Security issue with compiled application



  • I've just find a problem that worries me too much. Create a simple application and for example declare a QString variable like below:
    @QString test = "hello";@
    now compile the application and open the compiled file with a text editor (such as notepad). you can simply find "hello" visible.
    I use MinGW as my compiler. i wonder if there is a way to fix the problem or any ideas?



  • note that this is about all variables and const strings. It allows hackers to see every transactions such as SQL commands and etc. Please help


  • Moderators

    That is normal. Typically all text can be found directly as plain text in your executable. At least simple ASCII text. If you use other character sets as Cyrillic, I would assume that it is the same.
    So, it is not a good idea to have passwords for estalishing connections stored in strings in your source especially when you some text around indicating that this a password.

    If you are seeing problems that someone may read the sequence of commands used, you may call the commands indirectly through a table where the commands are stored simply alphabetically.

    If you consider the knowledge of used commands as a security problem, you could do some encryption for instance. However, this becomes a bit cumbersome for larger sections.

    I am wondering if there are simpler ways to hide details.



  • but some compilers encrypt strings on release. there must be a way for this problem. it`s not ideal oftenly encrypt and decrypt my data. impossible!


  • Moderators

    [quote author="mohsen" date="1319914934"]but some compilers encrypt strings on release. there must be a way for this problem. it`s not ideal oftenly encrypt and decrypt my data. impossible![/quote]
    You are right en- and decrypting is not really a solution.
    I have checked some executables compiled with a microsoft compiler. You can find the text string in the exe as well. However, this is only text to be displayed to user anyhow. So, it is not really an issue.



  • what about vb6 compiler? it is fully encrypted


  • Moderators

    I never bothered about this problem. Therefore, I may be completely wrong on this issue. With C and C++ it was always this way as far as I remember.
    vb compiler I did not use, yet. However, Basic was an interpreter only language at its start. There you had the whole program logic in plain text as well. The compilation "hides" the program logic, maybe also the text strings are stored in more compacted way.



  • Even if your strings were encrypted, the used key is most probably stored within your binary. So it wouldn't be an encryption, but rather some obfuscation.

    Don't spend time on such things. Any kind of encryption in this area would be more or less weak and anyone wanting to inspect your binary will be able to extract the strings.

    And yes, this is C (and therefore C++) behavior for ages. Unix systems even have a tool to extract the strings from any bunch of binary data (look up the man page for the "strings" command).

    If your really do bother about those security constraints, then put the logic on a secured server and only have authenticated clients talk to that. But be aware, that this could be spoofed too.



  • [quote author="mohsen" date="1319917659"]what about vb6 compiler? it is fully encrypted[/quote]

    Are you sure? AFAIK, VB works with BSTRs which means they use 2 byte strings. You can read them.



  • @Gerolf: I tested a simple app in vb6. i didn't find my string content. with GCC even label texts, lists and everything is fully visible!



  • [quote author="Volker" date="1319922669"]Even if your strings were encrypted, the used key is most probably stored within your binary. So it wouldn't be an encryption, but rather some obfuscation.

    Don't spend time on such things. Any kind of encryption in this area would be more or less weak and anyone wanting to inspect your binary will be able to extract the strings.

    And yes, this is C (and therefore C++) behavior for ages. Unix systems even have a tool to extract the strings from any bunch of binary data (look up the man page for the "strings" command).

    If your really do bother about those security constraints, then put the logic on a secured server and only have authenticated clients talk to that. But be aware, that this could be spoofed too.[/quote]

    accidentally i'm working on a client server application. my server app acts like a bridge for sql data and operations. but in anyway client app must send its request together with license number to server otherwise server denies the request. So both license number and sql commands would be stolen easily. even user can understand the structure of database. I should find a way. "dirty code" is a choice!



  • So... why do you hardcode such things in a binary then? The licence key has no business being in the application at all. And as for the communication: that is something to worry about. Read up about setting up secure communication. Worrying about your user-visible strings being visible in the source of the application is the least of your worries.

    Volkers' remark is very much to the point though: you can never, ever completely be secure against attacks from people who you give both the key and the encrypted data. And your users will always need both, otherwise your application will not run at all. This is also the reason why DRM on things like games and DVD & Bluray is fundamentally flawed. A determined person will always be able to find a way to leverage the fact that the key is there somewhere. You need to accept that your application is not going to be secure against people inspecting it. So don't depend on that for the security of your entire setup.

    Note that the fact that you didn't find the strings in a VB compiled application, doesn't mean that they are not there and easy to find for someone who knows what to look for.



  • i see pc application can be deassembed easily. ok i`ll go for license security atlest.
    network communications security is already solved by ssl.
    thanks all for informations.



  • [quote author="mohsen" date="1319973211"]@Gerolf: I tested a simple app in vb6. i didn't find my string content. with GCC even label texts, lists and everything is fully visible![/quote]

    Hi, just as a side note:

    I created a small VB program with a label and some text in the code, opened the executable in notepad++ and found it within 10 seconds. It's not encrypted.

    Text in resources is stored as ASCII string and text in source code as UTF16 string, which means, notepad++ shows:
    H<nul>a<nul>l<nul>...


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.