Solved

secure mysql data from vb.net app

Posted on 2014-10-07
2
476 Views
Last Modified: 2014-10-08
Hi all ehre is my question:

I have a litle app to connect to a remote mysql database wich will be used by some clients, but the data server address, database name, user and pass is inside my app I want to know of someone wuould be able to dissamble my app and get that information to connect or get all the database (and edit it); how safe is thhis? and if theres is a way to block the comand to list all the tables inside the database, so if somebody even when he gets the server addres and user.. he would not be able to list the users. any ideas?
0
Comment
Question by:carloselfaite
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 500 total points
ID: 40367684
You described the core of the problem. Any .NET code is easier to decompile than C/C++ code. But in that case to get at a connection string you wouldn't even need to decompile an EXE or DLL, just looking at it with a hex editor will reveal internal string literals, also connection strings.

So you will want to encrypt the connection string. When you have the connection string encrypted with a key, you'd store the key inside a keystore, protected with a passphrase, the passphrase stored... you see where this is going? At the end of this chain, there's some relatively small piece of information that if you obtain it - you can pretty much break the whole chain.

In the end you can only be safe by keeping some secret outside of the executable, eg let users enter a password/key/passphrase, which decrypts the connection string.

That way you somewhat need to trust users not reveal this password, but you also don't give them the info needed to go into the database directly.

Besides that solution trusting users, the end of the key chain may be a hardware security module (HSM) or a dongle. Even that way you trust at least one admin adding the dongle to some server.

All other things depend on security by obfuscation.

An MS SQL Server database offers connections via the windows account authentication. That moves the problem to the security of each users windows account and you can grant or withdraw permission to windows accounts or windows user groups. So you could have a minimum local MSSQL database containing the MySQL connection string or a key for it's decryption and get it from there with a connection string you can leave in your executable unencrypted. The chain of credentials then ends at each users windows account password.

Bye, Olaf.
0
 
LVL 4

Author Comment

by:carloselfaite
ID: 40369240
thanks I have done encrypting the conection string with 3des !
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The ECB site provides FX rates for major currencies since its inception in 1999 in the form of an XML feed. The files have the following format (reducted for brevity) (CODE) There are three files available HERE (http://www.ecb.europa.eu/stats/exch…
This post looks at MongoDB and MySQL, and covers high-level MongoDB strengths, weaknesses, features, and uses from the perspective of an SQL user.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question