Reputation: 57
I made an application (Windows app) using Visual Studio. This app contains some of my sensitive data, such as a connection string etc. When I published my app I got some .exe and .dll files. But when I open these .dll and .exe files in dotPeek and other .NET decompilers, they return the same result as I programmed. If I distribute my app publicly, anyone can decompile my app and read or understand my code or decryption key. I want to know: is there any safe way to prevent this? Thanks in advance.
Sorry for my English.
Upvotes: 2
Views: 606
Reputation: 3603
The simple answer is you can't. Even if you obfuscated it (which is usually easily undoable), the connection string will end up clear on the wire and can be sniffed. The issue isn't hiding the connection string, it's getting rid of it. If it's (as I expect) a database connection string to your server, that should never happen: an untrusted application that you give out publicly should never be able to connect to your SQL server. It should call a web service with well-defined methods that do only what the application is supposed to do and that has some form of authentication built in to limit those calls to those allowed for the individual.
Basically, if your application is shipped publicly and connects directly to your database server, it's pretty much like giving everyone direct rights to read/write in your database at the same privilege level as your application, because grabbing the credentials will be trivial and no decompiling is required, just sniffing the connection information and looking at what the application sends. You need to rethink your architecture.
Upvotes: 1
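The design described in the answer above, sketched as server-side logic in C# (.NET 6 or later); this is an added example, not code from either poster. The `OrderService` class, the token format and the in-memory rows are assumptions for illustration, and user names are assumed not to contain a dot.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Runs on the server behind the web service, never inside the shipped .exe/.dll.
public sealed class OrderService
{
    private readonly byte[] _key; // token signing key, known only to the server
    // Constructed in-memory rows standing in for the real database table.
    private readonly List<(string Owner, string Item)> _orders = new()
        { ("alice", "keyboard"), ("alice", "mouse"), ("bob", "monitor") };
    public OrderService(byte[] key) => _key = key;
    private string Mac(string payload) =>
        Convert.ToHexString(HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(payload)));
    // Issued after login. Format (an assumption): "<user>.<expiryUnixSeconds>.<hex HMAC>".
    public string IssueToken(string user, TimeSpan lifetime)
    {
        string payload = $"{user}.{DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds()}";
        return $"{payload}.{Mac(payload)}";
    }
    // Returns the user name, or null if the token is forged, altered or expired.
    private string? Authenticate(string token)
    {
        string[] p = token.Split('.');
        if (p.Length != 3 || !long.TryParse(p[1], out long expiry)) return null;
        bool macOk = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(Mac($"{p[0]}.{p[1]}")), Encoding.UTF8.GetBytes(p[2]));
        return macOk && DateTimeOffset.UtcNow.ToUnixTimeSeconds() < expiry ? p[0] : null;
    }
    // The one exposed operation. The owner comes from the verified token, never from
    // a client-supplied parameter; null maps to HTTP 401 in the web layer.
    public IReadOnlyList<string>? GetMyOrders(string token) => Authenticate(token) is string user
        ? _orders.Where(o => o.Owner == user).Select(o => o.Item).ToList() : null;
}

public static class Demo
{
    public static void Main()
    {
        var service = new OrderService(RandomNumberGenerator.GetBytes(32));
        string token = service.IssueToken("alice", TimeSpan.FromMinutes(15));
        Console.WriteLine(string.Join(",", service.GetMyOrders(token) ?? new[] { "rejected" }));
        string forged = token.Replace("alice", "bob"); // payload changed, MAC no longer matches
        Console.WriteLine(string.Join(",", service.GetMyOrders(forged) ?? new[] { "rejected" }));
    }
}
```

The shipped client would hold only the per-user token; the signing key and the database connection string stay in the server's configuration, so decompiling the client reveals neither.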