Reputation:
How can I hide the details within my .NET executable?
If I have a simple CRUD app executable in .NET, what prevents a user from loading it into RedGate Reflector and viewing all the contents, including db connection strings, passwords, etc?
Can I protect against this in any way?
Upvotes: 1
Views: 882
Answers (7)
Reputation: 11
You can put your passwords and connection strings in an hashtable or xml then encrypt your data, make an zip file with a password hidden in text file hidden with stenography behind an image. All your unzip and reading make in memory after making a read make a release, flush of memory, call the collector, after using your connection strings and fill clean your variables. Keep only the data you need in memory, be careful in using ram.
Upvotes: 1
Reputation: 11489
Obfuscation is never the right answer. Maybe you're going about this the wrong way.
There are several ways I can think of so that the connection string is either not available or not important.
You could put your database behind a web service so that the connection string to the database would only be known to the web service. Of course, you'd need another way to restrict access to the web service, such as using login credentials.
Or, you could give each user their own SQL login name/password. That way, they would know their own userid/password but it would be easy to "turn it off" from the database. This also gives you much better control over each person's access to the database itself... like what tables/views they have access to, and what type of access.
Upvotes: 2
Reputation: 432180
It depends what you want to protect.
If it's DB connection string with passwords, then don't store them, Example: set up IIS App Pool to run a limited service account to connect to the database and the trusted security. Assuming decent database security, knowledge of servername etc is useless.
Upvotes: 1
Reputation: 56083
including db connection strings, passwords
Define security in the database engine: limit users, limit machines from which users can connect, limit what users can do, and/or specify that users may interact with the database only via defined "stored procedures".
Upvotes: 1
Reputation: 351466
No, the best you can do is obfuscate the assembly to make it harder to read and understand but other than that there is not way to stop someone from using Reflector or ILDASM to view the IL in your assembly.
Remember that the CLR needs to be able to read this assembly as well so if the CLR can read the assembly, so can anyone else.
Upvotes: 3
Reputation: 2894
You can make it hard to do so (obfuscation, string encryption, etc.) but it will never be impossible to reverse-engineer as long as the user has access to the executable.
Upvotes: 1
Reputation: 32900
Obfuscation would be an option. But I guess you cannot hide e.g. password strings completely. That's really unsafe.
Upvotes: 0
Related Questions
- How to remove private information while creating an executable/DLL file with Visual Studio?
- Hiding private details from open source projects
- Hide c# windows application source code
- How to hide important string variable values in exe
- Hiding a property (C#)
- How to keep .NET program logic (reasonably) secret?
- Hiding information of Application in C# from Disassembler
- Hiding Important Data
- How to hide the plumbings of program.cs
- C# and Data Hiding