I'm making an uploading program, though it's just come to my thought of .exe .NET decompilers. I want to know, is it safe to put my FTP details in my program?

  • I assume you mean hardcoded login information? Nope, that's not safe, anyone who pulls your EXE apart can find it. Is it possible for you to allow anonymous access instead, or prompt your user for login credentials? – cf- Apr 12 '14 at 10:34
  • @computerfreaker No, it's not possible I'm afraid :L. I just downloaded a few decompilers and they don't show it.. so I'm unsure. – user3523090 Apr 12 '14 at 10:38
  • Regardless of what your decompilers show, the information will be there. There are numerous tools that can show strings inside a given EXE, and even if you hide the credentials well, anyone running your program via a disassembler such as OllyDbg or Ida Pro will be able to find the point where you login and see the login details. – cf- Apr 12 '14 at 10:41
  • The code is "wc.UploadData("ftp://USERNAME:PASSWORD@URL.COM" + sb.ToString() + ".png", ms.ToArray())" How can I make this.. safe? So like other programs such as screen capturing or Dropbox as example. – user3523090 Apr 12 '14 at 10:44
  • Change the password, now! :) – Tomas Pastircak Apr 12 '14 at 10:45
  • @TomasPastircak Obviously fake details.. :) But removed just in case there is that 'one' person who tries – user3523090 Apr 12 '14 at 10:47
  • http://stackoverflow.com/questions/926172/how-to-hide-strings-in-a-exe-or-a-dll – Sam Makin Apr 12 '14 at 11:11
  • http://msdn.microsoft.com/en-us/magazine/cc164054.aspx – Sam Makin Apr 12 '14 at 11:12
  • You should be able to store password securely in app.config. See this http://stackoverflow.com/questions/10606892/how-to-securely-store-a-connection-string – Victor Zakharov Apr 12 '14 at 13:29

1 Answer

Depending on how you use the program. If it is only for you, then this should be OK, but I won't recommend doing it if you distribute the app somewhere.

The simplest way to see the strings in the program is using the strings command on Linux or its equivalent on Windows - described here. This will show you the strings that are present in the file, and may be even simpler than obfuscating the code.

If you are going to distribute the app, I would suggest either:

  • Adding some configuring section, where the user himself enters the credentials, or
  • Permission the FTP to anonymous login correctly and let the users log in with anonymous login. It will have the same security strength as adding the password to the file. This may be useful for just downloading the data, but won't really work for uploads, as anyone would be able to fill your FTP with any data. For that, you'll have to use the first way.
Tomas Pastircak
  • "wc.UploadData("ftp://FTPUSERNAME:FTPASSWORD@my-site.com/pic/uploads/" + sb.ToString() + ".png", ms.ToArray())" this is what I am using. Safe? – user3523090 Apr 12 '14 at 10:43
  • No, not really. Preferred way for that will be user-specific credentials, as this means anyone can upload any file to your FTP and possibly fill it with mess. – Tomas Pastircak Apr 12 '14 at 10:44
  • That's the point. I want anyone to be able to upload files.. But without the actual details for an FTP client they won't be able to touch. – user3523090 Apr 12 '14 at 10:49
  • @user3523090 As I said, it will work, but means that anyone (and I mean literally anyone) can upload anything. If you don't mind that it will happen, it's OK, but expect your FTP to be filled with data. Unfortunately you can't really avoid that without user specific permissions. Plus, be aware that you won't be even able to change the password without directly affecting the users. – Tomas Pastircak Apr 12 '14 at 10:54
  • Mainly by user specific logins and workspaces (I assume you need to create an account, fill some captcha, it sends some email to you showing your details, you need to confirm the login by clicking on a link), possibly IP address limitations ( Only xxx MB per IP address - that would be rather difficult to implement, but is not impossible) and a really huge space to store the data. – Tomas Pastircak Apr 12 '14 at 11:01
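
The `strings` check from the answer, written as a pre-release scan of your own build output; this is an added example, not code from the original thread. It looks for URLs with embedded credentials in both single-byte and UTF-16LE text, since .NET stores string literals as UTF-16LE; the function names and sample bytes are constructed for illustration.

```python
import re

# URL carrying userinfo, e.g. scheme://user:password@host/...
CRED_URL = re.compile(
    r"\b(ftps?|sftp|https?)://([^\s:/@]+):([^\s/@]+)@([A-Za-z0-9.-]+)")
# Printable runs of 8+ characters: single-byte, and UTF-16LE (the encoding
# .NET uses for string literals; GNU `strings` needs `-e l` to show those).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def printable_runs(data):
    """Yield (encoding, text) for every printable run in a byte string."""
    for m in ASCII_RUN.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield "utf-16le", m.group().decode("utf-16-le")


def find_embedded_credentials(data):
    """Return one finding per credential-bearing URL; the password is
    deliberately left out so the report can go into a build log."""
    findings = []
    for encoding, text in printable_runs(data):
        for m in CRED_URL.finditer(text):
            scheme, user, _password, host = m.groups()
            findings.append({"encoding": encoding, "scheme": scheme,
                             "user": user, "host": host})
    return findings


# Constructed sample bytes (not a real assembly): the placeholder URL from the
# comment thread, stored as UTF-16LE between filler bytes.
URL = "ftp://FTPUSERNAME:FTPASSWORD@my-site.com/pic/uploads/"
SAMPLE_WITH_SECRET = b"MZ\x90\x00" + b"\x00" * 16 + URL.encode("utf-16-le") + b"\x00"
SAMPLE_CLEAN = b"MZ\x90\x00" + "ftp://my-site.com/pic/uploads/".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("with secret", SAMPLE_WITH_SECRET), ("clean", SAMPLE_CLEAN)):
        hits = find_embedded_credentials(blob)
        print(name, "->", hits if hits else "no embedded credentials")
```

To scan a real build, pass the file's bytes (for example `open(path, "rb").read()`) to `find_embedded_credentials` and fail the build on any finding.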