Protecting your code with click once

D

Daniel

Hi Guys

I remember some strong naming things and keys that i read but cannot recall
how to use it. However i am now using CLick Once deployment.

Is my code safe when i deploy this way or do i have to do anythign with it
before deployment to ensure peopel cant back engineer my executables and
dlls etc

Thanks
 
D

Daniel

Thanks Jon,

So are you saying based on that, that i can make my code harder to read but
thats all?

I definitely used a thing which required making a key for the assembly that
did some kind of encryption on my code. I just can't recall it that well.
Again all to make it harder to view any of the code. It stopped a standard
desembler showing vital info. This isn't mentioned in that article.

In fact the article seems to imply that, you can make it hard, but you can't
stop it and really you can't make it that hard either. Am i right? This is
quite a worry?
 
D

Daniel

Also....i just used the reflector app. On my code it worked, i could see
everything. Scary to be honest.

On other apps on my comp i got a CLR header not found and it was safe, i
couldnt back engineer their code. Why can't i do this with mine?
 
J

Jon Skeet [C# MVP]

Daniel said:
Also....i just used the reflector app. On my code it worked, i could see
everything. Scary to be honest.

On other apps on my comp i got a CLR header not found and it was safe, i
couldnt back engineer their code. Why can't i do this with mine?
Click to expand...

Reflector works with managed applications. Presumably the other
applications on your computer aren't managed ones (i.e. they don't use
..NET).

Do you have any real evidence that you need to be concerned about this?
What *exactly* are you worried about, in terms of actual cost to you?

Jon
 
D

Daniel

My app uses a RNG and deals with real money transactions regularly.

The rng is on the server side so should be fine but there is code shared
between client and server. I dont see a way to do any major problems as
server handles the actual logic so they would only be able to hack the way
things appear on their screen and not actually the servers handling of it.

But, the fact someone can easily see my code, and spend all day if they
wanted to looking for a hole is a clear concern. If they found a hole and
exploited it, peoples accounts with real money could be effected. I cant be
more specific at this time i am afraid.

So it is a concern to me. If there is no way round it my alternative would
be to rip as much as i possibly can out of client side code, and even make
duplicate lightweight copies of classes that are shared between client and
server. As well as many checks for malformed packets and so forth that could
be generated by a hacked client.
 
J

Jon Skeet [C# MVP]

Daniel said:
My app uses a RNG and deals with real money transactions regularly.

The rng is on the server side so should be fine but there is code shared
between client and server. I dont see a way to do any major problems as
server handles the actual logic so they would only be able to hack the way
things appear on their screen and not actually the servers handling of it.

But, the fact someone can easily see my code, and spend all day if they
wanted to looking for a hole is a clear concern. If they found a hole and
exploited it, peoples accounts with real money could be effected. I cant be
more specific at this time i am afraid.
Click to expand...

If your code has a security hole, then preventing someone running the
client from working out what it's doing isn't going to remove that
security hole. It may make it a *little* less likely to be found, but
any code which can be run can be examined. It's harder with unmanaged
code, but still possible.
So it is a concern to me. If there is no way round it my alternative would
be to rip as much as i possibly can out of client side code, and even make
duplicate lightweight copies of classes that are shared between client and
server.
Click to expand...

Ideally, the client side code should be lighter weight anyway, IMO.
As well as many checks for malformed packets and so forth that could
be generated by a hacked client.
Click to expand...

You should be making those checks anyway - otherwise any security flaws
would still be there. Security through obscurity is not true security.

Jon
 
D

Daniel

Yes yes i know all this Jon lol. But i'd rather know about security
potential issues at this stage. As much as i want to say i am perfect and
will patch every possible hole, i have to assume i wont. So i need to know
just how likely it is, if i leave one that my code could be explouted.

Going by your comments i pretty much have to make this perfect, and that
does scare me. I am no timpressed how eaily managed code can be reverse
engineered.

Thanks for the help/advice
 
J

Jon Skeet [C# MVP]

Daniel said:
Yes yes i know all this Jon lol. But i'd rather know about security
potential issues at this stage. As much as i want to say i am perfect and
will patch every possible hole, i have to assume i wont. So i need to know
just how likely it is, if i leave one that my code could be explouted.

Going by your comments i pretty much have to make this perfect, and that
does scare me. I am no timpressed how eaily managed code can be reverse
engineered.
Click to expand...

Well, try an obfuscator - it will make the code a lot harder to read.

Unmanaged code can be reverse engineered too, of course - have you
noticed how almost no PC game goes uncracked? Given that there's money
involved, how sure are you that people wouldn't reverse engineer the
code however hard it is?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

IE7 hangs with "Click Once Deployment" any fixes? 5
Click Once vs Server Deployment 4
extending a click once application with plugins(deployment issue) 1
Click once deployment and .net 2 4
Click Once 2
Click once and change of server 3
Sql Server express 2005 deployment 10
Is this possible with clickonce 2

Top