How can I hide a hard coded username and password from a savvy user with a decompiler?

Question

I want to create a simple C# application that uploads a text file to my web server. But to do this I need to have my username and password included in the code. I've tried using the obfuscator that's included in Visual Studio, but after decompiling with a free decompiler I was still able to find them.

Is this possible?

Thanks!

Answer 1

Put it this way - if the username and password reside on the user's computer, and some program has to operate on that data in unencrypted form at some point, it is logically impossible to guarantee they are unable to view it. So the answer is no. It's a logical impossibility.

Perhaps you could create a separate user on your web server with very restricted permissions and use that instead? Then you'd have less to worry about if the user was able to retrieve the credentials from your application.

Answer 2

Perhaps you need to rethink the fundamentals here

1. You can never secure a platform that attackers have physical access to
2. You want to achieve a situation, whereby your users, on their own platform, can submit a text file to your server, but only using your application. Even using SSL, this gets tricky since they can always monitor the HTTP communication
3. You can never trust anything that comes from the internet. Yes, that includes your text file too.

What you should do instead, is configuring the server so that regardless on what is being sent to it, it does not affect your business case.

What are you using that username/password for?

Answer 3

No.

The only way to prevent users from decompiling your code, and seeing everything in it, is not to give them your code, i.e., put the code on a server (under your control) instead of the client.

Consider writing something server-side (WCF endpoint, REST service, or something similar) that lets them send the content via something like an HTTP POST, with no authentication required. Then there's no password to crack, but your server-side code is in full control of what happens to the content that gets sent.

Answer 4

No. You could encrypt them, but you'll need to get a decryption key from somewhere, and its likely that someone determined enough will be able to decompile your code and figure out where that key is.

I suppose you might be able to have a web request that returns a one time username and password.. so your application would call that, get the user / pwd and use it to upload. Once used, you'd need a way to disable / delete that account.

More details might lead to an answer that's more likely to work for you, as maybe my solution is too much for what your concerns are.

Answer 5

Does it need to be in the source code? If this only needs to run on your computer when you're logged in you could store the password in a file and protect it with file permissions.

Answer 6

What kind of access are you talking about ? If user and password is required to make the upload, then it will ultimately be accessible in the code, and even easier, using a proxy / network listening tool. Would it be possible to create a specific user for your application that has only upload capability (not reading any other's files, etc.) ?

Answer 7

You cant rely on code to safely and securely store credentials. You should consider passing the user name and password into your program as parameters and rely on the appropriate operating system security (e.g. windows security) to prevent users from accessing them.

If you are in an environment where you cannot control the windows credentials, you should consider a server side authorization over a secure connection like SSL.