Reverse engineering compiled Xojo programs

I was thinking of putting some confidential information in a Xojo program but I wondered if it were possible for a hacker to reverse engineer the code and get the information out again.

If so, is there any way to make it more secure? The program itself would need to access the information.

Strings can be read in your app by a binary scanner. Confidential information should be obfuscated at the very least or encrypted if possible so you can’t do that.

Hi Bob, I was just about to say you could look at Obfuscate from BKeeny.

I use arrays of 2 byte characters (out of order) and then join them at runtime.

You could, but I wouldn’t use it for large amounts of text though as it would be really, really slow.

And if you use ‘Encrypt Class’ in the IDE? Is the code then more safe against reverse engineering?

No. This setting has no effect on the built app; it just “protects” the source from being readable in the IDE.

There is nothing you can do to keep the information provided within your app confidential from a determined, knowledgeable person. If you encrypt it, you have to include the password in some form within the code. If you obfuscate it, your app has to have code to un-obfuscate it, and that code can be found.

All you can do is make it tougher, not impossible.

If the confidential information will be provided by the user, then you can create an encrypted SQLite database (or use some other encryption) to store it with the user’s password. As long as you take steps to make sure the password is not weak, that’s the best you can do.

[quote=90216:@Kem Tekinay]There is nothing you can do to keep the information provided within your app confidential from a determined, knowledgeable person. If you encrypt it, you have to include the password in some form within the code. If you obfuscate it, your app has to have code to un-obfuscate it, and that code can be found.

All you can do is make it tougher, not impossible.

If the confidential information will be provided by the user, then you can create an encrypted SQLite database (or use some other encryption) to store it with the user’s password. As long as you take steps to make sure the password is not weak, that’s the best you can do.[/quote]
This is true of all software, it is not a limitation of Xojo.

[quote=90197:@Steve Hill]I was thinking of putting some confidential information in a Xojo program but I wondered if it were possible for a hacker to reverse engineer the code and get the information out again.

If so, is there any way to make it more secure? The program itself would need to access the information.[/quote]

Strings are stored as plain text, so it is pretty easy to find. You can store a small amount of text encrypted with the built-in class Crypto. It is safe, but in order to access the encrypted data you need to use the password and save it in your program as well. So it becomes the weak link. There are many methods to obfuscate a password; the general rule is to break it into small portions that could be XORed and scatter them in several places so they are difficult to find, then find a way to assemble them through methods that are themselves scattered, for dynamic use in order to decrypt.
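An added illustration, constructed here and not taken from any poster in this thread, of the two points above: a printable-run scan (what a binary scanner does) lists a secret stored as plain text, XOR-split fragments keep it out of that listing, and the reassembly routine that has to ship in the same binary still yields the secret. The sample secret, key, filler bytes and function names are all made up.

```python
import re

def find_strings(blob, min_len=6):
    """Mimic a binary string scanner: return runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def xor_with_key(data, key):
    """XOR data with a repeating key (XOR is its own inverse, so this both masks and unmasks)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def split_xor(secret, key, parts=3):
    """Obfuscate as described above: XOR the secret, then cut it into fragments
    that a program would scatter through its binary in some order."""
    masked = xor_with_key(secret, key)
    step = -(-len(masked) // parts)  # ceiling division
    return [masked[i:i + step] for i in range(0, len(masked), step)]

def reassemble(fragments, key):
    """The runtime counterpart, which must also be present in the shipped binary."""
    return xor_with_key(b"".join(fragments), key)

# Constructed stand-in for machine code around the data (contains no printable run of 6+ bytes).
FILLER = bytes.fromhex("554889e5488b45f8c3909090e8000000000f1f4000") * 4
PLAIN_SECRET = b"api-password-hunter2"   # constructed sample secret
KEY = bytes([0x5A, 0xA3, 0x17])          # constructed sample key
FRAGS = split_xor(PLAIN_SECRET, KEY)

def build_image(pieces):
    """Lay the given data pieces into the filler, as a linker might place constants."""
    image = bytearray(FILLER)
    for piece in pieces:
        image += piece + b"\x00" + FILLER[:40]
    return bytes(image)

NAIVE_IMAGE = build_image([PLAIN_SECRET])                       # secret stored as plain text
OBFUSCATED_IMAGE = build_image([FRAGS[2], FRAGS[0], FRAGS[1]])  # fragments, out of order

if __name__ == "__main__":
    print("naive scan:     ", find_strings(NAIVE_IMAGE))       # the secret is listed
    print("obfuscated scan:", find_strings(OBFUSCATED_IMAGE))  # nothing readable
    # ...but the reassembly code and the key sit in the same binary, so the secret is still there:
    print("reassembled:    ", reassemble(FRAGS, KEY))
```

The scan over OBFUSCATED_IMAGE comes back empty only because every third masked byte falls outside the printable range; a scanner that also reads the code finds `reassemble` and `KEY` next to the fragments.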

Why don’t you drag a small image into your project, then using the picture to string method use this as the password to decrypt your pre-encrypted personal information which is in your binary. By using this method the password would not be in your binary but would be stored as a picture resource in your bundle.

Yes (just to reinforce). Forget pictures, XORs, swaps, etc. If some hacker wants that encrypted info (that carries the decoder together), he will get it, easily.

Sure, you can’t stop a determined hacker. But it is still prudent to employ some of those techniques to deter the casual hacker/looker.

Like most things, the easier it is to do, the more likely it is to happen.
If you leave keys in your car in the ignition & the doors unlocked, you’re likely to have your car “stolen” (most insurance policies won’t even cover this case).
If you lock the doors, that prospect goes down.
If you lock the doors & there are no keys, then the likelihood is very high that folks will move on to something else.

SOME hackers relish the challenge and will go after the hardest thing they can find just because they can.
Those you’ll never stop, but you can make it hard enough that the folks who pick on the easy things will move on to something else that’s easier.

Yes, Tim. But always have in mind the extent of the damage caused by that data being discovered. Does it just allow someone to copy your $60 program for free? Or does it allow someone to get into the database of your company with administrator rights?

I think you’ve misinterpreted what he meant.

This is elementary stenography :wink:

I don’t think so. I agreed with Tim.
Just complemented the info with a warning about something not discussed: extent of damage after exploits.

Facts:

  1. Plain sensitive data included inside an executable can be found by anyone.
  2. Some simple hiding techniques can be found by the casual attacker/curious.
  3. No one can deter a real advanced attacker from finding a hidden secret inside an app that decodes that secret.

And because of fact #3 I made my comment about Tim’s statement.
You can obfuscate some things, #1 and #2 probably will not happen, but #3 can happen, and one must have in mind the consequences (must be minor) and think about damage control in case of being discovered.

I meant to say steganography. Sorry.

While that’s a clever way of hiding information, that’s not what he meant. He was saying that the picture itself could be converted to a string at runtime which, in turn, would act as a password for traditional encryption. Very clever, and raises the difficulty level.

Still, anyone who has the expertise and tools to trace the code may be annoyed, but not fooled.