Solved

secure mysql data from vb.net app

Posted on 2014-10-07
2
453 Views
Last Modified: 2014-10-08
Hi all ehre is my question:

I have a litle app to connect to a remote mysql database wich will be used by some clients, but the data server address, database name, user and pass is inside my app I want to know of someone wuould be able to dissamble my app and get that information to connect or get all the database (and edit it); how safe is thhis? and if theres is a way to block the comand to list all the tables inside the database, so if somebody even when he gets the server addres and user.. he would not be able to list the users. any ideas?
0
Comment
Question by:carloselfaite
2 Comments
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 500 total points
ID: 40367684
You described the core of the problem. Any .NET code is easier to decompile than C/C++ code. But in that case to get at a connection string you wouldn't even need to decompile an EXE or DLL, just looking at it with a hex editor will reveal internal string literals, also connection strings.

So you will want to encrypt the connection string. When you have the connection string encrypted with a key, you'd store the key inside a keystore, protected with a passphrase, the passphrase stored... you see where this is going? At the end of this chain, there's some relatively small piece of information that if you obtain it - you can pretty much break the whole chain.

In the end you can only be safe by keeping some secret outside of the executable, eg let users enter a password/key/passphrase, which decrypts the connection string.

That way you somewhat need to trust users not reveal this password, but you also don't give them the info needed to go into the database directly.

Besides that solution trusting users, the end of the key chain may be a hardware security module (HSM) or a dongle. Even that way you trust at least one admin adding the dongle to some server.

All other things depend on security by obfuscation.

An MS SQL Server database offers connections via the windows account authentication. That moves the problem to the security of each users windows account and you can grant or withdraw permission to windows accounts or windows user groups. So you could have a minimum local MSSQL database containing the MySQL connection string or a key for it's decryption and get it from there with a connection string you can leave in your executable unencrypted. The chain of credentials then ends at each users windows account password.

Bye, Olaf.
0
 
LVL 4

Author Comment

by:carloselfaite
ID: 40369240
thanks I have done encrypting the conection string with 3des !
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
category table 2 25
How to retrieve a mysql date column that has 0000-00-00 in vb.net 8 35
mysql date time 14 31
Creating Functions in phpMyAdmin 8 18
Creating an analog clock UserControl seems fairly straight forward.  It is, after all, essentially just a circle with several lines in it!  Two common approaches for rendering an analog clock typically involve either manually calculating points with…
Creating and Managing Databases with phpMyAdmin in cPanel.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question