On Fri, Feb 02, 2007 at 07:20:04 +0900,
Paul Lambert <paul.lambert@autoledgers.com.au> wrote:
> How?
Use a debugger.
> If it is encrypted within the source code then the only way to steal the
> credentials would be to reverse engineer the application. And if someone
> is going to do that then you can be relatively assured that they are
> going to do anything and everything to get around whatever other
> security you can offer. At which point you could send the law after them
> for breach of copyright or other such law - at least that is the case
> down here in Australia.
>
> We have an application which connects to a database in MySQL. Each user
> has their own username/password to log onto the application which does
> so through authenticating against a users table in the db. The
> application itself has hard-coded within a username/password to get the
> initial access to the database. With somewhere in the vicinity of 1,000
> people using this particular application we've not seen a case of anyone
> accessing it using anything other than our application.
I imagine most people's customers don't try to work around broken security.
The scheme you have described above is broken.
> >You want to either run the app on a computer you control
>
> It's not always feasible to host the application main on your own
> server. Depending on network distance, traffic, size of application,
> number of users etc, it could require some extremely high spec hardware
> to host and beefed up network connections. This is not possible for a
> lot of service providers out there, not to mention that those willing to
> reverse engineer the software (or run packet sniffers and decrypt
> network traffic) to get the password out of it would still find a way of
> determining the password your hosted app is using.
>
> >or have a contract
> >with the customers prohibiting them from connecting to the database other
> >than
> >by using the app.
>
> If customers access a database hosted by a service provider it is
> generally the norm to have some clauses in the contract pertaining to
> data protection and ownership making "access to provider hosted data by
> any means other than those authorised by the provider" a breach of contract.
Well, then that is really your protection. The above security by obscurity
is just a way to help keep the honest people honest.
