Thread: Hiding / Avoiding Hardcoded String

#1  kshadow22 (Thread Starter)

    Question: Hiding / Avoiding Hardcoded String

    Currently I am working on a form where a user creates a profile and such. However, some of the data has to be protected, as it can be sensitive to the end user. My program uses an encryption (3DES) that uses plain text as a wrapper or cipher.

    vb.net Code:
        ' Simple3Des is assumed to be the helper class from Microsoft's VB encryption walkthrough;
        ' the password literal below is exactly what a decompiler shows.
        Dim wrapper As New Simple3Des("OBIVOUS PASSWORD WHEN DECOMPILED")
        Dim cipherText As String = wrapper.EncryptData("information to be encrypted")

    It doesn't take long at all to decompile any .NET application, and there are many obfuscating tools available out there to help protect your application from being decompiled easily, or at the least make it difficult for the end user to comprehend your application solution. I've researched a lot of the tools available for obfuscating code, along with encrypting "plain in sight" strings, but only premium and intensive software have the functionality to give the protection I need to hide this string, which, realistically, is the only thing I need.

    I read a few forum posts from other people inquiring about the same problem, and they were all referred to creating a DLL with the information stored within the file, and retrieving the information from the DLL file. However, I am not sure how secure that really is, AND if it is, how to really do it efficiently. In one way or another, I need to store this wrapper string without it being easily seen or noticed by posing some sort of challenge. I have looked into the SecureString class and have found that it would prevent my string from being placed into memory, but will not hide my string from being decompiled / debugged. I read online that if you had a web.config, you could encrypt the configuration, but this will not work because it is not a web application; it is an app configuration. There is a workaround for this, but I will not be using the application / user settings within the project. Everything is stored in a local file in the application directory.

    I feel that I have done extensive research on this topic and am still lost on how I can hide or avoid this string in one way or another. Any pointers, tips, or advice would be greatly appreciated. I wanted you guys to realize the extent in how much effort I am willing to put into this to get this covered up. I feel this places a huge vulnerability in my program.

    Thank you guys!

#2  peterst (Fanatic Member)

    Re: Hiding / Avoiding Hardcoded String

    When the application that decrypts the information runs on the client's machine, the short answer is no, it is not possible to protect it. Via "security through obscurity" methods you can make it harder to find the encryption keys, but it will be mostly a waste of time.

    Just make encryption keys not strings but arrays of bytes, and use the full range of byte values from 0 to 255 so they cannot be seen as easily as strings. Example key:
    VB.NET Code:
        Dim key As Byte() = {104, 145, 0, 150, 178, 182, 68, 247, 21, 205, 121, 112, 235, 60, 237, 114}

    To make it harder (still via security through obscurity) to obtain the keys by just copying them from the decompiled app, you can change the order of bytes used in the real key, e.g. exchange values at different indexes: key(0) and key(15), key(1) and key(7), key(2) and key(10), etc. Also create multiple routines to do that, and add some useless math when calculating indexes, which will make the decompiled code really long and will take time for someone to understand.

    In general create as much spaghetti code to make it harder to read.

    But still, all that "protection" (when the EXE and DLLs are on the client machine) is just a waste of time.
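An added example (mine, not code from the thread) that shows both halves of this post in Python rather than VB.NET: the key stored as scrambled raw bytes with a routine that puts it back in order, and what that buys against the two things anyone holding the EXE actually does, a strings scan and a breakpoint on the cipher. The Cipher class and the FAKE_BINARY blob are constructed stand-ins for the Simple3Des wrapper and the compiled program; they are not real 3DES or a real PE image.

```python
from __future__ import annotations

# What the thread's opening post ships today: the 3DES password as readable text.
ASCII_KEY = b"OBIVOUS PASSWORD WHEN DECOMPILED"

# peterst's alternative. REAL_KEY is the 16-byte array from post #2;
# SCRAMBLED_KEY is the same bytes with positions (0,15), (1,7) and (2,10)
# exchanged, and it is the scrambled form that would be compiled into the EXE.
REAL_KEY = bytes([104, 145, 0, 150, 178, 182, 68, 247,
                  21, 205, 121, 112, 235, 60, 237, 114])
SWAPS = ((0, 15), (1, 7), (2, 10))
SCRAMBLED_KEY = bytes([114, 247, 121, 150, 178, 182, 68, 145,
                       21, 205, 0, 112, 235, 60, 237, 104])


def unscramble(stored: bytes) -> bytes:
    """Rebuild the real key at run time. Each swap is its own inverse, so the
    same routine both scrambles and unscrambles. (The post suggests spreading
    this over several routines with filler arithmetic; the result is the same.)"""
    key = bytearray(stored)
    for i, j in SWAPS:
        key[i], key[j] = key[j], key[i]
    return bytes(key)


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Minimal 'strings'-style scan: runs of printable ASCII of at least
    min_len bytes. This is the first tool pointed at any binary."""
    found, run = [], bytearray()
    for b in blob + b"\x00":          # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


# Constructed stand-in for a compiled image: non-printable filler with both key
# representations embedded. It is not a real PE file.
FAKE_BINARY = (b"MZ\x90\x00" + bytes(range(0, 32)) + ASCII_KEY
               + bytes(range(128, 160)) + SCRAMBLED_KEY + b"\xff" * 16)


def key_visible_to_strings_scan(blob: bytes = FAKE_BINARY) -> tuple:
    """Returns (ASCII key found by the scan, scrambled byte key found by it)."""
    hits = printable_strings(blob)
    ascii_hit = any(ASCII_KEY.decode("ascii") in s for s in hits)
    bytes_hit = any(SCRAMBLED_KEY in s.encode("ascii") for s in hits)
    return ascii_hit, bytes_hit


class Cipher:
    """Stand-in for the Simple3Des / TripleDES object. Whatever form the key is
    stored in, the cipher has to be handed the real key, in the clear."""

    def __init__(self, key: bytes):
        if len(key) not in (16, 24):
            raise ValueError("3DES keys are 16 or 24 bytes")
        self.key = bytes(key)


def open_profile() -> Cipher:
    """The application's own path: rebuild the key and hand it to the cipher."""
    return Cipher(unscramble(SCRAMBLED_KEY))


def recover_key_with_hook() -> bytes:
    """What someone with the EXE and a debugger does instead of reading the
    spaghetti: break on the cipher constructor and copy its key argument.
    Monkeypatching Cipher.__init__ models that breakpoint."""
    seen = []
    original_init = Cipher.__init__

    def spy(self, key):
        seen.append(bytes(key))
        original_init(self, key)

    Cipher.__init__ = spy
    try:
        open_profile()
    finally:
        Cipher.__init__ = original_init
    return seen[0]
```

The scan finds the ASCII password and not the byte array, which is the gain this post describes; the hook recovers the real key without anyone reading unscramble(), which is why the rest is called a waste of time. The same applies to the opening post's Simple3Des wrapper: its constructor is the breakpoint.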

#3  kshadow22 (Thread Starter)

    Re: Hiding / Avoiding Hardcoded String

    Quote Originally Posted by peterst
    [post #2, quoted in full]
    Hmmm, very interesting. That is what I will do. Thank you for your response.

    I have not had experience encrypting data with the use of "Byte" as my data type. I will look more into that and see what I can learn.

    Typically, aside from encrypting data or the solution I am implementing, is there any more secure way of storing user information?

#4  Shaggy Hiker (Super Moderator)

    Re: Hiding / Avoiding Hardcoded String

    At some point, all security fails. You have to decide what you can live with. If you can work through a server, then you can store the data on a server, and only offer up what the client wants to see. However, if a person has full access to your server, then securing something from them becomes nearly impossible. For a program installed on a client computer, there are also limits to how secure you can make the data. You can certainly encrypt the data, but the code and the key for doing that encrypting/decrypting is going to be part of your program, so it is there on the client computer as part of the program. Can somebody tear apart the program to see how the encryption is being done and decrypt it? Certainly, with some amount of effort. All encryption strategies, at that point, are about making it too difficult for a person with a certain amount of skill and motivation, but with the expectation that a sufficiently motivated person can still crack the encryption because they'll have the program that does the encryption.

    So, you're always needing to think about who it is you are protecting the data from when thinking about how to secure the data.
    My usual boring signature: Nothing

#5  kshadow22 (Thread Starter)

    Re: Hiding / Avoiding Hardcoded String

    Quote Originally Posted by Shaggy Hiker
    [post #4, quoted in full]
    Alright, thank you for sharing that- I understand what you are saying. You mentioned using a server to help secure data. Would a local database provide the same security?

    Quote Originally Posted by Shaggy Hiker
    If you can work through a server, then you can store the data on a server, and only offer up what the client wants to see.
    So if I created a database that only stored that key, is there some functionality that would allow only my application to access the database to retrieve that key? Or perhaps something similar...?

#6  Shaggy Hiker (Super Moderator)

    Re: Hiding / Avoiding Hardcoded String

    Possibly. Some versions of Access could be locked with a password, for example, and other databases certainly have security features. I have no idea how secure that password protection is. Of course, your application will have access to the database, and the credentials for the login will be yet another string located in some fashion in your program. Therefore, a sufficiently industrious person could still get through, because they would be able to obtain a valid login with some amount of effort.

    I suppose that if you wanted the most security for some resource, you'd keep it on a server in your possession, and only allow access to it via a web service.

    I'm fortunate not to have to deal with anything like that, though, so I don't know it all that well. What I know is: if the prize is sufficiently valuable, people will put in impressive effort to pick the locks. When Id Software put out Wolfenstein 3D, they put a hidden level in the game with a hidden area that led to a maze containing a single word. The intention was to run a competition where the first N people to tell them the word would win something. The competition never happened, because as soon as the game hit the street, people hacked the code to get the word, rather than trying to find the way to the secret level, as intended. The prize was insignificant, too, so people were willing to hack that code just because they could prove that they could by finding the word. So, it doesn't take a whole lot of incentive.
    My usual boring signature: Nothing
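As an added example (not code from the thread), here is the shape of the design described in posts #4 and #6, modelled in one Python process: a service that keeps the sensitive data on a machine only the author controls and authenticates each user with that user's own password, and a desktop client that ships with no key and no credential. The usernames, passwords, profile fields and PBKDF2 parameters are constructed for the example; the request/response dicts stand in for the JSON an actual web service would exchange over HTTPS.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; constructed for the example and kept modest so it runs fast.
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class ProfileService:
    """The server side. Everything sensitive lives here; nothing in the desktop
    EXE can be decompiled to get at it because the EXE never held it. Users
    authenticate with their own password, so there is no application-wide
    credential that would need hiding in the client either."""

    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._profiles = {}   # username -> sensitive profile fields
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, password: str, profile: dict) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))
        self._profiles[user] = dict(profile)

    def handle(self, request: dict) -> dict:
        """One web-service call. Only the caller's own profile is ever returned."""
        if request.get("op") != "get_profile":
            return {"status": "error", "reason": "unknown op"}
        user = request.get("user", "")
        password = request.get("password", "")
        record = self._users.get(user)
        if record is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            _hash_password(password, self._dummy_salt)
            return {"status": "denied"}
        salt, expected = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return {"status": "denied"}
        return {"status": "ok", "profile": dict(self._profiles[user])}


class DesktopClient:
    """The client side: builds the request and shows whatever comes back. It
    holds no key and no service credential. The transport (HTTPS in a real
    deployment) is out of scope for this in-process model; 'send' is a call."""

    def __init__(self, send):
        self._send = send   # callable: request dict -> response dict

    def fetch_profile(self, user: str, password: str):
        response = self._send({"op": "get_profile", "user": user, "password": password})
        return response.get("profile") if response.get("status") == "ok" else None


def demo() -> dict:
    """Constructed scenario: two users, one correct login, one wrong password,
    one user trying another user's record with his own password, one stranger."""
    service = ProfileService()
    service.register("alice", "correct horse", {"ssn_last4": "1234"})
    service.register("bob", "battery staple", {"ssn_last4": "9876"})
    client = DesktopClient(service.handle)
    return {
        "alice_own": client.fetch_profile("alice", "correct horse"),
        "alice_wrong_pw": client.fetch_profile("alice", "wrong"),
        "bob_as_alice": client.fetch_profile("alice", "battery staple"),
        "stranger": client.fetch_profile("mallory", "anything"),
    }
```

This does not beat the thread's conclusion: whatever the server returns to a user is visible to that user, and a user who debugs the client sees their own password and their own data. What changes is that there is no longer one application-wide secret in the EXE whose disclosure exposes every user's data, which is the exposure a hardcoded 3DES key creates.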

#7  kshadow22 (Thread Starter)

    Re: Hiding / Avoiding Hardcoded String

    Quote Originally Posted by Shaggy Hiker
    [post #6, quoted in full]
    Nice, it is interesting to hear that about Wolfenstein, as it brings a lot of understanding to what you are telling me. I think between what you have shared with me and peterst, total security on something like this could be impossible or extremely difficult. I'll set my goal to secure my application by "security through obscurity", keeping in mind that this is a project that, unfortunately, cannot give complete security unless I implement a server which only I have control of. I think for future programs the server idea would be ideal if I made a profit off of the software; however, the software I am working on is non-profit, and that will have to be a part of the limitations of it being freeware.

    Thank you for your time- it was very greatly appreciated! You went beyond and gave me a great response. Thanks!
