Reputation: 684
How can I make a public static class "secure"?
I'm looking to create a secure wrapper for a public class with public static methods, so let's say the class is very simply:
public class MyClass {
public static int Add (int first, int second)
{
return first + second;
}
}
I want to have a client needing to access this via some secure other class that will call MyClass. At the end of the day I'm expecting to have all this code in a single dll for clients to use. The intention is to have some behaviour like:
public class SecureMyClassWrapper
{
bool _isUnlocked;
private static readonly List<string> validIds = new List<string>(){"only me", "and them"};
public SecureMyClassWrapper(string id)
{
if (validIds.Contains(id))
{
_isUnlocked = true;
}
else
{
_isUnlocked = false;
}
}
public int Add(int first, int second)
{
if (_isUnlocked)
{
return MyClass.Add(first, second);
}
else
{
// throw security exception etc.
}
}
}
There's a fair possibility that someone with more hacking ability than me is going to want to get at my static methods, so please can somebody suggest why this might be a bad approach or what I should be concerned about here? Some ideas would be that
MyClassmethods can easily be called through reflection- somebody could ildasm.exe code, change the list of
validIdsor_isUnlockedlogic (or even their values at runtime?) - possible to read a valid ID and then use it as their own
How could I guard against reflection or decompilation in these cases? Is there a standard approach for this you would recommend, e.g. Code Access Security?
Upvotes: 0
Views: 828
Answers (2)
Reputation: 2142
The only way to protect your .Net code is to use an Obfuscator. However it only does so much so it is still crack-able. Even non-.Net code is easy to crack, to have its heaps and stacks altered etc. usually for the purpose of bypassing electronic registration process with commercial software.
If you're dealing with some very sensitive code you can always put it on a cloud server but of course that implies monthly costs. In that case you may also want secured traffic (https) which is just as costly.
Ultimately, you would have to do a cost vs. benefits consideration when dealing with your code's security. It is always best practice to write your code in such a way that it can be open-source and still not compromise your users security or data.
Upvotes: 0
Reputation: 582
Host the code you want to protect in a service run on another machine. And expose the api with a Interface.
Upvotes: 1
Related Questions
- private static and private methods dilemma
- Protected Static Method Visibility
- Why would you not use static methods for all private methods?
- Make classes accessible only by static object
- C# Possible method to call protected non-static methods in current class?
- How can I avoid accessing private members of a class using Reflection?
- Private static methods. Generally good idea?
- How can static constructors be made non-private?
- Restricting access for static class
- static method with private methods within it [C#]