Reputation: 829
Which would be the best way to encrypt the connection string for SQL Server CE (Local Database), or the connection password, for a Windows Phone app? Because if you have it in plain text, for example:
"Data Source='isostore:/database.sdf';Password='mypassword';"
it is vulnerable if anyone decompiles your app.
But if I have the encrypted password in a file (stored in isolated storage) it may also be vulnerable if someone decompiles the app, because he can see the code to decrypt it.
Another way would be to encrypt with a key that is not stored. The problem is that I don't want the user to have to enter the PIN or password each time to get access... and if he forgets his PIN or key he cannot access his private data.
The data contained in the database are of a basic type (contacts, tasks, ...). The data are not high risk or confidential...
Any idea?
Upvotes: 1
Views: 1434
Reputation: 65566
The only way to not have a password on the phone (even in an obfuscated form) is to retrieve it from a remote/web server when first needed and then store it on the device using the ProtectedData class.
Upvotes: 1
Reputation: 516
There is always a security risk if you have sensitive data stored locally on the phone; there are a few ways to mitigate this.
i) Use the built-in ProtectedData.Protect, with no additional entropy data - this encrypts the data, and the user does not need to enter anything.
ii) Again use ProtectedData.Protect, but get the user to enter a password and use that as the additional entropy value; but, as you say, if they forget the password you cannot get the data back.
iii) Store the data in a cloud-based service and get the app to retrieve the details as required.
Hope this helps.
Upvotes: 1
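The two answers above (fetch or create the password once, then keep it under ProtectedData) as a worked example. This is added code, not from the question or either answer; the file name `dbpassword.bin`, the 24-byte random password and the `userPin` parameter are assumptions. It targets the Windows Phone 7.1 `ProtectedData.Protect(byte[], byte[])` / `Unprotect(byte[], byte[])` overloads and isolated storage. Passing `null` as `userPin` is option (i); passing the user's PIN is option (ii).

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

// Added example: the SQL CE password is never compiled into the app. It is
// created on first run (or, per the first answer, fetched from your own server
// at that point), wrapped with ProtectedData.Protect, and only the protected
// blob is kept in isolated storage. File name and password size are assumptions.
public static class DatabasePassword
{
    private const string BlobFile = "dbpassword.bin"; // assumed name

    // userPin == null : option (i), no extra entropy, nothing for the user to type.
    // userPin != null : option (ii), the PIN is the optional entropy; a wrong or
    //                   forgotten PIN makes Unprotect throw CryptographicException
    //                   and the password (and so the database) is unrecoverable.
    public static string GetOrCreate(string userPin)
    {
        byte[] entropy = userPin == null ? null : Encoding.UTF8.GetBytes(userPin);

        using (IsolatedStorageFile store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (store.FileExists(BlobFile))
            {
                byte[] blob = ReadAll(store, BlobFile);
                byte[] plain = ProtectedData.Unprotect(blob, entropy);
                return Encoding.UTF8.GetString(plain, 0, plain.Length);
            }

            // First run: a random password nobody, including the developer, knows,
            // so there is nothing to read out of the decompiled binary.
            string password = NewRandomPassword();
            byte[] protectedBlob = ProtectedData.Protect(Encoding.UTF8.GetBytes(password), entropy);
            using (IsolatedStorageFileStream s = store.CreateFile(BlobFile))
            {
                s.Write(protectedBlob, 0, protectedBlob.Length);
            }
            return password;
        }
    }

    // Base64 never contains quotes or semicolons, so the value needs no escaping
    // inside the connection string.
    public static string ConnectionString(string password)
    {
        return "Data Source='isostore:/database.sdf';Password='" + password + "';";
    }

    private static string NewRandomPassword()
    {
        byte[] bytes = new byte[24]; // 32 Base64 characters
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static byte[] ReadAll(IsolatedStorageFile store, string name)
    {
        using (IsolatedStorageFileStream s = store.OpenFile(name, FileMode.Open, FileAccess.Read))
        {
            byte[] buffer = new byte[s.Length];
            int read = 0;
            while (read < buffer.Length)
            {
                int n = s.Read(buffer, read, buffer.Length - read);
                if (n <= 0) break; // short read: stop rather than loop forever
                read += n;
            }
            return buffer;
        }
    }
}
```

Usage is `new MyDataContext(DatabasePassword.ConnectionString(DatabasePassword.GetOrCreate(null)))` at startup, where `MyDataContext` is your own LINQ to SQL context. The database must be created with this password on first run, so call `GetOrCreate` before `CreateDatabase()`. For option (ii), wrap the call in a `try`/`catch (CryptographicException)` and treat a failure as "wrong PIN"; there is no recovery path, which is exactly the trade-off the second answer describes.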
Reputation: 66882
This recent question contains lots of helpful suggestions - How can I securely embed a static string (key) in C#?
However, for accessing a local database, then I'm not sure you need this security at all - I think the WP7 sandbox will keep your database safe from other apps.
Upvotes: 2