5

Is there any way to prevent people from using Reflector.NET to decompile my .exe C# application? I know there are tons of posts about this, but I don't really care if people can see my code; the only thing I want to "hide" is my database connection string.

I am currently using "Settings" in my C# project to keep the database connection's info. I wanted to know if using those strings in my project's Settings would prevent people from seeing them?

I am using Dotfuscator in Visual Studio 2008, but I heard it wasn't preventing people from decompiling my program.

I know I could use a web service, but my server will be on Linux, so I guess I can't store web services on Linux.

Brian Driscoll
Kinouk
  • Have a look here: http://stackoverflow.com/questions/2107036/is-it-possible-to-prevent-decompilation-of-net-msil-dll – Robert Harvey Jan 03 '12 at 20:24
  • and here: http://stackoverflow.com/questions/2478230/how-can-i-protect-my-net-assemblies-from-decompilation – Robert Harvey Jan 03 '12 at 20:25
  • please only 1 question per post. – Brian Driscoll Jan 03 '12 at 20:25
  • You can most certainly host web services (of many different kinds, I'm not sure what specifically you're picturing here) on Linux. But that's a topic for another discussion entirely. – David Jan 03 '12 at 20:28
  • I only need to hide the database connection info... so my question is: Can people see my project's Settings strings with Reflector.NET and other decompiling programs? – Kinouk Jan 03 '12 at 20:28
  • Posting as comment because this was closed wrongly... Take a look at this guide on this specific topic from MSDN: http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx Keep in mind, however, that this only *shifts* the security burden. Now you need to manage the security of the key. – Robert Levy Jan 03 '12 at 20:29
  • Don't use a direct database connection from your program unless the user is trusted to use the database directly with the same privileges. Have a service (web service, REST-service, etc) in between that you host on your own server. Linux can host services of any of those types I mentioned (use Mono if you want them in .NET on Linux). – PHeiberg Jan 03 '12 at 20:33

4 Answers

5

No. Even if you encrypt the connection string in the program code or in a settings file, you will need to decrypt it, and the program must necessarily contain the decryption key somewhere, which means that someone who is interested enough in finding it will find it, no matter how creative you are in hiding it. Why do you need to hide the connection string? If you are afraid that someone who has your program might call the web services directly and trigger unintended actions, you should look into how the web services are structured, what they allow clients to do, and how the authorization works, and make security improvements there instead.

Aasmund Eldhuset
  • Well my program is going to connect to a MySQL database, meaning if people can see the database connection's info then they can connect to it and delete all data? Should I do it in Java instead of C#? I heard Java can't be decompiled? – Kinouk Jan 03 '12 at 20:33
  • @Kinouk You are barking *completely* up the wrong tree here; *all code can be 'decompiled'* in one way or another, and you can *not* expect to hide your connection details from the end user. You need to give them their own details, instead. – Andrew Barber Jan 03 '12 at 20:37
  • ok so basically I should make a register page on a .php page and when a user uses the C# app he needs to enter his info (validated by a server application) – Kinouk Jan 03 '12 at 20:40
  • @Kinouk: Allowing a client-side application to connect directly to a database and execute arbitrary queries is _extremely_ dangerous unless you make sure that the database user can only access exactly the tables and columns it needs, and that the permissions make it impossible to do harmful things. This might be impossible if the application has to modify tables. (A safer possibility, though, is to use stored procedures and only allow the user to call those.) You are much better off by forcing the application to go through a web application or web service, as you describe. – Aasmund Eldhuset Jan 03 '12 at 20:51
  • (To everyone else: There are exceptions, of course, such as in controlled environments, e.g. if you are making an application that will only be used by trusted employees within a company.) – Aasmund Eldhuset Jan 03 '12 at 20:53
  • So I need a lot of servers? Or only 1 server that checks for new registers and stuff? – Kinouk Jan 03 '12 at 21:18
  • @Kinouk - 1 server is enough. It can be the same that is hosting the database. – PHeiberg Jan 03 '12 at 21:22
  • @Kinouk: PHeiberg is right. You just need to make sure that every user of the program gets their own username and password (or everyone can have the same username and password if everyone who uses the program shall be allowed to do the same things). It won't be a problem if the users find the username and password, because the only thing they can do with it is to use the web service, which will only allow them to do whatever they could do through the program. – Aasmund Eldhuset Jan 03 '12 at 21:45
5

If your program has the connection string in it, users of your program can get it back out. Even if you encrypt it, they can sniff it when your program connects to the DB server.

If you don't want your users to know your DB login credentials, don't give your DB login credentials to the users. That's the only way.

You could do this by instead giving each user their own credentials, and using the permissions system in the DB server to control what they can or can not do.

Andrew Barber
  • Ok but how can the client communicate with the server if it doesn't contain the connection info? I'm lost lol sorry – Kinouk Jan 03 '12 at 20:34
  • The client *can't* connect to the server without connection info. That's why you should do what my last paragraph said: Give each user their own login. And actually, you should not have them logging in to your database itself - you should instead have a server application - a web service, for example - and each user has their own, unique login to it. Just like you have your own unique Stack Overflow login - they don't just give you the username and password to the database. – Andrew Barber Jan 03 '12 at 20:36
  • ok so basically I should make a register page on a .php page and when a user uses the C# app he needs to enter his info (validated by a server application) – Kinouk Jan 03 '12 at 20:39
0

Take a look at this guide on this specific topic from MSDN (http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx). Keep in mind, however, that this only shifts the security burden. Now you need to manage the security of the key.

PHeiberg
Robert Levy
0

As others have stated, obfuscation is no real protection for a connection string stored in a client application where the user has access to the binaries.

Don't use a direct database connection from your program unless the user is trusted to use the database directly with the same privileges. Have a service (web service, REST-service, etc) in between that you host on your own server. Linux can host services of any of those types I mentioned (use Mono if you want them in .NET on Linux).

In order to expose your database via a web service using Mono or any other language/framework you can host on Linux you would create a web service method for each atomic operation you want to perform against the database.

An additional advantage over letting the client application access the database directly is that when the client application is using a service between itself and the database you are free to change your data store without affecting the client. You can decide to change the database schema in your database or replace the database with a NOSQL solution or even a flat file.

Having a service instead of communicating directly with the database moves the authentication/authorization requirement one step, so now you need to implement it in the service. Fortunately there is rich support for authentication in a web service.

PHeiberg
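The following is an added example written for this page; it is not code from any of the posters above nor from the projects they link to. It puts together the pattern recommended in Andrew Barber's answer (each user gets their own login, and the database permission system limits what the service account can do) and in PHeiberg's answer (a service between the client and the database, one service method per atomic operation, with authentication and authorization implemented in the service). The only place the MySQL connection string exists is on the server, read from the server's own environment, so there is nothing for Reflector.NET to find in the client .exe. The names and schema are hypothetical assumptions: the MySql.Data ADO.NET provider (whose `MySqlConnection` implements `IDbConnection`), a table `app_user(username, password_hash, salt, role)`, a table `orders(id, owner, total)`, an `ORDERS_DB_CONNECTION` environment variable, and a `svc_orders` database account. It also assumes the class is exposed over HTTPS by whatever hosting you choose on Linux (ASMX or WCF under Mono, or ASP.NET Core), so that the per-user password is not sent in clear text, and a .NET version that has the `HashAlgorithmName` overload of `Rfc2898DeriveBytes` (.NET Framework 4.7.2+, .NET Core, recent Mono).

```csharp
// Added example (not from the original thread). Server-side service layer that
// holds the DB credentials; clients only ever hold their own service login.
using System;
using System.Data;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;   // assumed provider; MySqlConnection implements IDbConnection

public sealed class OrderService
{
    // Read from the server's own environment (hypothetical variable name). This
    // value never ships inside the client .exe, so decompiling the client cannot recover it.
    private static string ConnectionString
    {
        get
        {
            string cs = Environment.GetEnvironmentVariable("ORDERS_DB_CONNECTION");
            if (string.IsNullOrEmpty(cs))
                throw new InvalidOperationException("ORDERS_DB_CONNECTION is not set");
            return cs;
        }
    }

    // The account named in that connection string should be restricted with MySQL
    // GRANTs to exactly the statements this service issues, for example:
    //   GRANT SELECT ON shop.app_user TO 'svc_orders'@'10.0.0.%';
    //   GRANT SELECT ON shop.orders   TO 'svc_orders'@'10.0.0.%';
    // so that even a leaked service password cannot DROP, TRUNCATE or DELETE anything.
    private static IDbConnection Open()
    {
        IDbConnection conn = new MySqlConnection(ConnectionString);
        conn.Open();
        return conn;
    }

    // Step 1: verify the caller's *own* service login (never a shared DB login).
    // Returns the caller's role, or null when the credentials are wrong.
    public string Authenticate(string username, string password)
    {
        using (IDbConnection conn = Open())
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT password_hash, salt, role FROM app_user WHERE username = @u";
            AddParam(cmd, "@u", username);
            using (IDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                byte[] stored = (byte[])r["password_hash"];
                byte[] salt = (byte[])r["salt"];
                byte[] computed = DeriveKey(password, salt);
                return FixedTimeEquals(stored, computed) ? (string)r["role"] : null;
            }
        }
    }

    // Step 2: one method per atomic operation. The client never sends SQL; it only
    // names the operation and its parameters, and the authorization rule ("users see
    // only their own orders, admins see any") is enforced here, where it cannot be bypassed.
    public decimal GetOrderTotal(string username, string password, int orderId)
    {
        string role = Authenticate(username, password);
        if (role == null) throw new UnauthorizedAccessException("bad credentials");

        using (IDbConnection conn = Open())
        using (IDbCommand cmd = conn.CreateCommand())
        {
            if (role == "admin")
            {
                cmd.CommandText = "SELECT total FROM orders WHERE id = @id";
            }
            else
            {
                cmd.CommandText = "SELECT total FROM orders WHERE id = @id AND owner = @u";
                AddParam(cmd, "@u", username);
            }
            AddParam(cmd, "@id", orderId);

            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                throw new UnauthorizedAccessException("no such order for this user");
            return Convert.ToDecimal(result);
        }
    }

    // Parameters, never string concatenation, so client input cannot alter the SQL.
    private static void AddParam(IDbCommand cmd, string name, object value)
    {
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value;
        cmd.Parameters.Add(p);
    }

    // PBKDF2-HMAC-SHA256 with a per-user salt; the table stores only this hash.
    private static byte[] DeriveKey(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Sending the user's password with every call keeps the example short; a real service would verify it once and hand back a short-lived session token for subsequent calls. The property that matters for the question is unchanged either way: the client binary contains only the service's address and the user's own login, which is exactly what the answers above say a user is allowed to see, and all the user can do with it is call the service's operations under the service's authorization rules.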