I'm writing an application in C# for a smart device running Windows Mobile 6.1. It's pretty basic. Just querying a database and getting results. Nothing too fancy.

This program is only going to be deployed internally, but we still want to be secure with our SQL connection info.

What's the best way I should go about encrypting/securing my connection string in the program? I've seen examples for .NET programs using AppSettings, but I'm not seeing a Settings tab in my Solution properties.

This is my first time developing an application in C#/Visual Studio 2008, so there might be some kind of setting I'm missing.

Thanks for the help.

A: 
Mr Roys
Yes, it works with CF 3.5 and VS '08.
ctacke
+1  A: 

Be aware that if it's in your program, then it's inherently unsecure. No matter what you do, if the app has the ability to make that secure connection with info it contains, then that info can be pulled out by an experienced hacker with time and desire.

But are you that concerned about that level of threat? Obviously just throwing it into an app.config file is about as low-security as you get. All that has to happen is that someone opens the file with a text reader and ta-da, they have your credentials.

Maybe you would want to store an encrypted version in the config file and keep a private key in your app. At least a text reader can't "break" it. Of course someone might use Reflector and decompile your app to get the private key.

Well, you could obfuscate the app. That would make it harder to find that private key. Yes, still not impossible.

Maybe you want that private key to be pulled off of a server through a web service or something. Then if someone has the app, they can't get it - though they can always reverse engineer how the web service call is made. Or do a man-in-the-middle and look at the key on the network.

Maybe you could use SSL to protect the transmission. Maybe do MAC filtering on the service to make it more difficult for an unauthorized device to get the key.

You can see the progression here. Each level of security requires more and more work. More and more maintenance. You have to decide what the return on the investment is going to be for your scenario and pick a level of security you're comfortable with for the amount of effort you're willing to spend on it.

ctacke
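The "encrypted value in the config file, key in the app" level from the answer above, as an added C# example that is not part of the original post. The class name, the embedded key and the connection string are constructed for illustration, and `RijndaelManaged` from `System.Security.Cryptography` is assumed to be available on the target framework.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class ConnectionStringVault // hypothetical helper, added for illustration
{
    // Constructed 256-bit key compiled into the assembly: decompiling the app recovers it.
    static readonly byte[] EmbeddedKey = Convert.FromBase64String("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=");
    public static string Protect(string plain) // returns Base64(IV || ciphertext)
    {
        using (SymmetricAlgorithm aes = new RijndaelManaged()) // defaults: CBC, PKCS7, 128-bit block
        {
            aes.Key = EmbeddedKey;
            aes.GenerateIV(); // fresh random IV for every stored value
            byte[] iv = aes.IV;
            byte[] data = Encoding.UTF8.GetBytes(plain);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(data, 0, data.Length);
                byte[] blob = new byte[iv.Length + ct.Length];
                Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
                Buffer.BlockCopy(ct, 0, blob, iv.Length, ct.Length);
                return Convert.ToBase64String(blob);
            }
        }
    }
    public static string Unprotect(string stored) // reverses Protect at application start-up
    {
        byte[] blob = Convert.FromBase64String(stored);
        using (SymmetricAlgorithm aes = new RijndaelManaged())
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length); // the IV is the first block of the blob
            aes.Key = EmbeddedKey;
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                return Encoding.UTF8.GetString(pt, 0, pt.Length);
            }
        }
    }
    static void Main()
    {
        string stored = Protect("Data Source=dbhost;User ID=app;Password=example"); // constructed value
        Console.WriteLine(stored + " -> " + Unprotect(stored)); // config-file form, then recovered form
    }
}
```

The stored value is unreadable in a text editor, but the key ships in the same binary, so this buys only the level of protection the answer attributes to it. CBC without a MAC also means a modified blob is not detected as tampered.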