
I have an embedded web browser control in a WinForms app. The user performs some actions on a site that doesn't belong to me. At the end (e.g. on the last page) I need to send a confirmation to my server (e.g. via a web service) that the user really did what he was supposed to do.

Right now the application is gathering some data during that process and, after doing some odd stuff with it (i.e. security through obscurity), it sends the information to my server. The message that is sent from the app to the server is obscured and the application is written in C++, so it's not that easy to decompile it and check what is really sent. Additionally, a user who might crack the code has the opportunity to earn only a very small amount of money, and it's easy to track him. That situation has never occurred.

The source code became unmaintainable and I would like to rewrite it using C#. The problem is pretty obvious: even obfuscated code is a lot easier to crack than an old native C++ binary.

Do you see any "secure" way out? Is there a possibility to get something like a digital signature of the page that is in the web browser control (HTTPS connection only)? I don't have any idea how to do that other than taking the user's credentials for the external page and performing the actions on the server side on his behalf, which would be totally unacceptable.

Aly
  • Why would anybody go through the trouble of decompiling code? Just snoop on the network traffic. – Hans Passant Jun 29 '11 at 17:04
  • Yes, you're right - it's a lot easier to monitor network traffic and crack it, but for now it would be a pain to guess how the "odd stuff" in the code is creating the final message and what the exact input is. It's obscured with some dummy methods and some encryption, which is of course inside the code. It would be a lot easier to decompile the .NET assembly than to decompile the C++ binary or try to crack the network traffic. – Aly Jun 30 '11 at 06:11
  • 1
    Can you explain the situation a bit more? What's the user doing? – Rob P. Jun 30 '11 at 16:21
  • You want a way to secure the communication channel between the app and your server? – ALOToverflow Jun 30 '11 at 16:23
  • I want to be able to do one of the following things: obscure my .NET binary to have a similar strength of obfuscation/difficulty for a cracker as the native C++ binary has (which is probably impossible) OR, without obfuscation, have a way to be sure on the server side that the data gathered from the WB control wasn't somehow changed. For the latter - let's imagine the user went to http**s**://site.com and my app sends the HTML source of it to my server with a signature from site.com, so I'm sure that the user didn't change it, but AFAIK there is no such thing; SSL works totally differently and I would have to be a MITM. – Aly Jul 01 '11 at 07:06

1 Answer


Your question doesn't tell us the scope of how the users get the WinForms app, etc. But I would say that the only "foolproof" way would be to host this logic and code on your own controllable premises. So here are my two (expensive, but doable) suggestions: publish this application as either:

Again, probably overkill in terms of investment and infrastructure (depending on how widespread this thing is), but nevertheless pretty appealing from a technical point of view, since it would be impossible for anyone to eavesdrop on what kind of data you send and where you send it.

Magnus Johansson
  • Thank you for your insight. I've never heard about RemoteApp or anything similar. Of course I've heard about RDS. This is a feasible solution, but the requirements are high and the user experience could be very unpleasant due to the high network traffic. – Aly Jul 01 '11 at 06:57