
I'm creating a windows form app and the underlying code needs to be secure. In the code is database information and many equations which people should not be able to see.

What I'm asking is if I install the app on someone's computer, how easy is it for them to "break" into the application and view this sensitive information? If it's not difficult for them to find the code, are there ways to prevent this from happening? I would appreciate any input.

Jens
  • It is not difficult to crack open a .NET app and get an idea of the code implemented. To make it harder, obfuscate the assembly (.NET comes with Dotfuscator); to make it harder still, buy a package that isn't scaled down. – Ňɏssa Pøngjǣrdenlarp Jun 26 '14 at 19:30

2 Answers


It's very easy to view code. Tools like ILSpy or .NET Reflector can practically show your code as you have written it in C# or VB.NET.

There are some possibilities, some free or cheap, some will cost you:

  1. Obfuscation: This replaces names and sometimes logic in your executable with other code that is hardly human readable. This is easy to do and there are tools like Confuser that do a good job, but the code is still there and can be read. It's only slowing attackers down.

  2. Another option that I have evaluated myself is using hardware protection in the form of Dongles. Here the whole application is encrypted with a secret key that is stored on a smartcard. Portions of the code that are needed are decrypted on the fly at runtime and executed. Since the code is encrypted you can't read it easily. Solutions like Codemeter are pretty hard to beat (there are no real cracks for these if implemented correctly, which isn't hard). But this is not for free.

You always need to have the scope of your protection in mind. Who do you want to keep from getting your code?
The average guy who also has used .NET some times and knows how to google and download ILSpy? Obfuscate it mildly and he will be annoyed enough to leave it be.
Some other people who really know what they are doing but still without financial interest? Use some more drastic obfuscation like code restructuring and so on and they will probably not invest weeks of their time to just find some formulas.
Some other company who is willing to put in the financial resources and the know-how of talented people to get your code to make a profit? Obfuscation will not help you. Maybe encryption will, maybe not.

We went with the Dongle solution since we also want to manage licensing in an easy way for the customers (of which most have very restricted online capabilities), while the code protection is a very nice additional feature.

Jens
  • How difficult is it to implement the dongle solution? Looking up codemeter, I see it involves usb sticks that I assume hold the secret key. Does that mean you need one of those sticks for each computer the application is running on? The obfuscation solution sounds like it would work as long as the application stayed internally inside the company, but it would still be possible for someone to copy the application and give it to a competitor so I don't believe that will fully work. – user3166937 Jun 26 '14 at 19:58
  • The codemeter stuff is very easy to use actually. They ship an application that lets you protect your compiled assembly with an easy wizard. No coding on your part is required. Every customer gets a USB Dongle. They can either plug it into the PC they want to use the program on or they can even use a central PC in their local network as a server and other PCs occupy licenses on the Dongle over the network (you can configure how many they get). It's very flexible. To allow someone else to run the software they need to have the Dongle. You can't easily copy it, it's no USB Stick. – Jens Jun 26 '14 at 20:01
  • They also offer quite an extensive demo package for you to try, I can recommend that ;-) I'm not associated with them by the way, but since I use their solution I can report on it ;) – Jens Jun 26 '14 at 20:02

You can use two-way cryptography before storing the information on the database. This question's answer has an explanation of how to do that very simply: Simple insecure two-way "obfuscation" for C#

About the equations, if they're hardcoded in your app, and you don't deliver the source code of the app, the only way to retrieve them is using disassembly, which, even with very simple tools, you have to be "computer savvy" to do.

Community
  • The latter is not true in a .NET environment. The code is not translated into machine language but into CIL (Common Intermediate Language) that can be quite fully reversed into the original source code. – Jens Jun 26 '14 at 19:43
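As an added illustration of the "two-way cryptography" suggestion in the second answer (this is example code, not from either answer or from any product mentioned in the thread), the snippet below keeps a database connection string out of the assembly entirely and stores it as a DPAPI-protected blob instead. It uses `System.Security.Cryptography.ProtectedData`, which is part of .NET Framework on Windows (reference `System.Security.dll`); the entropy string and the connection string are constructed sample values. DPAPI ties the blob to the Windows account that protected it, so there is no key to find with ILSpy and a copied config file is useless on another machine. The limitation the thread's comments point out still applies: whoever can run the application under that account can recover the value at runtime, so this protects the secret at rest, not from the machine's user.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: protect a connection string with DPAPI so no key or plaintext
// credential has to be compiled into the assembly. Assumes .NET Framework 4.x on
// Windows with a project reference to System.Security.dll.
static class SecretStore
{
    // Optional extra entropy mixed into the DPAPI key derivation. Constructed
    // sample value; it is not a secret by itself, just makes the blob app-specific.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Encrypt under the current Windows user's DPAPI master key. Only that account
    // on this machine can call Unprotect successfully.
    public static string Protect(string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = ProtectedData.Protect(data, Entropy, DataProtectionScope.CurrentUser);
        return Convert.ToBase64String(blob);
    }

    // Reverse of Protect. Throws CryptographicException for a blob made by another
    // user/machine or with different entropy, which is the intended failure mode.
    public static string Unprotect(string base64Blob)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] data = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(data);
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: the value you do NOT want to appear as a string literal
        // in the compiled .exe. In a real deployment it would be entered once during
        // installation and only the protected blob written to the user's config.
        string connString = "Server=db.example.local;Database=App;User Id=app;Password=CHANGEME";

        string stored = SecretStore.Protect(connString);
        Console.WriteLine("protected blob (store this, not the plaintext): " + stored);

        string recovered = SecretStore.Unprotect(stored);
        Console.WriteLine(recovered == connString ? "round trip OK" : "round trip FAILED");
    }
}
```

Use `DataProtectionScope.LocalMachine` instead of `CurrentUser` if the application runs as a service or under several accounts on the same PC; that widens who can decrypt to any process on that machine, so choose the narrower scope whenever the app runs interactively as one user.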