Possible To Reverse Engineer My App?

maximo

If I use the LGPL license, I am required to dynamically link to the Qt framework DLLs for my application. However, doesn't this mean that someone could download the source code to those framework DLLs, add what I'd call "sniffer code" inside, recompile, replace my Qt framework DLLs with these hacked ones, and start sniffing parts of my code to find unencrypted things like server URLs, passwords, hash salts, and perhaps even sections of my source code?

SysTech

Yes perhaps.

It would take a lot of work to do such a thing but then again there are quite a few people in this world with far too much time on their hands and that have nothing better to do.

I think the deal is this:

If your app accesses some public server you plan to put up then you should have a very good, rotating encryption scheme so that even if someone does put in the work to do as you say they only get something that is good perhaps for a very short time.

Even if you purchase a commercial license and statically bind everything a network sniffer could give some one similar information if they figured out what you were doing. Again the only combat against this I know of is to be proactive in your protective measures. That means something that rotates encryption and protection on a regular basis.

As far as reverse engineering to your source without a doubt some of that is possible. I wrote a "decompiler" many years ago for fun but such a thing really can't recreate your exact code. Just by looking at instructions one can slowly gain an idea of what you are doing but in the end that is a lot of work.

Again it comes back to how valuable what you are doing is. If your program will sell a BaZillion copies at $1000 a copy then sure you probably want to spend a fair amount of time to protect it. If your program will sell for $25,000 then you can bet someone will not want to pay that price and will hack at it.

I think the attraction to hacking depends upon the utility of the program. For example everyone in the world that is a machine geek is probably interested in a free copy of Solidworks, the 3D giant. So yes they get hacked all the time. On the other hand I wrote a simple meeting manager which had an audience of about 500 companies. To my knowledge it was never hacked as it was just not worth it. I also set the price point where it was cheaper to buy it than to risk a hacked version.

Many of the things you ask about are possible and really you as the author are the only one that can decide how important they are to you.

alex_malyu

Just adding to above post.

Linking to known Qt dll does not make hacking anyhow simpler or harder.

jsulm

"find unencrypted things like server URLs, passwords, hash salts" - to do this there is no need to replace any DLLs, just open the app binary in a hex editor and look for strings. And anybody can use a network sniffer like Wireshark to see which server your app is contacting and if you do not use encryption even log the whole communication.

maximo

Thank you all for these answers. From what I can tell, yes it would be difficult, although it would hardly do anything more than show to the sophisticated, patient, dedicated hacker what I'm conceptually doing, just not having the source code. As for hash salts, passwords, URLs, etc. -- yeah, encryption is necessary, but even then one can hook a function to see the unencrypted version that eventually gets processed such as on an HTTP connection. And yes, Wireshark can also detect these things too.

SysTech

@maximo:

Are you writing the server as well? If so then you still have the option with rotating security to make things pretty hard to hack but it takes some work.

Obviously if you are connecting to a public server you don't control then sure Wireshark or other network sniffer can help someone to find that login/password.

As far as storing these things in your code you can salt them when you store then and unsalt just prior to send. So perhaps you have something like:

 QString pw = "#U$(#L@L4JhDK";

This would not be what you send, you'd desalt, decrypt it using using whatever your salt/crypto routine is just before blasting it out. This way a hex editor still makes it difficult to find things.

In my 30+ years of doing software the BEST protection routines in my humble opinion are:

1. Price things so security is not much of a problem. IE make it easy to buy then it is less likely someone will spend hundreds of hours hacking it. That may still happen though just for the fun of it but when a real licensed copy can be had for far less money than the individual will put in they are likely to move on to hacking bigger and more expensive things.

2. Rotating security. If you control both the app and server then use a matrix plus date/time to rotate your security. So on some day the password might be abc1234 but 2 hours later it is 92ygii. etc. The period you choose is up to you and the algorithm also is up to you. Yes in a wireshark capture they will see login with 92ygii and it will work for them for some period of time, then stop.

3. Secure sockets. Make the initial connection and perhaps login over standard TCPIP then exchange a rotating key and go secure. IE reconnect over a secure socket bound to the exchanged key. Wireshark can still get the login and perhaps the key but then they have to exchange the key correctly and suddenly the connection drops and a new connection using that key would have to be created. Kind of a lot of work and since the logins/keys rotate it becomes extra hard to write a hack that works. But again for this you would need to control the server too.

I am currently doing a biomed app using similar schemes to the above. In our recent FDA audit the HIPPA gal who is so ever concerned about personal info leaking out took one look at my graphic explaining the scheme, closed her notebook and said, that is just fine and she moved on to the next phase of the audit.

I have zero doubt that the above schemes can be figured out and hacked but it would change often enough that unless they figure out the rotation scheme then whatever they figure out suddenly stops working in the next period.

One of my co-workers likes the idea so much he is playing with rotating the rotation scheme itself. So even if they can hack and figure out say 3 passwords in a row the whole scheme for the 4th might totally change. I think it is overkill but he has a little time to burn right now.

Good luck with your app!

timday

There's an interesting post on the Qt Blog which makes a case for how some things about licensed Qt make reverse engineering and hacking more difficult: https://blog.qt.io/blog/2015/02/17/qt-weekly-26-protecting-your-application-against-hacking/ Some of the arguments are more convincing than others.

I'd be curious to know of any evidence - even anecdotal - of this stuff actually going on. Security and hacking and infosec is a serious business for sure, as is crackability of $100s-$1000s/seat licenses, but for most of us the idea that some team somewhere is waiting to pounce on my FooBar App, rip it's QML and plugins off and put out their own SuperFuBahPlus App is fairly incredible... isn't it????