<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title type="html">Security - SeeSharp</title>
  <icon>http://www.hightech.ir/favicon.ico</icon>
  <logo>http://www.hightech.ir/favicon.png</logo>
  <updated>2009-04-13T17:31:00</updated>
  <subtitle type="html">A C# development blog</subtitle>
  <id>http://www.hightech.ir/tags/security/atom</id>
  <link rel="alternate" type="text/html" hreflang="en" href="/tags/security/atom"/>
  <link rel="self" type="application/atom+xml" href="http://www.hightech.ir/Tags/Security/ATOM"/>
  <generator uri="http://oxite.net" version="1.0">Oxite</generator>
  <entry>
    <title type="html">Key-Gen for .NET Apps!</title>
    <link rel="alternate" type="text/html" href="http://www.hightech.ir/SeeSharp/key-gen-for-net-apps"/>
    <id>http://www.hightech.ir/SeeSharp/key-gen-for-net-apps</id>
    <updated>2009-10-18T14:02:01.123</updated>
    <published>2009-04-13T17:31:00</published>
    <author>
      <name>HEskandari</name>
    </author>
    <category term="Security" />
    <category term="Cracking" />
    <content type="html" xml:lang="en">
      &lt;p&gt;You all know that a .NET application is compiled from high-level source code (e.g. C#) into IL. Basically, if you could convert the IL back to the high-level language, you'd have the original source code of the application, and to some extent you can do this, but that is a story for another post. Today I want to show you how your public licensing API provides a very easy way to crack open your own application.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Note: I take no responsibility for how you use this piece of information. By reading these instructions you accept sole responsibility for any illegal use. The names and information provided here are changed to protect the innocent.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Suppose you've put a lot of energy and time into writing your state-of-the-art application and you've released it to the market. After a while some junior software developer tries to inspect your assembly to see how you've managed to do a special trick or two. (Mind you, that's not what I'd suggest you do, dear reader, because you might end up facing copyright infringement lawsuits.)

Now, while he's inspecting the API, he encounters your licensing API, and even worse, those APIs are public:&lt;/p&gt;

&lt;pre class=&quot;brush:c-sharp&quot;&gt;
public class RSALicenseCodec : IEncoder, IDecoder
{
}

public class License
{
   public Guid LicenseId = Guid.NewGuid();
   public DateTime EndTime;
   public string LicensedTo;
   public DateTime PurchaseDate;
   public LicenseType Type;
   public DateTime StartTime;
}

public static string LicenseToKey(IEncoder encoder, License license)
{
}

public static License KeyToLicense(IDecoder decoder, string key)
{
}
&lt;/pre&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Note: Actual implementation was cut off!&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;a href=&quot;http://lh5.ggpht.com/_Z5KTIfnfuNs/SeM3oQHECXI/AAAAAAAAANo/1VHcQuUrtKA/s1600-h/Licensing-API%5B4%5D.png&quot;&gt;&lt;img style=&quot;border: 0px none ; display: inline;&quot; title=&quot;Licensing-API&quot; alt=&quot;Licensing-API&quot; src=&quot;http://lh6.ggpht.com/_Z5KTIfnfuNs/SeM3pRERlsI/AAAAAAAAANs/ZD6epIBV_3M/Licensing-API_thumb%5B2%5D.png?imgmax=800&quot; width=&quot;305&quot; border=&quot;0&quot; height=&quot;109&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;

&lt;p&gt;Now, with all these public APIs, the only thing standing between a novice developer with bad intentions and a perfect key-gen for your application is the copyright infringement lawsuit! Do you think that alone is enough?&lt;/p&gt;

&lt;p&gt;I don't want to give you the idea that by only making these APIs private you're safe; no. There are a lot of things you should do before you're even close to being safe from hackers and crackers, but in my opinion taking all that care would not save you either. Almost nothing can stop a motivated cracker.&lt;/p&gt;
    </content>
  </entry>
  <entry>
    <title type="html">Application Security : The Very Least</title>
    <link rel="alternate" type="text/html" href="http://www.hightech.ir/SeeSharp/application-security-very-least"/>
    <id>http://www.hightech.ir/SeeSharp/application-security-very-least</id>
    <updated>2009-09-27T08:27:58.837</updated>
    <published>2008-10-12T09:54:00.003</published>
    <author>
      <name>HEskandari</name>
    </author>
    <category term="NET" />
    <category term="Security" />
    <category term="CodeAnalysis" />
    <content type="html" xml:lang="en">
      When developing applications, security measures should be thought of upfront. Security is an even greater issue when the application exposes an online data source, transfers sensitive data across the wire, etc. But what happens when a careless developer hard-codes significant security information into the application code, without even obfuscating the application? Well, you WILL get hacked sooner or later. Your system will be misused without you even knowing it, and let's hope you have a backup strategy, because there is a chance that your whole database will be erased by a malicious hacker. Don't you agree?&lt;br /&gt;&lt;br /&gt;
&lt;center&gt;&lt;a href=&quot;http://www.hightech.ir/BlogPics/ApplicationSecurityTheVeryLeast_9A6B/AnalysedApp.png&quot;&gt;&lt;img style=&quot;border-width: 0px;&quot; alt=&quot;Analysed App&quot; src=&quot;http://www.hightech.ir/BlogPics/ApplicationSecurityTheVeryLeast_9A6B/AnalysedApp_thumb.png&quot; border=&quot;0&quot; height=&quot;140&quot; width=&quot;840&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style=&quot;;font-family:Tahoma;font-size:78%;&quot;&gt;Connection string is hard-coded into the application code.&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;
Here's what I think you should consider when building applications that work over the Internet:&lt;br /&gt;&lt;br /&gt;
&lt;ul&gt;
  &lt;li&gt;Never hard-code any username / password into the application.&lt;/li&gt;
  &lt;li&gt;Never store passwords in configuration files.&lt;/li&gt;
  &lt;li&gt;Never connect directly to your database; use a service layer instead. Limit the physical / logical access to your database machine to only the server running the service layer.&lt;/li&gt;
  &lt;li&gt;At least obfuscate the assemblies that contain security-related code.&lt;/li&gt;
  &lt;li&gt;Always store encrypted passwords in your database. That goes for application users' passwords as well. Apply &lt;a href=&quot;http://en.wikipedia.org/wiki/Password_salting&quot;&gt;salt&lt;/a&gt; to all passwords.&lt;/li&gt;
  &lt;li&gt;Consider using two separate databases for your web site and application.&lt;/li&gt;
  &lt;li&gt;Consider using an ORM for your data access. At the very least use stored procedures or parameterized queries if you're directly using ADO.NET.&lt;/li&gt;
  &lt;li&gt;Always use a logging mechanism. Log actions performed by power users. Log unsuccessful login attempts.&lt;/li&gt;
&lt;/ul&gt;
&lt;center&gt;&lt;a href=&quot;http://www.hightech.ir/BlogPics/ApplicationSecurityTheVeryLeast_9A6B/PasswordValidation.png&quot;&gt;&lt;img style=&quot;border-width: 0px; margin: 0px;&quot; alt=&quot;Password Validation&quot; src=&quot;http://www.hightech.ir/BlogPics/ApplicationSecurityTheVeryLeast_9A6B/PasswordValidation_thumb.png&quot; border=&quot;0&quot; height=&quot;149&quot; width=&quot;460&quot; /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style=&quot;;font-family:Tahoma;font-size:78%;&quot;&gt;Passwords are stored as clear text. Power-user validation is hard-coded into the code.&lt;/span&gt;&lt;/center&gt;&lt;br /&gt;
&lt;p&gt;Honestly, the list is so long that I had to limit it to the VERY BASIC rules only, things you'd think everyone knows, but as it turns out there are people out there who do not. Even if you do all the above there's a good chance that you still get attacked, but these are the VERY LEAST rules that you should always follow.&lt;br /&gt;&lt;br /&gt;Note: Pictures are taken from a real application! Sensitive information is erased to protect the innocent(!).&lt;/p&gt;
    </content>
  </entry>
</feed>
