Reputation: 1118
I am making a WPF application which will handle a lot of sensitive data like usernames, passwords, emails etc. All this data is shown in textboxes and passwordboxes in the app. When the application closes I need all the data that was in memory to be deleted just so no one can later retrieve it.
Can you tell me some guidelines or tips on what I need to pay attention to, or techniques I can use to make this project as secure as possible?
Thank you
Upvotes: 2
Views: 2103
Reputation: 27382
I think you're worrying about something that's not worth worrying about.
If someone has physical access to the machine and wants to steal sensitive information, you've already lost the game.
While the usernames and passwords may not currently be in memory, the person could just install a keylogger and get it next time the application is run.
Upvotes: 3
Reputation: 8851
.NET strings are immutable and interned. Immutability renders strings unchangeable after they are created. Interning makes the CLR use one instance of a string with the same content. It also makes it harder to get rid of a string.
From MSDN:
... the memory allocated for interned String objects is not likely to be released until the common language runtime (CLR) terminates. The reason is that the CLR's reference to the interned String object can persist after your application, or even your application domain, terminates.
You could use SecureString but it is not very convenient as not many WPF controls support it apart from PasswordBox.
For example there are times when you have to show the user the password, but without converting the SecureString back into a normal string this is not possible. This brings back the problems we set out to mitigate.
So in my opinion WPF/C# would not be a good candidate language framework for an application with sensitive data.
Upvotes: 0
Reputation: 14794
The data won't remain in memory after the program execution has ended, but in theory it could be read while the program is running. You could try using SecureStrings: http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx
Also, the PasswordBox control already uses SecureString, so you're good on that part.
Upvotes: 4
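An added example, not part of any answer above: one way to use the contents of a SecureString without converting it back into an immutable System.String, by copying it into a pinned char[] that is wiped after use. The helper name WithPlaintext and the SHA-256 consumer are assumptions made for illustration; the sample secret is constructed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class SecureStringDemo
{
    // Hypothetical helper: runs `use` over the characters of `secret` without
    // creating a managed string, then wipes every temporary copy it made.
    static T WithPlaintext<T>(SecureString secret, Func<char[], T> use)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        // Pin the array so the GC cannot relocate it and leave a stale copy behind.
        GCHandle pin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            return use(chars);
        }
        finally
        {
            Array.Clear(chars, 0, chars.Length);               // wipe managed copy
            pin.Free();
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged); // wipe and free native copy
        }
    }

    static void Main()
    {
        // Constructed sample input. In a WPF app the SecureString would come from
        // PasswordBox.SecurePassword instead of a string literal.
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();

            // Stand-in consumer (not a password-storage scheme): digest the characters.
            string digest = WithPlaintext(secret, chars =>
            {
                byte[] bytes = Encoding.UTF8.GetBytes(chars);
                try { using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(bytes)); }
                finally { Array.Clear(bytes, 0, bytes.Length); } // consumer wipes its own copy
            });
            Console.WriteLine(digest);
        }
    }
}
```

The plaintext still exists in process memory for the duration of the callback, so this narrows the exposure window rather than removing it.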