Hi,
Searching the web for encryption of the executable file produced by XOJO, I found nothing. However, the threads were dated 2022.
I was wondering if it’s currently possible to do so using the framework itself or third-party software.
Thanks
Some questions for you:
There are packer tools, but they don’t work well with Xojo.
You aren’t achieving anything by doing this. If you think you’re protecting your resources / image assets – you’re not for a multitude of reasons I won’t regurgitate here.
Hi Tim,
Inside the source code there are the access coordinates to the SQL archives and I would not like anyone to be able to view them through a debug of the executable.
Coordinates and credentials
It is unwise to distribute an executable to the public if it contains credentials you can’t have leaked. That’s just all there is to it.
There are string obfuscation tools floating around, but they all have to be re-pieced together at some point and if your credentials really are that interesting, that’s when someone will get them. Encrypting the executable won’t really stop that.
You won’t like it, but the best recommendation anyone can give you is to implement a safe REST API for your application to interact with the database. It is unsafe to connect to a remote database directly unless you are in control of every part of the software usage process (meaning in-house apps).
Hi Tim,
It’s true that encrypting the executable doesn’t completely prevent the viewer from viewing values inserted into the source code, but it significantly reduces this possibility.
As of now, I believe (and I still have to verify) that opening the executable with any editor would be sufficient.
Obfuscation will only stop casual onlookers. Encryption isn’t going to benefit you at all, the executable has to be decrypted to run. Packer tools don’t work with Xojo executables.
If someone is interested in the credentials you have bundled into the app there is no way to stop them. That is why you cannot bundle credentials.
At the simplest, imagine you have a username and password
The username is Toad, the password is Hall
At some point, you need to use those to login, or send a web request.
You can hide the words in your app.
Maybe you pad the length, and shift the letters by 1
PADTOAD becomes a string QBEUPNE in your EXE
So anyone using a hex editor sees QBEUPNE - the user name is not obvious.
But at the point where you use it, you will use a bit of code to take the 4th character onwards, shift the letters down, and now ‘in memory’ you have the word TOAD in a string variable.
That’s not impossible to watch using hacking tools.
And if you send that word as a network message or login, the call could be intercepted while the word is in plain text.
So we’re not saying obfuscation is useless, but it certainly isn’t 100% secure.
I am. It is mostly useless.
Obfuscation, cyphers, anything that has to be re-constructed in memory is mostly useless. I described above why that is.
OK. I understand the concept and the method.
Thanks, Tim, Jeff
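A release-time check for the point made in this thread, as an added example that is not part of the original posts: it scans a build artifact for known credentials and for any letter-shifted copy of them, in ASCII and UTF-16LE. The function names, the sample bytes and the uppercase TOAD/HALL values are constructed for illustration, and secrets are assumed to be ASCII.

```python
def caesar(text: str, shift: int) -> str:
    """Shift A-Z / a-z by `shift` places, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def audit_binary(blob: bytes, secrets: list[str]) -> list[tuple[str, int, str, int]]:
    """Return (secret, shift, encoding, offset) for every hit in the artifact.

    Shift 0 is the plain secret; shifts 1-25 cover the "shift the letters"
    hiding described in the thread. Padding does not matter because the
    search is a substring match.
    """
    hits = []
    for secret in secrets:
        for shift in range(26):
            candidate = caesar(secret, shift)
            for encoding in ("ascii", "utf-16-le"):
                needle = candidate.encode(encoding)
                offset = blob.find(needle)
                while offset != -1:
                    hits.append((secret, shift, encoding, offset))
                    offset = blob.find(needle, offset + 1)
    return hits


# Constructed stand-in for a compiled executable (not real Xojo output):
# a padded, shifted user name in ASCII and a shifted password in UTF-16LE.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(16)
    + caesar("PADTOAD", 1).encode("ascii") + b"\x00"
    + caesar("HALL", 1).encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for secret, shift, enc, off in audit_binary(SAMPLE_BLOB, ["TOAD", "HALL"]):
        print(f"FAIL: {secret!r} present (shift {shift}, {enc}) at offset {off}")
```

A clean result only means these particular encodings were not found; it does not make a bundled credential safe, which is why the thread's advice is to keep credentials behind a server-side API.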