Question

Is there any way to prevent people from using Reflector.net to decompile my .exe C# application? I know there are tons of posts about this, but I don't really care if people can see my code; the only thing I want to "hide" is my database connection string.

I am currently using "Settings" in my C# project to keep the database connection's info. I wanted to know if using those strings in my project's Settings would prevent people from seeing it?

I am using DotFuscator in Visual Studio 2008, but I heard it wasn't preventing people from decompiling my program.

I know I could use Web Services, but my server will be on Linux, so I guess I can't store web services on Linux.


Solution

No. Even if you encrypt the connection string in the program code or in a settings file, you will need to decrypt it, and the program must necessarily contain the decryption key somewhere, which means that someone who is interested enough in finding it will find it, no matter how creative you are in hiding it. Why do you need to hide the connection string? If you are afraid that someone who has your program might call the web services directly and trigger unintended actions, you should look into how the web services are structured, what they allow clients to do, and how the authorization works, and make security improvements there instead.

OTHER TIPS

If your program has the connection string in it, users of your program can get it back out. Even if you encrypt it, they can sniff it when your program connects to the DB server.

If you don't want your users to know your DB login credentials, don't give your DB login credentials to the users. That's the only way.

You could do this by instead giving each user their own credentials, and using the permissions system in the DB server to control what they can or can not do.

As others have stated, obfuscation is no real protection for a connection string stored in a client application where the user has access to the binaries.

Don't use a direct database connection from your program unless the user is trusted to use the database directly with the same privileges. Have a service (web service, REST service, etc.) in between that you host on your own server. Linux can host services of any of those types I mentioned (use Mono if you want them in .NET on Linux).

In order to expose your database via a web service using Mono or any other language/framework you can host on Linux you would create a web service method for each atomic operation you want to perform against the database.

An additional advantage over letting the client application access the database directly is that, when the client application is using a service between itself and the database, you are free to change your data store without affecting the client. You can decide to change the database schema in your database, or replace the database with a NoSQL solution or even a flat file.

Having a service instead of communicating directly with the database moves the authentication/authorization requirement one step, so now you need to implement it in the service. Fortunately there is rich support for authentication in a web service.
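As an added illustration of the service-in-between design described in this answer (not code from the answer or from any particular project), the following Python sketch keeps the database credentials on the server side only, exposes one method per atomic operation with fixed parameterized SQL, and performs the authentication and authorization check inside the service. The in-memory SQLite database, the session token table and the user names are constructed for the example; a real deployment would put these methods behind a web or REST endpoint and issue tokens from a proper login step.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample: the "connection string" exists only in the server
# process. Clients never receive it and cannot open the database directly.
SERVER_CONNECTION_STRING = ":memory:"

# Constructed session table: opaque client token -> (user id, role).
# Clients hold only a token, never database credentials.
SESSIONS = {
    "tok-alice": ("alice", "customer"),
    "tok-bob": ("bob", "customer"),
    "tok-ops": ("ops", "admin"),
}


class AuthError(Exception):
    """Raised when a token is unknown or the role is not allowed."""


class OrderService:
    """One method per atomic operation; no raw SQL is accepted from clients."""

    def __init__(self) -> None:
        self._conn = sqlite3.connect(SERVER_CONNECTION_STRING)
        self._conn.execute(
            "CREATE TABLE IF NOT EXISTS orders "
            "(id INTEGER PRIMARY KEY, owner TEXT NOT NULL, item TEXT NOT NULL)"
        )
        self._conn.commit()

    def _authenticate(self, token: str) -> Tuple[str, str]:
        # Authentication moved from the database into the service layer.
        if token not in SESSIONS:
            raise AuthError("invalid session token")
        return SESSIONS[token]

    def place_order(self, token: str, item: str) -> int:
        user, _role = self._authenticate(token)
        # The owner is taken from the session, not from client input.
        cur = self._conn.execute(
            "INSERT INTO orders (owner, item) VALUES (?, ?)", (user, item))
        self._conn.commit()
        return cur.lastrowid

    def list_my_orders(self, token: str) -> List[str]:
        user, _role = self._authenticate(token)
        rows = self._conn.execute(
            "SELECT item FROM orders WHERE owner = ? ORDER BY id", (user,))
        return [item for (item,) in rows]

    def list_all_orders(self, token: str) -> List[Tuple[str, str]]:
        _user, role = self._authenticate(token)
        if role != "admin":  # authorization decided server-side per operation
            raise AuthError("admin role required")
        rows = self._conn.execute("SELECT owner, item FROM orders ORDER BY id")
        return [(owner, item) for owner, item in rows]
```

Because each method runs a fixed statement with bound parameters, a client can only perform the operations the service chooses to expose, and only on rows its session allows.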

Take a look at this guide on this specific topic from MSDN. Keep in mind, however, that this only shifts the security burden. Now you need to manage the security of the key.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow