Secure Application Delivery

Posts: 3
Joined: 09-Jul-2007
# Posted on: 14-Jul-2007 19:27:10   

Can anyone recommend resources (articles, books, etc...) on delivering secure applications? The deliverable is a desktop application (.net code). The objective is to make the product really hard to crack (of course 100% is not possible).

Any tips on your own personal experiences would be very helpful.

Thanks in advance,

Gabe

mikeg22
User
Posts: 411
Joined: 30-Jun-2005
# Posted on: 14-Jul-2007 20:26:33   

phantommig21 wrote:

Can anyone recommend resources (articles, books, etc...) on delivering secure applications? The deliverable is a desktop application (.net code). The objective is to make the product really hard to crack (of course 100% is not possible).

Any tips on your own personal experiences would be very helpful.

Thanks in advance,

Gabe

What do you mean by secure? What scenarios do you envision it being "cracked?"

Posts: 3
Joined: 09-Jul-2007
# Posted on: 14-Jul-2007 21:22:21   

mikeg22 wrote:

What do you mean by secure? What scenarios do you envision it being "cracked?"

Just looking for info on ways to prevent people from tampering/copying/stealing code from the application.

The app is a forecasting application using unique algorithms to simulate future possible scenarios of events. Everything is on the client computer (embedded db - using LLBLGen generated code of course, etc...).

What I don't want to happen is for interested individuals to peek into the code of the algorithms (or make heads or tails of it using Reflector and such).

Additionally, I only want people who we contract (license) with to have access to the application on their computers (e.g. a license like LLBLGen's). In other words, I want to make it really hard for crackers to make it available on peer2peer networks and such (not that the demand for such an application is high, just a scenario).

As you can tell, this is all new to me as I never had to worry about protecting the algorithms and application before as it was used in-house (one person show = stress).
It is a learning process.

stefcl
User
Posts: 210
Joined: 23-Jun-2007
# Posted on: 14-Jul-2007 22:51:09   

Have you considered using hardware protection like for example HASP dongles?

Otis
LLBLGen Pro Team
Posts: 39588
Joined: 17-Aug-2003
# Posted on: 15-Jul-2007 12:40:47   
  • make as many classes/methods/properties internal as possible
  • obfuscate with a proper obfuscator (which works much better the more code is internal/private).

We wrote our own, as the licensing libraries back in 2003 were pretty sucky. Today, xheo for example is pretty solid. So I'd go for one of these.

The thing is: no matter what you do, how hard you make it to crack the app, if it takes them too long to crack, they'll simply use a stolen credit card and buy a valid license with that and ship that license with the tool. You'll then get a chargeback after a month or so, but they already have a valid license.

Frans Bouma | Lead developer LLBLGen Pro
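
Added example (not part of the original thread, and not LLBLGen Pro's or xheo's licensing code): one common shape for the kind of licensing check discussed above is an offline verification of a vendor-signed license against a public key embedded in the application. The `LicenseCheck` class, the `licensee|yyyy-MM-dd` payload format and the sample values are hypothetical; it assumes a runtime where `RSA.Create(int)` is available (.NET Framework 4.7.2+ or .NET Core 2.0+).

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example. LicenseCheck and the "licensee|yyyy-MM-dd" format are hypothetical.
static class LicenseCheck
{
    // True only if the vendor's signature covers this exact payload
    // and the expiry date has not passed.
    public static bool IsValid(string payload, byte[] signature,
                               RSAParameters vendorPublicKey, DateTime nowUtc)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(vendorPublicKey);
            // Verify before parsing: unsigned input is never interpreted.
            if (!rsa.VerifyData(Encoding.UTF8.GetBytes(payload), signature,
                                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
                return false;
        }
        string[] parts = payload.Split('|');
        DateTime expiry;
        return parts.Length == 2
            && DateTime.TryParseExact(parts[1], "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out expiry)
            && nowUtc.Date <= expiry;
    }

    static void Main()
    {
        // Vendor side, constructed for the demo: the private key stays with the vendor.
        using (RSA vendor = RSA.Create(2048))
        {
            RSAParameters publicKey = vendor.ExportParameters(false); // only this ships in the app
            string payload = "Example Customer Ltd|2030-12-31";       // constructed sample license
            byte[] sig = vendor.SignData(Encoding.UTF8.GetBytes(payload),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTime now = new DateTime(2025, 1, 1, 0, 0, 0, DateTimeKind.Utc);

            Console.WriteLine("genuine license: " + IsValid(payload, sig, publicKey, now));
            // Editing the licensee or the date invalidates the signature.
            Console.WriteLine("edited payload:  " + IsValid("Someone Else|2099-12-31", sig, publicKey, now));
            // A genuine license is still rejected after its expiry date.
            Console.WriteLine("after expiry:    " + IsValid(payload, sig, publicKey, now.AddYears(10)));
        }
    }
}
```

Because this check runs in client-side IL it can be located and patched out, which is why it belongs together with the internal/obfuscation advice in the post above rather than on its own.
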
PilotBob
User
Posts: 105
Joined: 29-Jul-2005
# Posted on: 16-Jul-2007 17:54:54   

Another option you could consider is moving your algorithms to a service that you host. This way, people don't have access to any of your code. You can use the WS-* stuff to secure the service, or you can use a WCF-type service and secure that.

BOb