SQL connection info.
What's the best way I should go about encrypting/securing my connection string in the program? I've seen examples for .NET programs using AppSettings, but I'm not seeing a Setting stab in my Solution properties.
This is my first time developing an application in C#/Visual Studio 2008, so there might be some kind of setting I'm missing.
Thanks for the help.
Be aware that if it's in your program, then it's inherently unsecure. No matter what you do, if the app has the ability to make that secure connection with info it contains, then that info can be pulled out by an experienced hacker with time and desire.
But are you that concerned about that level of threat? Obviously just throwing it into an app.config file is about as low-security as you get. All that has to happen is that someone opens the file with a text reader and ta-da, they have your credentials.
Maybe you would want to store an encrypted version in the config file and keep a private key in your app. At least a text reader can't "break" it. Of course someone might use reflector and decompile your app to get the private key.
Well you could obfuscate the app. That would make it harder to find that private key. Yes still not impossible.
Maybe you want that private key to be pulled off of a server through a web service or something. Then if someone has the app, they can't get it - though they can always reverse engineer how the web service call is made. Or do a man-in-the-middle and look at the key on the network.
Maybe you could use SSL to protect the transmission. Maybe do MAC filtering on the service to make it more difficult for an unauthorized device to get the key.
You can see the progression here. Each level of security requires more and more work. More and more maintenance. You have to decide what the return on the investment is going to be for your scenario and pick a level of security you're comfortable with for the amount of effort you're willing to spend on it.
Not sure if this helps, but I used OpenNETCF.AppSettings in a previous Windows Mobile 5 project under VS2005.
You can download the Community Edition of the OpenNETCF Smart Device Framework for free at www.opennetcf.com and browse the documentation.
I'm not sure it works with VS2008/CF3.5 though.
Related
I was learning more about ASP.NET MVC, and I decided to to take a course on Udemy taught by Mosh Hamedani, and this course involved me making an application called Vidley. I was able to complete the course entirely, however I came across a problem:
A day or two after I completed the course. My computer caught a virus and I had to reformat the operating system and reinstall everything. I had the application backed up on bit bucket, but the application just doesn't work with the database. When ever I try to create a new user, the application just throws an error. What do I need to do to get the application working with the database again. I tried looking at other topics but I couldn't see anything that covered my specific issue. I am thinking if there is any kind of configuration I need to fix with the database, but I am not entirely sure and I am concerned I will break the code.
It really is upsetting because I was going to add that project to my portfolio, so I could find a job easier. I am wondering what I have to do to get this web application to work with the database again, and where should I deploy it. Should I use a website like app harbor, or is there any other better platform. I am really new at this so I am sorry if I am asking an absurd question.
Please recheck your connection string as you have reinstalled everything even the operating system.
Check your Database server instance is running or not. If not, start that service.
Recheck database name, username and password in your connection string.
I'm about to release a small tool which uses a database connection for storing data. The question is: How can I prevent people reverse engineering my code and getting the Username and Password to gain access to the database?
For earlier projects (which were used only by myself), I defined the connection-string just as a global variable inside my app. But that's highly unsafe as it only takes minutes to get this string out of the exe.
Also a lot of methods to obfuscate code can be reversed.
I am really a big fan of providing code but I don't know what to post. This is more a question about the theory. Coding is the part I'll take care of myself.
Here is a small idea from me which I don't really like that much:
I could place a second tool on the server. The real app would connect to this second tool, give over the data and the second data would finally connect to my database itself. This way the connection-string would be stored inside the second app where nobody can grab it.
The fact of the matter is that storing sensitive information on the client machine is highly vulnerable to attacks against your database. A suggestion you can look into is a Three-tier architecture model for your application (http://en.wikipedia.org/wiki/Multitier_architecture#Three-tier_architecture). In a Three-tier architecture, you have your presentation layer (your application), your logic tier (this layer will be the central pit stop for all your clients will have access to your database), and you have your database layer (the server where your database is). With this architecture, you can ensure all the data being stored and being retrieved from is from a singular source and high level security.
In the past (and still in the present), programmers would have to create their own socket servers or do advance network programming to develop a solution like this, however Microsoft has developed a tool called Windows Communication Foundation (WCF) which takes away the pain of coding your own socket server and lets you focus on developing your own implementation. Be warned though, WCF is secure by default, but it is no excuse not to research into ways of making your product robust against hackers (like knowing what protocol you are going to use, what security measures you are going to use (Transport vs Message, etc), encrypting data on client side so potential viruses don't uncover sensitive informations, etc). In saying that, WCF is a highly polished service and is really easy to get something up and running.
A good beginner video tutorial on WCF can be found here: https://www.youtube.com/playlist?list=PLhq7kqloVlM-bI9W_7iDZhObAeyrFt1y_
EDIT: The playlist for the videos are gone, but the videos themselves are still there. Just search through all his videos looking for the keyword 'WCF'
Here's the link: https://www.youtube.com/user/JesseDietrichson/featured
I recently launched my desktop application and it got cracked after a few days. I posted a question on stack overflow and people said that i cannot stop that. In the start of the software i cannot allow this to happen and i want a solution. So, following is what i am thinking.
Currently, I have desktop application that communicates with the web server to verify the user. Once the user is verified it saves the values in Registry. The hacker has bypassed the communication code and added fake values in registry and he can use my software now.
Now, i am planning to take some of my code from MAIN features of the software to a WEB SERVICE hosted somewhere else on a web server. Whenever the software needs to run that feature the software will give a call to the WEB SERVICE with the values in REGISTRY. I will verify those values and return the results. But if the values will not match my database then i will reject the call.
So, my questions is:
1- Do you think this solution is feasible ?
2- According to my thinking, it will make the software useless to the hacker. What do you think ?
3- Any flaws in this solution ?
You don't have to get cracked. Jeez, everybody thinks there's no solutions available to prevent piracy, but there are. Disclaimer: I work for a company (Wibu Systems) that prevents software piracy and provides license management solutions.
Here's the thing: this (like all security issues) is a highly specialized area of focus and the crackers are smarter at this than you are. They are already familiar with the different home-grown solutions people roll themselves and can crack those quickly.
Commercial solutions (ours is CodeMeter; in all fairness other companies make good solutions too like SafeNet and KeyLoc) rely on strong encryption with multiple layers of protection against key discovery. These companies have spent years developing, improving, and testing their solutions; it's unlikely you will be able to come close to the robustness and quality of such a solution on your own. I can almost guarantee you that any solution you create on your own will get cracked very quickly, unless your product is uninteresting to the crackers.
I'm not trying to create an ad here; I just want to set the record straight. Companies that traditionally got cracked constantly who switched to CodeMeter stopped getting cracked. Check out Propellerhead's Record product for a good example.
Is there any way to stop .NET Reflector working at a program?
For example: I am developing a program that has confidential data (like gMail address and password), and I don't want to someone can see them.
How can I do this?
There are various tools that promise this, via different techniques.
For example, many commercial obfuscators will, in addition to encrypting strings and obfuscating the source, also introduce things into the IL that allow the program to run but which break (most/all) of the current reverse engineering tools like .NET Reflector.
That being said, keeping this type of data within the application will never be safe. The best a tool can do is make it more difficult to get the information, but never make it impossible.
A tool which "masked" it and breaks obfuscation tools is still not perfect - with enough time and energy, somebody can get that information out of your program. If the information is available to the runtime, it's available to somebody with enough determination and drive to find it. As such, important, private information like passwords should not be kept in the executable.
Yes, search for '.NET obfuscator'. There are several tools available.
However, you should never embed your email username / password in the code. This is just wrong. Putting security aside, what would you do if you need to change your email password? Can you upgrade all the copies of your software out there?
Obfuscators tend to offer little in defense of data such as what you are keeping in your application. They are mainly meant to protect the code and logic from being reverse engineered, not literals. A better way would be to have your client application talk to a server-side app that feeds it the data it needs instead of having your client negotiating with the secure servers directly. With this way, you can set up secure method of encryption between your server and client application.
I will soon begin the painful*(kidding)* process of migrating multiple, separate, Access Applications to "Real" applications*(notice the quotes, no flame wars please)*. Most likely this will be Web Apps as the usual reason is multiple users and deployability but I will take it case by case.
Some of these are traditional Access apps using Access as the back end and others are using SQL Server(a central one) as the back end.
What I am looking for is a combination of your experience doing this and what resources you used to help.
Websites, apps, standards, best practices, gotcha's, don't forget's, etcetera.
I am a 1 person C# shop with SQL Server back end so whether Web or not I will be looking that direction.
Also, is it overkill or unattainable to try and develop a Framework for this kind of thing? Would there just be TOO MANY variables to even try and walk this path? Anyone ever try this?
Some further info based on below questions. We currently have ~250 users and they are spread between 5 Locations.
What I meant by deployability is perhaps a little vague. I simply meant that we are a Non-Profit Organization and as such we do not have the best bandwidth available so deploying full apps, even through ClickOnce can be tricky when combinded with the highly fickle nature of my users*(I want that box purple, no green, no get rid of it altogether type stuff...)*.
My idea is to try and develop a "framework", of sorts, that will help to streamline the process of moving an Access App to a .Net App.
Now I fully understand that this "framework" may be nothing more than a set of steps and guidelines; like, Use ORM*(LINQ2SQL or SubSonic)*to generate DAL, Copy UI to corresponding UserControls, rewrite Business Logic.
I am just looking for your experience/expertise to help me streamline my streamlining process... ;)
Those apps which use an Access database to store tables and which need web access should first be upsized to SQL Server. There is a tool from the SQL Server group. SQL Server Migration Assistant for Access (SSMA Access)
Then consider moving to the web only that portion of the app that requires remote access. And leaving the rest of the app in Access. That could save a considerable amount of time.
Alternatively consider going to Terminal Server. That along with a VPN means just some software licensing costs and next to no work on your part.
That said what do you mean by "multiple users" and "deployability"? Possibly we can give you some suggestions there. Access is multi user out of the box. However if you have mission critical data or can't rekey the data in the event of a corruption or have more than 25-50 users on the LAN then you should be moving the data to SQL Server.
Now that it's public Access 2010 can deploy applications to the web. All kinds of very interesting stuff can be done. For more information check the Microsoft Access product group blog or my blog with the appropriate Access 2010 tags
Speaking from experience I think you would need to upgrade on a case by case basis. Upgrading is essentially a re-write from scratch and you should take the opportunity here to re-design as necessary. The type of application structure and code style used for Access (likely to be procedural I'm guessing) is very different to a well designed OO .Net app.
You will be able to re-use the SQL Server databases of course and, depending on the apps maybe even the Access ones. If you're feeling brave you could even try the upsizing wizard although I wouldn't recommend it as we found the results less than ideal.
I would also advise you take a look at some kind of ORM tool (we use Subsonic) as this can massively reduce the amount of boiler plate code you need to write. Some ORM tools will also generate DDL for your database too.
We follow these standards (good idea to pick a standard early on and stick to it we found) and also found this really useful to get up and running.
Hope this was some help.