Can anyone recommend resources (articles, books, etc...) on delivering secure applications? The deliverable is a desktop application (.net code). The objective is to make the product really hard to crack (of course 100% is not possible).

Any tips on your own personal experiences would be very helpful.

Thanks in advance,

Gabe

phantommig21 wrote:

Can anyone recommend resources (articles, books, etc...) on delivering secure applications? The deliverable is a desktop application (.net code). The objective is to make the product really hard to crack (of course 100% is not possible).

Any tips on your own personal experiences would be very helpful.

Thanks in advance,

Gabe

What do you mean by secure? What scenarios do you envision it being "cracked?"

mikeg22 wrote:

What do you mean by secure? What scenarios do you envision it being "cracked?"

Just looking for info on ways to prevent people from tampering/copying/stealing code from the application.

The app is a forecasting application using unique algorithms to simulate future possible scenarios of events. Everything is on the client computer (embedded db - using LLBLGen generated code of course, etc...).

What I don't want to happen is for interested individuals peeking into the code of the algorithms (or making heads or tails of it using reflector and such).

Additionally, I only want people who we contract (license) with to have access to the application on their computers (eg. license like LLBLGen). In other words, I want to make it really hard for crackers to make it available on peer2peer networks and such (not that the demand for such an application is high, just a scenario ).

As you can tell, this is all new to me as I never had to worry about protecting the algorithms and application before as it was used in-house (one person show = stress ).
It is a learning process.

Have you considered using hardware protection like for example HASP dongles?

• make as much classes/methods/properties internal
• obfuscate with a proper obfuscator (which work much better if more and more code is internal/private).

We wrote our own, as the licensing libraries back in 2003 were pretty sucky. Today, xheo for example is pretty solid. So I'd go for one of these.

The thing is: no matter what you do, how hard you make it to crack the app, if it takes them too long to crack, they'll simply use a stolen creditcard and buy a valid license with that and ship that license with the tool. You'll then get a chargeback after a month or so, but they already have a valid license.

Another option you could consider is moving your algorythims to a service that you host. This way, people don't have access to any of your code. You can use the WS-* stuff to secure the service, or you can use WCF type service and secure that.

BOb