If you have sensitive login information to a service, how do you protect it in code from people who might decompile your app?
For example, I have code like this that talks to AWS. How would I protect my secret key? I could encrypt the property locally but it would have to be decrypted before it was used to login (via the handy MBS Curl utility) and that presumably would make it insecure.
// Prepare the cURL for the S3 API call.
Dim CurlSetup As Boolean = Curl.SetupAWS( AccessKey, SecretKey, Region, Service, Path, Domain, Verb, HashedPayload, Headers )
One easy way to do this is to make a method and convert the entire string to chr() calls. If you want to add another layer, use an array and jumble the order when the array is created and sort them out before returning.
Also, make sure you are solving a problem that you actually have. As Sam said, an experienced hacker can access anything they want to, but that also usually means physical access to the machine, which also means having compromised one of the humans that use that machine, etc.
Yes, that’s true, but is it readily obvious that your app does this and is the information sensitive enough that a hacker is going to seek it out and use it nefariously?
Dealing with hackers is always a balancing act. To put it simply, you need to make it complicated enough that they realize that there are other easier targets in terms of time and reward, but not so complicated that you spend all of your life protecting it from them.
Think of alarm system signs on a house. If someone were to see one in your yard, that’s often enough to have them move on to another location without even checking to see if you are home because there are other homes with equally valuable things in them which don’t have intrusion detection systems.
Unless they know that you have something that no one else has and which they really want. Same as hackers.
Keep in mind that a DLL can be replaced by a DLL with the same name and methods to read all parameters.
This special DLL then calls the real DLL methods. You will not notice this.
Instead of giving all apps/users the same “password”, it’s better that each user has its own login or secret.
So for every call to AWS, my desktop app would have to talk to a custom web app to relay the information? That kinda feels like it defeats the purpose of AWS…
Hmmm. One of the reasons I’m using AWS is because I’m hammering it with dozens (later hundreds) of read requests a second and it’s cheap. So my own web app would have to generate all those URLs each time?
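The thread ends on the relay design (the long-term secret stays on your own server, each user gets something short-lived) and the worry that the server would have to "generate all those URLs each time". The example below is an added illustration, not code from the thread or from MBS: a minimal vending service that signs S3 GET URLs with the documented SigV4 query-string scheme, plus the check the storage side performs. Generating a URL is one HMAC chain computed locally, with no call to AWS, so the vending server is not a round trip per object read; the desktop app never holds the secret key, so decompiling it yields only URLs that expire. The credentials, bucket, key and timestamp are constructed placeholders, and `MAX_TTL_SECONDS` is an assumed policy value.

```python
"""Added example: vend short-lived presigned S3 GET URLs from a server that
holds the only copy of the AWS secret key (SigV4 query-string signing)."""
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials; they live only on the vending server.
SERVER_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SERVER_SECRET_KEY = "EXAMPLE/SECRET/KEY/PLACEHOLDER"
MAX_TTL_SECONDS = 900  # assumed policy: refuse to vend anything longer-lived
SAMPLE_NOW = datetime.datetime(2024, 5, 1, 12, 0, 0)  # constructed, naive UTC


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _signature(access_key, secret_key, bucket, key, region, amz_date, expires):
    """Return (unsigned URL, hex signature) for a GET of s3://bucket/key."""
    host = f"{bucket}.s3.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query: names sorted, names and values URI-encoded ('/' -> %2F).
    query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )
    uri = "/" + urllib.parse.quote(key, safe="/")
    # Canonical request: method, URI, query, canonical headers, signed headers, payload hash.
    canonical_request = "\n".join(
        ["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    sig = hmac.new(_signing_key(secret_key, date, region),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}", sig


def vend_presigned_get(bucket, key, region, expires, now):
    """Server side: mint a GET URL valid for `expires` seconds from `now` (naive UTC)."""
    if not 1 <= expires <= MAX_TTL_SECONDS:
        raise ValueError("refusing to vend a URL outside the allowed lifetime")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    base, sig = _signature(SERVER_ACCESS_KEY, SERVER_SECRET_KEY,
                           bucket, key, region, amz_date, expires)
    return f"{base}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret_key, now):
    """Storage side: re-derive the signature from the URL and check the time window."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    access_key, _date, region, _service, _term = q["X-Amz-Credential"].split("/")
    amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
    bucket = parts.hostname.split(".s3.")[0]
    key = urllib.parse.unquote(parts.path[1:])
    _base, expected = _signature(access_key, secret_key, bucket, key,
                                 region, amz_date, expires)
    if not hmac.compare_digest(expected, q["X-Amz-Signature"]):
        return False  # any change to bucket, key, expiry or scope breaks the MAC
    signed_at = datetime.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")
    return now <= signed_at + datetime.timedelta(seconds=expires)


if __name__ == "__main__":
    url = vend_presigned_get("example-bucket", "reports/q1 2024.csv",
                             "us-east-1", 600, SAMPLE_NOW)
    print(url)
    print("valid now:", verify_presigned_get(url, SERVER_SECRET_KEY, SAMPLE_NOW))
```

The design choice worth noting is the cap on lifetime: a leaked URL is only as useful as its remaining window, and the server can also scope each URL to the single object the user is entitled to, which is the per-user secret the earlier reply asked for without ever giving the user an AWS key.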