Okay, so I have this C# application that connects to a database, has the login and all that stuff, but what if some guy just downloaded a decompiler, saw my code, got the connection string from my DB and did whatever he felt like? How can I protect myself from that? And even if I could protect my connection string, how could I protect my actual code?
- Possible duplicate of [Obfuscation in Xamarin Projects](http://stackoverflow.com/questions/36423030/obfuscation-in-xamarin-projects) – SushiHangover Apr 28 '16 at 08:39
- You can't. Really. If the computer can execute it, then the computer can interpret it correctly, and thus, so can people, with the right tools. – Nyerguds Apr 28 '16 at 08:40
- Read the linked duplicate.... – SushiHangover Apr 28 '16 at 08:42
- Well then why program in .NET at all? And why hasn't Microsoft taken care of this problem? – The Reptilian Army Apr 28 '16 at 08:42
- Because... it's not a problem? It's just how things work? The only way to truly 'fix' this is to mess it up so badly the computer can't execute it either. Hardly a solution. – Nyerguds Apr 28 '16 at 08:43
- Or pay some offshore company to write the code. It will be so shockingly poor that no one would be able to read it even without obfuscation. – ChrisBint Apr 28 '16 at 08:44
- Well, you can go and invest in the development of heavy DRM then, like game companies do, but look at how fast even those games get cracked. As for your database, that seems more of a security issue than a coding issue. Good security can't be hacked even if you have all the information on how it works. – Nyerguds Apr 28 '16 at 12:04
- Also, it is completely unrelated to .NET; this is exactly the same in any programming language. Open source, closed source... the bytes all look the same. They _have_ to, or your computer can't read them. A framework like .NET or Java puts a layer in between that, yes, but _its purpose was never to obfuscate your code_. – Nyerguds Apr 28 '16 at 12:06
- @Nyerguds I don't think it works exactly like that, because if you try to decompile an application like Spotify it won't work, or even decompile a game, for example. – The Reptilian Army Apr 28 '16 at 13:39
- @TheReptilianArmy That's just because you know little about it. The most common way to do it is actually disassembly, not decompilation. Basically you can _always_ retrieve the actual way the program processes things, _and_ all bare text it uses, like your connection string. What you usually do lose are function and variable names, since those lose their meaning anyway once it's byte code. Unless the program is compiled in Debug mode, that is; then it usually still contains all that so it can be comfortably linked back to the code. This same info allows crash messages to give you line numbers. – Nyerguds Apr 28 '16 at 13:46
- @Nyerguds Okay, how exactly would you do that then? How would you get the code off an app that's running on your PC? – The Reptilian Army Apr 28 '16 at 13:54
- Depends on what it's compiled in, but for C++ applications I use IDA. You mentioned "decompile a game", but as I said, the companies involved in games often invest in costly DRM systems to encrypt their final executables, and they only get decrypted at runtime. And even those are hackable, if you bother to research how they get encrypted, though I have no experience with that kind of advanced stuff. Anyway, in your case, I'm fairly sure Manfred Radlwimmer's answer is correct: you should just use a web service to connect to the DB, not give the program full database access. – Nyerguds Apr 28 '16 at 14:25
- @Nyerguds Alright, thanks a lot for the info. – The Reptilian Army Apr 28 '16 at 14:30
- Your case aside, decompilation is a hard and messy business. It's equivalent to trying to make a map of a city without street name plaques by chasing around buses of which you only more or less know the routes they'll follow. As I said, you lose all function names and variables. I spent 2 years digging into the disassembled byte code of a game from 1995 in order to make some much-needed fan bug fixes for it. So I'm quite familiar with both the concept of decompilation and how hard it can be. – Nyerguds Apr 28 '16 at 14:34
- I figure this is an interesting conversation (even if some responses _aren't [nice](https://stackoverflow.com/help/be-nice)_ or are far from [PC](https://en.wikipedia.org/wiki/Political_correctness), and even if the question's missing an [mcve])... – ashleedawg Jan 02 '18 at 10:02
4 Answers
You should never store critical information in your assemblies, exactly for this reason. There are numerous ways to obfuscate the information but they only delay the inevitable.
Remember: Security by obscurity is not safe
- Access the data on a server-side application and pass it to an authenticated client instead.
- Restrict the Database User Account to the minimal required rights (if you only need to read information - make sure it doesn't have write access, etc.)

- This. From what the question says, it seems to be a desktop app connecting straight into an offsite database. That's just terribly insecure on its own; the database should use a service that only supports calls for the exact actions the application is allowed to do. – Nyerguds Apr 28 '16 at 13:50
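As an added illustration of this answer's two points (not code from the question, the answer, or any linked project), here is a minimal ASP.NET Core service in C# that keeps the connection string on the server and exposes a single authenticated read to the desktop client, paired with a least-privilege database account. The endpoint path, the `Orders` connection string name, the `dbo.Orders` table, the `orders_reader` login and the `Auth:*` settings are all assumptions made for this example; it needs the `Microsoft.AspNetCore.Authentication.JwtBearer` and `Microsoft.Data.SqlClient` packages and an identity provider that issues the bearer tokens the client presents.

```csharp
// Added example (not from the question or any answer): a minimal ASP.NET Core
// service that sits between the desktop client and the database. The connection
// string lives only in the server's configuration; the client only ever holds a
// URL and a bearer token. "Orders", dbo.Orders and orders_reader are assumed names.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// Assumes an OAuth2 / OpenID Connect identity provider issues the tokens.
// Auth:Authority and Auth:Audience are placeholders read from server config.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = builder.Configuration["Auth:Authority"];
        options.Audience = builder.Configuration["Auth:Audience"];
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();   // the bearer token must never travel in clear text
app.UseAuthentication();
app.UseAuthorization();

// Read from appsettings.json / environment variables on the server only, e.g.
//   "ConnectionStrings": { "Orders": "Server=...;Database=Orders;User Id=orders_reader;Password=..." }
// Nothing in the shipped client binary contains this value.
string connectionString = builder.Configuration.GetConnectionString("Orders")
    ?? throw new InvalidOperationException("ConnectionStrings:Orders is not configured");

// The service exposes exactly one action the client is allowed to perform:
// look up a single order by id. No raw SQL or table access is reachable from
// the client, and the id is bound as a parameter, never concatenated.
app.MapGet("/orders/{id:int}", async (int id) =>
{
    const string sql = "SELECT Id, Customer, Total FROM dbo.Orders WHERE Id = @id";

    await using var connection = new SqlConnection(connectionString);
    using var command = new SqlCommand(sql, connection);
    command.Parameters.Add("@id", System.Data.SqlDbType.Int).Value = id;

    await connection.OpenAsync();
    await using var reader = await command.ExecuteReaderAsync();
    if (!await reader.ReadAsync())
        return Results.NotFound();

    return Results.Ok(new
    {
        Id = reader.GetInt32(0),
        Customer = reader.GetString(1),
        Total = reader.GetDecimal(2)
    });
}).RequireAuthorization();   // unauthenticated callers get 401 before any SQL runs

app.Run();

/*
  Pair the service with a database account that can do nothing beyond what the
  endpoint needs (SQL Server syntax; schema and login name are assumed):

    CREATE LOGIN orders_reader WITH PASSWORD = '<strong password>';
    CREATE USER  orders_reader FOR LOGIN orders_reader;
    GRANT SELECT ON dbo.Orders TO orders_reader;
    -- no INSERT / UPDATE / DELETE, no access to other tables

  Even if the server-side connection string leaked, the blast radius is one
  read-only table rather than the whole database.
*/
```

The design choice worth noticing is that obfuscation plays no part: the client binary can be decompiled freely because it contains no secret, and the only database rights that exist anywhere are the ones the one endpoint actually exercises.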
> but what if some guy just downloaded a decompiler saw my code got the connection string from my DB and did whatever he felt like? How can i protect myself from that?

That's a shame, isn't it? There are only a few things you can do about that:
- Use a VPS ($$) and store the login part of your code online. You can, for that specifically, use LiteCode, and here is a tutorial: https://github.com/debug-hf/LiteCode-Example/
- Use an obfuscator to keep decompilers and hackers from looking at your code. The best so far is http://netguard.io . It includes free plans, and all the premium plans are fully secured. All your strings are scrambled, melted, stored secretly in the file. Famous deobfuscators such as De4Dot cannot handle it, even though they handle more or less every obfuscator on the market!
Hope it helps :) Cheers

Connection strings can be encrypted in the config file; see _Connection Strings and Configuration Files_.
However, you cannot truly protect your code from people wishing to view what it does; you can only make it harder by obfuscation.
I would add that a proper security model could restrict access to both the physical files and the database 'data', but that does depend on your deployment model.

You should store your connection string in your app.config or web.config file.

- Doesn't really help much; if they have access to the code, they have access to the config. – ChrisBint Apr 28 '16 at 08:39
- You can always encrypt the web.config: https://msdn.microsoft.com/en-us/library/bb986855.aspx – Jordi Ruiz Apr 28 '16 at 08:45
- For those who downvote the answer: https://msdn.microsoft.com/en-us/library/ms254494(v=vs.110).aspx – Jordi Ruiz Apr 28 '16 at 08:54
- @ChrisBint No one ever said anything about having access to the code. I believe you mean the binaries... – Nyerguds Apr 28 '16 at 12:13
- @Nyerguds Semantics. If they have access to the binaries, they have access to the code. – ChrisBint Apr 28 '16 at 12:25
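Added example, not the code of either of the last two answers or of the linked MSDN pages: the config-file encryption they refer to, done from C# with the `DataProtectionConfigurationProvider` that ships with the .NET Framework's `System.Configuration`. The connection string name `MyDb` is an assumption, and the program needs write access to its own `.exe.config` the first time it runs.

```csharp
// Added example (not from any answer on this page): encrypt the <connectionStrings>
// section of a .NET Framework app.config with the built-in DPAPI provider, then
// read it back. ConfigurationManager decrypts transparently, so the rest of the
// program is unchanged. Requires a reference to System.Configuration.dll.
// The connection string name "MyDb" is assumed for this example.
using System;
using System.Configuration;

static class ConfigProtection
{
    // Encrypts the section in place the first time the program runs; later
    // runs see IsProtected == true and skip it. Must run on the same machine
    // (default machine-scoped DPAPI key) as the process that will later read
    // the config, and needs write access to <exe>.config.
    public static bool ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.ConnectionStrings;

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        // DataProtectionConfigurationProvider = Windows DPAPI; the key is held
        // by the OS, not in the file. RsaProtectedConfigurationProvider is the
        // alternative when one config must be readable on several machines.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // The consumer code does not change: decryption happens inside the
    // configuration system when the section is read.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new InvalidOperationException($"connection string '{name}' not found");
        return settings.ConnectionString;
    }

    static void Main()
    {
        bool encryptedNow = ProtectConnectionStrings();
        Console.WriteLine(encryptedNow
            ? "connectionStrings section encrypted"
            : "connectionStrings section was already encrypted");

        // Plain text in memory again at this point: anyone who can run code on
        // this machine under a suitable account obtains the same value, so the
        // encryption protects the file at rest, not a local attacker.
        string cs = GetConnectionString("MyDb");
        Console.WriteLine("connection string length: " + cs.Length);
    }
}
```

The consumer side never changes, which is the point of the feature: the configuration system decrypts the section when it is read. That is also its limit, and the one ChrisBint's comments point at: the protection covers the config file at rest (backups, copies, source control), while any process running on the same machine with the same access as the application gets the plaintext back exactly as this program does. Encrypting the config therefore complements, rather than replaces, the server-side service and least-privilege database account from the accepted answer.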