We have a couple places in our app (Xamarin C# cross-platform) where we deal with sensitive information - so we've password-protected the database (SQLCipher) and we encrypt the data we store outside of the database. However, I'm thinking that it wouldn't be difficult for a determined hacker to inject a DLL between our app and the database DLL and see the password going by in the Connect() function, and likewise to inject a DLL between our app and whichever system DLL provides System.Security.Cryptography and see our AES key going by.

Is there a way to protect against this? Or am I incorrect and this isn't actually a big security risk?

Betty Crokker
  • The app package is signed, you can't dynamically change code without breaking the signature. I think the security risk is pretty low, but you have to evaluate that based on your client's tolerance, etc. – Jason Oct 10 '17 at 14:55
  • Raymond Chen calls this "being on the other side of the airtight hatch". When somebody has sufficient rights to copy a malicious DLL into the install folder and induce your program to load it then he won't bother doing it the hard way. He'll simply replace your program. – Hans Passant Oct 10 '17 at 15:00

1 Answer

I believe that all you need is to sign your assemblies: "C#: why sign an assembly?".

Aliaksei Futryn