Alright so here is my issue. I'm working a game engine that will eventually be multilayer. this engine allows games to be written in either a .Net language or Lua (the built in scripting engine). For security however I'd would like to prevent people from viewing these files and of course prevent them from editing them. My solution was to make a Virtual File System with encrypted headers. This way it would be difficult to discover the contents of the game data files, and if somehow someone did, they wouldn't be able to edit them without the key otherwise it would be invalid.
Another issue with the current game is that it connects to a SQL data to get certain data, this means the DB connection string and password is stored inside the application.
However, how do you deal with storing passwords inside a .Net application? I know for a fact that they can be decompiled and it wouldn't make sense to store secret keys inside a readable configuration file so how do most professionals do it?
Typically client applications do not directly connect to the database. Instead the connect to a server which handles the remote calls on behalf of the application. In such a scenario the only thing that needs the password to the database, is the server.
In modern .Net world the server is usually built using WCF
Related
As I developped a WPF .NET Core Application that interacts with an online MySQL Database using EntityFramework, I noticed I had absolutely no way of protecting my Database from being read or modified using the easily accessible connection string if my app was deployed and someone code reversed it.
I searched a bit and found these few possible solutions:
Storing the connection string in an encrypted app.config using aspnet_regiis (but .NET Core seems to be more oriented on .json configuration files, and therefore cannot be encrypted using aspnet_regiis)
Obfuscating the source code using an c# obfuscator like ConfuserEx (if I understood correctly it's just making the connection string harder to read, but it remains possible to get it and mess with the DB right?)
Building and interacting with API instead that would do the changes to the DB (but even then how to make sure the API requests are truly coming from my WPF app and not from a malicious user?)
If you know any more precisions about these solutions or perhaps have another way of making it secure and safe to connect to an online Database, detailed steps/links are very welcome!
Building and interacting with API instead that would do the changes to the DB
This would be the recommended approach.
(but even then how to make sure the API requests are truly coming from my WPF app and not from a malicious user?)
You can't really.
When you embed some kind of access key or a public URL in a client application that you expose publicly, you basically accept the fact that it may be exposed. You should assume that a malicious user can extract the key/URL from the client app regardless of any obfuscation.
The service may reject requests from IP addresses that it considers to be misusing the API but it will still need to handle those requests.
Managing a public API is not trivial. You may want to consider hosting your app in a managed cloud.
After some researches and tests, I found that the proper way to prevent a malicious user from reading and messing up with the connected database (even if he gets access to the connection string) is by Limiting my app to only execute Stored Procedures that will give the minimum data required. And for stored procedures that will read or change a user's sensitive data, also by having in their required parameters the user's secret token, which would be a random string generated in SQL the same time the user registers.
The only issue remaining is if the hacker spams requests to try to bruteforce (even if it's almost impossible to bruteforce a very long and safe token), it might still makes the MySQL server overload or even crash. To prevent that from happening the only solution seems to use an API.
I am using c# (VS2010 FrameWork:v4.0) and SqlServer 2012 to build an application. I searched online to find ways to prevent copying this system and I thought the only part that needs to be protected from copying is the database.
I would like you to provide me with some advises about the issue. And I need answers/opinions about the following :
Do I need to protect also the application (executive file) from copying with the database? If yes, does this mean I have to provide the user with a new copy to install it if the user looses the application files?
One Idea I have in my mind to protect the DB is to save some passwords/keys in DB (in the form of varbinary) and when the device is logged in (runs the app) the application checks for (the MAC address) of the device if it is not saved then the app asks for a key. once the key is used, the device mac address is saved with the key. Is this a right thing to do? is there any advice about it?
If I need to protect the app part from copying, is there any idea how to do it?
I have also read about installing SQLExpress on client PC and That should protect the DB files from manipulation, so I have to provide a way to upgrade/ update DB scripts in the future rather than replacing client's DB with a new one. And I thought to provide a form in the app protected by a password, and I can write a script in a textbox in the form (__For Example: Alter Proc_ ...), and Save it. Can I do this? or would that be a stupid thing to do?
Thanks in advance
You cannot. Any claim to the contrary is snake oil.
The only way to protect your application is to offer it as a service, hosted on hosts you own/control.
To find a way to prevent user from using APP+DB without my permission(for example registering using keys)
It is possible to create licensing schemes where the application runs only on the designated hardware. Your application takes the host fingerprint (eg. net MAC), uploads it to a service you host, you sign the fingerprint with a private key and provide the signature to the application, then the application validates the fingerprint signature using the embedded public key and runs the application. While this sounds doable, there is a number of ways this can and often does go wrong. Users change the fingerprint frequently (eg. hardware update). Fingerprints are difficult to enforce on virtualized environments (VMs can edit their MAC). It is very difficult to harden application code against a moderate hacker willing to attack and bypass your protection, and basically impossible to harden it against a skilled hacker.
But you have also asked about the database and tagged the question sql-server. To that part I can only double down on my previous answer: It is impossible to protect a database against being accessed and/or modified by a on-site administrator, at will. There are secure ways to audit access and modifications to the database, so you can prove tampering and act accordingly (refuse support or charge extra). But you cannot prevent it.
Ultimately what you're asking for is DRM.
so I have a bundled software that a client can download and install (using an msi on win machines).
part of this software is a mongoDB database, that stores client info, configurations, etc..
When the software is first installed, it creates an empty folder for the mongoDB, and whenever the software starts, it starts a mongod process (using C#'s Process.Start()): mongod.exe --dbpath <path> --port <port> --quiet.
My goal is to secure the mongoDB database with a username / password that will be known only to my application.
this will help prevent tampering with my client's data from the outside, as well as make it harder (but not impossible, see below) for the client themselves to tamper with the application's data.
The general idea, I guess, is that on installation (or on startup), to create a user with read / write privileges which my software will use to communicate with the database.
So My questions are:
1. How do I programmatically do this? I guess this is the right direction, but I couldn't find much info on the c# driver docs
2. How do I deal with upgrades? i.e clients who installed a previous version of the software, where the database is not secure at all; i would like to create a user with a password in that case as well.
3. how do I store the application user's credentials in my application? in a config file? but that can be read by the client. any best practices here?
versions info- (unfortunately, because of my company's issues, we're not using the latest product versions); mongoDB 2.6, mongoDB driver for .net 1.5.0.
thanks!
P.S. I have read through the security section on the mongoDB website, but wasn't able to find a simple example for the use case I'm trying to implement.. maybe I'm just missing something simple here..
This is kind of an interesting, unusual use case.
First of all, I want to make sure you're aware of the licensing/copyright implications of bundling MongoDB with your software. You should check out the license section of the mongo project GitHub page and read up on the AGPL.
Second, the easiest part of your question:
how do I store the application user's credentials in my application? in a config file? but that can be read by the client. any best practices here?
This goes beyond MongoDB. If a user owns the system that the mongod process is running on, they could just copy the data files and set up a no-auth mongod on top of your application data. You cannot reasonably stop them from doing things like that, so do not count on your application's data to be secure from the client user. Plus, if you install your application code locally, any decently smart and committed person should be able to extract the username and password from the compiled application code. You can make it hard, but not impossible.
Third,
How do I programmatically do this?
Based on what I just said, I'm taking "this" to mean
on installation (or on startup), to create a user with read / write privileges which my software will use to communicate with the database.
not the part about having it be secure from the person who owns the computer it's installed on, because that's not possible. To do this, I'd either package a mini datafile to start the mongod on top of, one that included users set up already, or include a dump that you use something like mongorestore to load into the mongod after you start it up. The first option is way simpler to implement and should not require you to have to take down and respawn the mongod process, so try that - see if you can set up a mongod with auth how you want it and then transplant user info by copying data files. FWIW, I'm pretty sure the passwords are not stored in plain text in the data files (they are salted), so you won't have that directly exposed from the data files.
Finally,
How do I deal with upgrades?
You'll have to take down their mongod, restart it with auth, use the localhost exception to create the users you need, turn off the localhost exception (optional but why not), and then end that connection and start new ones using auth. It's the same process as in the security tutorials, you just have to do it with C# driver commands. Note that moving between MongoDB versions is also tricky as the seurity model has improved over time, so you should consult the upgrade guide for extra things to do to make sure user schema gets upgraded correctly if you are moving a user from a secure 2.6 to a secure 3.0, say.
C# driver connectionstring can accept login credentials for the database.
mongodb://username:pwd#server:port/dbname
for ex
mongodb://myuser:mypassword#mydbserver:30254/mydb
The best way is to store the data in a config file. If you are worried about exposing it, it can be encrypted and stored. Other less likely option is to store in a resource file and reference that as a string.
I am newbie to the web programming. I have been working as desktop application programmer for the last 8 years. Now one of my projects is to create a web application using HTML 5 and some java script that can be live on the cloud as well as downloadable as a desktop application to work offline. I don't need any database to store any data. I am thinking of writing a C# win form application with a web browser control to load the HTML pages and the .js files.
My questions are:
Is it possible to achieve? if so, is there any other way than what I mentioned above?
What about the security concerns such as accessing the files(the html files, java script files, etc)? Whether this can be called into my application from the local hard disk?
If I can run it as a desktop application, how to make sure that the source code is not accessed by anyone in the client machine?
It's achievable, but why you would want to wrap it in a C# web browser control doesn't really make sense to me. With HTML5 you can define cache manifest files to create offline apps that run in any browser that supports it, no need to wrap it with anything as long as the client has a capable browser. They don't even have to know it's an offline app!
Not quite sure what you mean here with regards to security concerns. That's a massive topic. Just use common sense and realize that anything you store on their computers will be accessible by them (e.g. do not give them your public/private key pair or store any passwords or anything you don't want them reading in the files you're sending to them) and use a secure connection to send sensitive data back and forth between the client and your server.
You really can't prevent anyone from accessing the source code if it's on their machine. The best you can do is obfuscate it to a reasonable degree before deployment to make it harder on the person trying to read it.
I'm writing a database driven windows application and both the executable and database need to be installed on the customers machine.
Is there a database that I can use as a backend to my application that the user can't get into even though the user is using the same machine that the database is stored on.
As far as I can tell, Postgres won't work for this, and the versions of access that I have tried are easy to get the crack the passwords for.
My application has to be able be installed on a laptop and be useable even when there is no internet access, so the usual client-server database models just don't work.
I have considered using a VMWare virtual appliance with Postgres installed on some version of linux, but this would have a pretty heavy system load.
I would prefer to not have to use encripted text files or something like that.
Since users (or hackers) own the machine, there is nothing you can do to make it secure. Anything you try will fall into a category called Security Through Obsecurity.
Your best bet is to encrypt your database and try to hide the key in some obscure place in your binary. Since this is an installed application, don't use Database servers. Just use a DB library like Postgres.
How critical is the data? Encrypting data on your system using standard RSA or AES with a key stored and encrypted in your application will keep your mum and dad user away.
But if you can't keep the secret out of the client application, then you're going to have trouble here.
There's a couple of options available to you, depending on your budget.
First, I have used SQL Server Compact Edition 3.5 with a .NET program for doing a local database that was encrypted. The good news was that the file was encrypted and could only be accessed if you had the password. The bad news of course is that your password will probably be in your connect string, unless you do something like a seeded PRNG to generate up the password for you. Also, SSCE requires that it be installed independent of your application -- if for any reason the user uninstalls it through Control Panel, your application won't run.
Second, I have also used a commercial product called VistaDB, and it also supports local database files that are encrypted. There are comparison features of VistaDB versus other database engines available on their website -- but another thing they offer is that they don't have a runtime that has to be preinstalled -- you just add another assembly to your distribution (they claim you can statically link it, but I haven't tried that personally). The local file on disk is also encrypted with VistaDB, and without the password you can't access the underlying database.
Good luck!