On Fri, Feb 02, 2007 at 07:20:04 +0900, Paul Lambert <paul.lambert@xxxxxxxxxxxxxxxxxx> wrote:

> How?

Use a debugger.

> If it is encrypted within the source code then the only way to steal the
> credentials would be to reverse engineer the application. And if someone
> is going to do that then you can be relatively assured that they are
> going to do anything and everything to get around whatever other
> security you can offer. At which point you could send the law after them
> for breach of copyright or other such law - at least that is the case
> down here in Australia.
>
> We have an application which connects to a database in MySQL. Each user
> has their own username/password to log onto the application which does
> so through authenticating against a users table in the db. The
> application itself has hard-coded within a username/password to get the
> initial access to the database. With somewhere in the vicinity of 1,000
> people using this particular application we've not seen a case of anyone
> accessing it using anything other than our application.

I imagine most people's customers don't try to work around broken security.
The scheme you have described above is broken.

> >You want to either run the app on a computer you control
>
> It's not always feasible to host the application main on your own
> server. Depending on network distance, traffic, size of application,
> number of users etc, it could require some extremely high spec hardware
> to host and beefed up network connections. This is not possible for a
> lot of service providers out there, not to mention that those willing to
> reverse engineer the software (or run packet sniffers and decrypt
> network traffic) to get the password out of it would still find a way of
> determining the password your hosted app is using.
>
> >or have a contract
> >with the customers prohibiting them from connecting to the database other
> >than
> >by using the app.
>
> If customers access a database hosted by a service provider it is
> generally the norm to have some clauses in the contract pertaining to
> data protection and ownership making "access to provider hosted data by
> any means other than those authorised by the provider" a breach of contract.

Well, then that is really your protection. The above security by obscurity is
just a way to help keep the honest people honest.
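The reply calls the hard-coded-credential scheme broken. As an added illustration (not code from either poster), the following models the two points at issue: a password "encrypted" inside the shipped client is recoverable by anyone holding the client, because the key must ship with it; and a single shared database account exposes every user's rows once one copy of the client is compromised, whereas per-user database accounts limit the damage to that user's own rows. The key, password, users and records are constructed for the example.

```python
"""Blast radius of a shared hard-coded DB credential vs. per-user accounts (added example)."""
from dataclasses import dataclass, field

# --- Design A: what the thread describes ---------------------------------------
# The shipped client carries a shared DB account. Encoding it in the source changes
# nothing: the client has to decode it to connect, so the key ships next to the
# ciphertext and whoever holds the artifact holds both. (Constructed values.)
EMBEDDED_KEY = b"k3y-in-binary"
EMBEDDED_CIPHERTEXT = bytes(c ^ k for c, k in zip(b"app-shared-pw", EMBEDDED_KEY))


def app_db_password() -> str:
    """What the client computes at startup; equally available to anyone with the binary."""
    return bytes(c ^ k for c, k in zip(EMBEDDED_CIPHERTEXT, EMBEDDED_KEY)).decode()


# --- Minimal model of a MySQL users table with account-level grants -------------
@dataclass
class Database:
    rows: dict = field(default_factory=dict)    # owner -> list of records
    grants: dict = field(default_factory=dict)  # account -> set of owners it may read

    def select_all(self, account: str) -> list:
        """Every record the account's grants allow; the server refuses the rest."""
        readable = self.grants.get(account, set())
        return [r for owner, recs in self.rows.items() if owner in readable for r in recs]


def build_db() -> Database:
    db = Database(rows={"alice": ["a1", "a2"], "bob": ["b1"], "carol": ["c1"]})
    # Design A: one shared account granted everything; filtering happens client-side.
    db.grants["app"] = set(db.rows)
    # Design B: one DB account per user, granted only that user's rows (least privilege).
    for user in db.rows:
        db.grants[user] = {user}
    return db


def exposed_if_client_compromised(db: Database, design: str, user: str) -> list:
    """Records readable with nothing more than the credentials one client holds."""
    account = "app" if design == "shared" else user
    return db.select_all(account)


if __name__ == "__main__":
    db = build_db()
    print("recovered from artifact:", app_db_password())
    print("shared account, bob's client compromised:", exposed_if_client_compromised(db, "shared", "bob"))
    print("per-user account, bob's client compromised:", exposed_if_client_compromised(db, "per-user", "bob"))
```

Moving the credential onto a server the provider controls, as the earlier reply suggested, is the same idea taken one step further: the client then holds only the user's own credential, never the database's.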