Password storage in code. How to make it safe?

Question

I have made an application in C# that sends mail and SMS ( SMS via an API). It works perfectly, but my concern is that someone will decompile my application, which has the credentials to both the sending emailaccount and the API. The API works with

private void sendSMS(String username, String password, String destination, String body, String sender)
{
    String browserURL = "http://api.messagebird.com/api/sms?username=" 
        + username + "&password=" + password + "&destination=" 
        + destination + "&body=" + body + "&sender=" + sender;
    _w.Navigate(browserURL);
}

Just by decompiling or using wireshark the "hacker" can send SMS as he desires, while the application is designed to send him an SMS on special events like a security breach in his house. also I don't want the hacker be able to change the E-mail's password, so other users don't get their email anymore.
How can I prevent this?

The code is designed to run on the customers own computer/server and alert him for example if there was motion detection.

I thank you all for you answers. I choose to let the customer fill in their own credentials for mail and SMS services, just to avoid having a security breach.

Answer 1

The safest way to protect your password is simply to not store it all, at least locally.

As soon as you store anything client-side the safety of the data is only as strong as the safety of the hardware it's sitting on. For example, if someone were to install your app on a public machine (e.g. internet cafe) anyone who knows what they are doing has the potential to get access to your password. It's less of a problem if you can be sure that the app is only going to be installed on private machines and only used by "good" users (which, ultimately, you can't).

How secure you need this password to be is really down to you. The questions you really need to ask yourself are

• What sort of damage could be done if they did manage to get the password?
• What measures do I have in place to detect any sort of misuse? (e.g. IP logging etc.)
• What procedures do I have in place if someone was misusing the API? (e.g. password change)

The 3rd point poses a few problems when storing the password locally. If you detected misuse of the API and consequently changed the password, how can you cascade those changes down to the clients?

For me, the safest way to avoid all these issues is to have your app query your API server and have it return some sort of authentication token (aka API token). This token would then be passed along with any request back to your (hopefully, secure) server which validates the token and, if authorised, forwards the SMS request onto the SMS server.

Answer 2

Consider using System.Security.Cryptography.ProtectedData

This class provides access to the Data Protection API (DPAPI) available in Microsoft Windows 2000 and later operating systems. This is a service that is provided by the operating system and does not require additional libraries. It provides protection using the user or machine credentials to encrypt or decrypt data.

The class consists of two wrappers for the unmanaged DPAPI, Protect and Unprotect. These two methods can be used to encrypt and decrypt data such as passwords, keys, and connection strings.

http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx

Answer 3

Do not put secrets in code. Put them in an encrypted, safe place, on disk and read it when needed.

Obfuscation is exactly what it says: it hides rather than it protects.

Also: do not send credentials unencrypted over the internet.