.app .exe security question

If I compile an encryptionKey into my app, is there any way it can be opened with a text editor or otherwise hacked to find the key value? I know it would be an arduous task, but is it possible?

I have tried to open both the .app package and then tried to open the components, unsuccessfully. But how secure is compiling a password into the code?

It isn’t secure at all. It would be very easy to examine all the strings in your exe and pick out a password.

You can swap bits of the encryption key with XOR and make a small encode/decode function which you then call when you want to use the symmetric key.
Otherwise you can, let's say, store a PrivateKey inside the app and also do the same thing, but use for example the HASH value of the PublicKey with some extra sub-string on it, e.g. Hash(Hash(PublicKey) + GUID) as password, which will then be decrypted with the in-app PrivateKey.
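Tim's and Bogdan's points above, shown in an added Python example that is not from this thread: a `strings`-style scan over a constructed byte image (standing in for a compiled executable's data section) finds a hard-coded key immediately, the same scan over an XOR-coded copy of the key does not, and the decoded key becomes visible again in whatever memory holds it after decoding. `SECRET`, `MASK` and the filler bytes are constructed for the example.

```python
import re

# Constructed sample values for the example; not from the thread.
SECRET = b"S3cretK3y!"
MASK = bytes([0x5A, 0xA7, 0x3C])  # short repeating XOR mask (constructed)


def xor_encode(data: bytes, mask: bytes) -> bytes:
    """XOR every byte with the repeating mask. Encoding and decoding are the same
    operation, which is why a small encode/decode function is all the app needs."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(data))


def build_image(payload: bytes) -> bytes:
    """Simulate a binary's data section: some unrelated bytes and strings around the payload."""
    filler = (b"\x00\x7f\x45\x4c\x46" + b"\x00" * 8
              + b"Hello from the app\x00" + b"\x01\x02")
    return filler + payload + b"\x00" * 4 + b"ReleaseBuild\x00"


def find_strings(image: bytes, min_len: int = 4) -> list:
    """Mimic the `strings` utility: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def secret_visible(image: bytes) -> bool:
    """True when the plaintext key is one of the strings a scan would list."""
    return SECRET.decode("ascii") in find_strings(image)


def demo() -> dict:
    plain_image = build_image(SECRET)                      # key compiled in as-is
    coded = xor_encode(SECRET, MASK)
    obf_image = build_image(coded)                         # key compiled in XOR-coded
    recovered = xor_encode(coded, MASK)                    # what the app does at run time
    return {
        "plain_visible": secret_visible(plain_image),      # True: trivially found
        "obf_visible": secret_visible(obf_image),          # False: scan no longer lists it
        "roundtrip_ok": recovered == SECRET,               # True: decode still works
        # Once decoded, the key sits in process memory in the clear; a memory dump
        # is scanned exactly like the file on disk, so this is True again.
        "memory_visible": secret_visible(build_image(recovered)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The mask is deliberately tiny; the point is not the strength of the XOR but that the scan's result flips from found to not found while the decoded value is exposed the moment the program uses it.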

Thanks Tim and Bogdan! I'll do some bit swapping so it can't be read. Thanks again.

When I read this, I thought this was true… that string data was stored in clear text, as that made perfect sense from a compiler point of view…

So as a test I created a program that consisted of ONE data entity… a constant string with a unique value…
I compiled the app, and then searched the executable file within the bundle (macOS)… that string was nowhere to be found.

Not that I would use this observation to indicate that strings are secure, as I still believe they are not… it was just curious.

Do you mean a string constant, or a quoted constant inside code (dim x as string = "abcd")?

A constant isn’t part of the compiled program unless you use it. A constant is just a bit of syntactic sugar. The compiler replaces the constant name with the value wherever it appears.

Just use one of the ideas which I posted and you're okay and good to go until someone digs too much with recompiling and re-resourcing, aka doing reverse engineering, but even then it's a bit tricky to find and connect the dots.
It's better than putting it as a var value or const after all.

Do you have access to a web server? Place a highly encrypted text file on that server that contains the encryption key. Download the file, decrypt it, then you have it. If you ever need to change the encryption key, you can change the web server file without having to issue a new version of the application!

And make sure the URL is sufficiently hidden in the app as well.

[quote=356516:@Dave S]When I read this, I thought this was true… that string data was stored in clear text, as that made perfect sense from a compiler point of view…

So as a test I created a program that consisted of ONE data entity… a constant string with a unique value…
I compiled the app, and then searched the executable file within the bundle (macOS)… that string was nowhere to be found.

Not that I would use this observation to indicate that strings are secure, as I still believe they are not… it was just curious.[/quote]

Just out of curiosity, I did the same and took the post from @Tim Hare under consideration.
The code in Window1.Open is (where key is a string constant with the value of “testvalue”):

[code]system.debuglog key[/code]

The string shows up in Hopper Disassembler as:

And in TextWrangler:

So the hardcoded strings would be somewhat difficult to pick out of the rest of the code, but can definitely be found in plain text.

Using a web server as back-office support isn't a good idea since it can be fingered, and it would be possible to alter the PKI which you get from the (remote) URI, the same as the data which comes from the (remote) URI, but also the other validation data which are part of the validation process in the app. It's better to skip it.

Also, by doing remote access from the app, if a firewall app is present it can block the outbound connection to the remote side and the app will not work; plus, you can't force the user to have an internet connection on the workstation where the app is.

So binding a private key in the app, obfuscated as a value in the app with some tweaking, is good to go as long as they don't get the public key and the way things are working (doing decoding and decrypting in the app using the PK) to do the in-app validation process.

I have this IDE Script that I use to obfuscate important strings. It’s not bulletproof, but it’s quite good, and doesn’t leave the string in plain text in the binary. It was originally written by @Kem Tekinay but I don’t have a link to the original posting any more. I’ve also made formatting changes (that satisfy my code style).

To use, select the text you wish to obfuscate in the code editor and run the script. The output decoding block is wrapped in an if true statement for visual clarity and so that the string goes out of scope fast (with a small optional change).

[code]Function RndInRange (startIndex As Integer, endIndex As Integer) As Integer
  dim d as Double = Rnd
  dim range as Integer = endIndex - startIndex
  return Round(range * d) + startIndex
End Function

dim origString as String = SelText
if origString.Trim = "" then
  Print("Obfuscation Error" + EndOfLine + EndOfLine + _
  "Please select some text to obfuscate before running the IDE script.")
  return
end

origString = origString.ReplaceAll("""""", """")
dim chars() as String = Split(origString, "")

dim startQuote as Boolean = (chars(0) = """")
dim endQuote as Boolean = (chars(chars.Ubound) = """")

// Attempt to automatically remove surrounding quotes
if endQuote then
  chars.Remove(chars.Ubound)
end if

if chars.Ubound <> -1 and startQuote then
  chars.Remove(0)
end if

// Did the previous create an empty string?
if chars.Ubound = -1 then
  Print("Obfuscation Error" + EndOfLine + EndOfLine + _
  "Please select some text to obfuscate before running the IDE script.")
  return
end if

dim stringToEncode as String = Join(chars, "")

// Each character becomes its code plus a random offset; the triples are then
// shuffled so the order in the source gives nothing away
dim index as Integer
dim codeArr() as String
dim indexArr() as String
dim addArr() as String
dim randomizerArr() as Integer
for index = 0 to chars.Ubound
  dim thisAdd as Integer = RndInRange(64001, 100000)
  codeArr.Append(Str(Asc(chars(index)) + thisAdd))
  indexArr.Append(Str(index))
  addArr.Append(Str(thisAdd))
  randomizerArr.Append(RndInRange(0, chars.Ubound * 100))
next

randomizerArr.SortWith(codeArr, indexArr, addArr)

// Construct the code
dim resultArr() as String

resultArr.Append("dim sDecodedString as String")
resultArr.Append(EndOfLine)
resultArr.Append(EndOfLine)

resultArr.Append("// Encoding for value: ")
resultArr.Append stringToEncode
resultArr.Append(EndOfLine)

resultArr.Append("if true then")
resultArr.Append(EndOfLine)

resultArr.Append("dim ariCode() as Integer = Array(")
resultArr.Append Join(codeArr, ", ")
resultArr.Append(")")
resultArr.Append(EndOfLine)

resultArr.Append("dim ariOffset() as Integer = Array(")
resultArr.Append Join(addArr, ", ")
resultArr.Append(")")
resultArr.Append(EndOfLine)

resultArr.Append("dim ariIndex() as Integer = Array(")
resultArr.Append Join(indexArr, ", ")
resultArr.Append(")")
resultArr.Append(EndOfLine)

resultArr.Append("ariIndex.SortWith(ariCode, ariOffset)")
resultArr.Append(EndOfLine)

resultArr.Append(EndOfLine)

resultArr.Append("dim arsDecodedChars() as String")
resultArr.Append(EndOfLine)

resultArr.Append("for i as Integer = 0 to ariCode.Ubound")
resultArr.Append(EndOfLine)

resultArr.Append("arsDecodedChars.append(chr(ariCode(i) - ariOffset(i)))")
resultArr.Append(EndOfLine)

resultArr.Append("next")
resultArr.Append(EndOfLine)

resultArr.Append(EndOfLine)

resultArr.Append("sDecodedString = Join(arsDecodedChars, """")")
resultArr.Append(EndOfLine)

resultArr.Append("end")
resultArr.Append(EndOfLine)

dim result as String = Join(resultArr, "")

// See if we need the initial declaration (skip it if the method already has one)
if Text.InStr(resultArr(0)) <> 0 then
  for index = 1 to 2
    resultArr.Remove 0
  next index
  result = Join(resultArr, "")
end if

// Figure out where we should paste: the start of the current line
dim curText as String = Text
dim curSelStart as Integer = SelStart
dim newSelStart as Integer
for index = curSelStart downto 1
  dim curChar as String = curText.Mid(index, 1)
  if curChar = Chr(13) or curChar = Chr(10) then
    newSelStart = index
    exit
  end if
next index

SelText = "sDecodedString"
SelStart = newSelStart
SelLength = 0
SelText = result
SelText = EndOfLine[/code]
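The scheme the IDE script above implements, ported to Python as an added example (this is not the script itself nor Kem's original): the encoder adds a random offset in 64001..100000 to each character code and shuffles the (code, index, offset) triples; the decoder sorts by original index and subtracts the offsets, which is what the emitted `ariIndex.SortWith(ariCode, ariOffset)` block does. The generator is seeded so the round trip can be checked repeatably, and `compiled_literals` isolates the `Array(...)` lines because only those integers reach the compiled binary, while the `// Encoding for value:` comment stays in source only. The Xojo names `ariCode`, `ariOffset`, `ariIndex` and `sDecodedString` come from the script.

```python
import random


def encode_string(text: str, seed: int):
    """Port of the script's encoding step (added example, not the script's code).
    Returns (codes, offsets, indexes) already shuffled by a random sort key."""
    if not text:
        raise ValueError("nothing to obfuscate")  # the script prints an error here
    rng = random.Random(seed)
    n = len(text)
    triples = []
    for index, ch in enumerate(text):
        offset = rng.randint(64001, 100000)        # script: RndInRange(64001, 100000)
        sort_key = rng.randint(0, (n - 1) * 100)    # script: RndInRange(0, chars.Ubound * 100)
        triples.append((sort_key, ord(ch) + offset, index, offset))
    triples.sort(key=lambda t: t[0])                # script: randomizerArr.SortWith(...)
    codes = [t[1] for t in triples]
    offsets = [t[3] for t in triples]
    indexes = [t[2] for t in triples]
    return codes, offsets, indexes


def decode_string(codes, offsets, indexes) -> str:
    """The decoder the script emits: restore original order, then chr(code - offset)."""
    order = sorted(range(len(indexes)), key=lambda i: indexes[i])
    return "".join(chr(codes[i] - offsets[i]) for i in order)


def emit_xojo_block(text: str, seed: int) -> str:
    """Produce the same Xojo decoding block the IDE script pastes into the editor."""
    codes, offsets, indexes = encode_string(text, seed)
    fmt = lambda xs: ", ".join(str(x) for x in xs)
    lines = [
        "dim sDecodedString as String",
        "",
        "// Encoding for value: " + text,
        "if true then",
        "dim ariCode() as Integer = Array(" + fmt(codes) + ")",
        "dim ariOffset() as Integer = Array(" + fmt(offsets) + ")",
        "dim ariIndex() as Integer = Array(" + fmt(indexes) + ")",
        "ariIndex.SortWith(ariCode, ariOffset)",
        "",
        "dim arsDecodedChars() as String",
        "for i as Integer = 0 to ariCode.Ubound",
        "arsDecodedChars.append(chr(ariCode(i) - ariOffset(i)))",
        "next",
        "",
        'sDecodedString = Join(arsDecodedChars, "")',
        "end",
    ]
    return "\n".join(lines) + "\n"


def compiled_literals(block: str) -> str:
    """Only the Array(...) literals are compiled into the binary; comments are not.
    Return just those lines so callers can inspect what an executable would contain."""
    return "\n".join(line for line in block.splitlines() if "= Array(" in line)


def roundtrip(text: str, seed: int = 1) -> bool:
    """True when decoding the encoded triples gives back the original text."""
    codes, offsets, indexes = encode_string(text, seed)
    return decode_string(codes, offsets, indexes) == text


if __name__ == "__main__":
    print(emit_xojo_block("testvalue", seed=7))
    print("round trip ok:", roundtrip("testvalue", seed=7))
```

Because the decoder sorts by `ariIndex`, the shuffle costs nothing at run time but removes any positional hint from the source; the offsets are what keep the integer literals from resembling character codes.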

Or you can try this page. It generates Xojo code. Handy and convenient.

“ThisIsMyPassword” generates:

[code]Function ObfuscatedString () As String
// Obfuscated string output
// Output: "ThisIsMyPassword"

Dim Chars() As String = Array("Z", "2", "V", "l", "N", "9", "A", "Q", "z", "p", "X", "G", "T", "h", "d", "0", "=", "Y", "y", "c")
Return DefineEncoding(DecodeBase64(Chars(2) + Chars(11) + Chars(13) + Chars(9) + Chars(19) + Chars(15) + Chars(3) + Chars(8) + Chars(12) + Chars(10) + Chars(3) + Chars(7) + Chars(17) + Chars(10) + Chars(4) + Chars(8) + Chars(14) + Chars(1) + Chars(5) + Chars(18) + Chars(0) + Chars(6) + Chars(16) + Chars(16)), Encodings.UTF8)
End Function[/code]

Thanks @Alexander van der Linden. I use Bob’s app all the time, and a web site will be convenient too.

Or you may use the obfuscator of Bob Keeney, which makes it pretty difficult to extract the original string:

https://www.bkeeney.com/obfuscate/

Keep in mind that for a determined hacker with a good suite of tools, it will always be possible to pull the password out of memory once it has been decrypted by your program. String obfuscation methods in your EXE get rid of the low-hanging fruit though.

@Bill Plunkett,

Also, read this on protecting your code from hacking attempts: http://www.tempel.org/UsingAquaticPrime

And you may want to explain what you need to achieve and see if we can help you find a safer solution. Maybe there’s no need to have the passcode in your app.