Reputation: 585
Lately I've been a bit concerned with the security of my WPF app. I'm just starting out so security hasn't been my main focus but now I'm a bit worried that someone might open the .exe.config file in the Programs folder and use the credentials there. The people using this basic CRUD app wouldn't probably know what to do with it even if they get to it but I don't want to take any chances.
I am just looking for the easiest way to hide it somehow, either by using an external config file or by encrypting it. I've tried every possible answer on Stack Overflow but I just couldn't find a straightforward way of doing it.
Here's what my app.config file looks like:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c666935e080" requirePermission="false" />
  </configSections>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
  </startup>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="mssqllocaldb" />
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
  <connectionStrings>
    <add name="DailyEntities" connectionString="metadata=res://*/Model.MyModel.csdl|res://*/Model.MyModel.ssdl|res://*/Model.MyModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=xx.xxx.xx.xx,port;initial catalog=MyDB;user id=testsubject;password=password;MultipleActiveResultSets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
</configuration>
Here's what I have already tried: Protect App.Config file or Encrypt
The problem that I have with this is that it encrypts the file and it works great on my machine but I cannot deploy it on another machine.
Can someone help with some simple, dumbed-down advice/example? I don't want to use Windows Authentication or write a whole lot of code just to achieve this. Just something to make it a little harder to get the credentials.
Upvotes: 3
Views: 1774
Reputation: 2243
The short answer: you can't - nothing you put in your WPF code can ever be secure.
Sure, you could take steps like encoding the values in the config file, and then having your code decrypt them. Problem is, a potential attacker could simply dump your app into a decompiler (like dotPeek) and see exactly what your decryption method is. Basically, the only people that it'll stop are the ones that are least dangerous to have breaking into your system.
Generally, you want to put a layer between the app and the DB, so that an attacker disassembling your WPF app doesn't have a raw connection to the database. That way, instead of an attacker having a portal directly into the database, they've simply got the address of a WebService. Worst case, they start trying to call WebService ABC themselves - but that's a heck of a lot better than them having straight DB access.
Upvotes: 4
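An added example, not code from either post: one way to encrypt the question's connectionStrings section on the machine where the app is installed, which is what a machine-bound provider needs in order to survive deployment. It assumes the built-in DataProtectionConfigurationProvider (Windows DPAPI) is the provider in use, which the question does not state; the class and method names are hypothetical, and "DailyEntities" is the entry name from the question's config.

```csharp
using System.Configuration; // needs a reference to System.Configuration.dll

// Added example (hypothetical names), not the asker's or answerer's code.
static class ConnectionStringProtector
{
    // Assumption: the built-in DPAPI-backed provider. Its key material belongs to
    // the machine that performs the encryption, so a config file encrypted on a
    // developer machine cannot be decrypted after being copied to another one.
    const string Provider = "DataProtectionConfigurationProvider";
    const string SectionName = "connectionStrings";

    // Run once on the target machine, e.g. from an installer step.
    // Saving needs write access to MyApp.exe.config, which a standard user
    // does not have under Program Files by default.
    // Returns true if this call encrypted the section, false if nothing was done.
    public static bool ProtectOnThisMachine()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(SectionName);

        // Nothing to do if the section is missing or already encrypted here.
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Drop the cached plaintext copy so later reads come from the saved file.
        ConfigurationManager.RefreshSection(SectionName);
        return true;
    }

    // Reading is unchanged: the configuration system decrypts a protected
    // section transparently, so Entity Framework code needs no modification.
    public static string GetEntityConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["DailyEntities"].ConnectionString;
    }
}
```

This keeps the password out of plain sight in the deployed file. It does not change the limit the answer describes, because the application itself must still be able to decrypt the value on that machine.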