Is my application SECURED.. How to protect ?

Question

3.00/5 (2 votes)

See more:

I made a windows application in C# with SQL database, and I want to sell this application so I protected my application by the following steps:
- Create the serial number of the application based on finger print of the client PC.
- Put this serial number in the database to check it with the finger print whenever the program is started.
Please what is the expected hacking on this application? And how to protect my application against it ?

Posted 27-Feb-11 5:10am

firas_hamzeh

Updated 27-Feb-11 5:14am

v2

Add a Solution

3 solutions

Solution 3

If your app and DB are in the same machine (physically), you could for starters obfuscate your code to make it harder to reverse engineer your files:
blogs.msdn.com/b/ericgu/archive/2004/02/24/79236.aspx

You could also secure the DB connection string by encryption:
http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx

Posted 28-Feb-11 6:18am

Mark Vinod Sinnathamby

Comments

firas_hamzeh 1-Mar-11 2:23am

Mr.markFaction, Thanks for your answer
The solutions you recommended were suggested in 2004 and now these solutions are too weak and broken.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Albin Abel · Accepted Answer · 2011-02-27T06:50:00

If you are simply validate the serial number from the DB to the input, it is not secure. The if(input serial== db serial ) is just a simple jump instruction in the disassembly. Change the jump other way is just change a byte value in a hash editor.

What you can do is have the serial digested with a salt and keep the serial and the resulted hash af ter digestion has to be custom encrypted and stored in the global memory. You decryption function should be strong enough, not possible to reverse engineering. Check the validity of this salt digested hash against the serial in many places of your application. So it is not simple a jump, but the hacker not escaped from providing a valuable serial or complete reverse engineering your app.

Apart from that keep the serial in the database encrypted

hope this helps.

I am adding more points here as per your question.

a light weight comparing function based on two global variable will not be a significant issue in performance, so can be called in many places.

Keeping fake function names only help to prevent newbie hackers.

The detailed work flow of what I suggested here is...

1) When use swipe, digest the input serial in a way and store in the app memory. Not the same way encrypted as you did for the original serial. Because if you did the same way this input supposed to result in the same hash you stored in the database. As you are going to get the real hash also in the app, a hacker can swap the real hash to the input hash. Then comparison of both result fruitful. So this input has to hash in a different way than you did for the original hash and it result in a different hash.
2) Get the encrypted serial from the database and store in memory.

3) Now the input hash you stored in step 1 and real hash from database in step 2 has to be subjected to mathematical operations. For example if the user input/ swipe in correctly the mathematical operations may result in zero. Divide a zero with other number will result in a exception. So if incorrect serial is provided it will be result in exception. On the exiting event you can show the message of unauth user.

The basic idea is not using an if condition, but a complex mathematical operation which results in an exception if not provided correct serial.

Checking this function in different major functions of your app doesn't significantly affect the performance as it is simply a few math operations on a two variables in memory which cost a few CPU cycles, not big issue in present day computers. However the little performance issue (though insignificant) will be a tradeoff when security given importance

Mark Vinod Sinnathamby · Accepted Answer · 2011-02-27T05:41:00

Its very hard to say what the security issues in an application is without doing a extensive study of it. If it is a windows application then you should check for common security vulnerabilities in windows client applications. If it going to connect and communicate on a network at some point, then you have a different story. Depends on how your application was built and what it's going to do. If it's got a database, you should start with the preliminaries: SQL injection attacks, password hash attacks etc.

Is my application SECURED.. How to protect ?

3 solutions

Solution 2

Solution 1

Solution 3

Add your solution here

Preview 0