Avoid exposing DB credentials when decompiling .exe


I was just testing a DB connection on a C# project I'm working on. I was wondering if there is any protection against my credentials being exposed by possible decompiling.

using System;
using System.Windows.Forms;
using MySql.Data.MySqlClient;

public class DbTest
{
    private MySqlConnection conn;

    // Returns 1 when the connection opens, 0 on any failure.
    public int connect_DB()
    {
        try
        {
            // Credentials as string literals: they are compiled into the assembly's
            // user-string heap and are visible to any decompiler.
            string server = "localhost";
            string db = "myDB";
            string username = "myUsername";
            string password = "passwordDB";

            string constring = $"SERVER={server};DATABASE={db};UID={username};PASSWORD={password};";

            conn = new MySqlConnection(constring);
            conn.Open();

            return 1;
        }
        catch (Exception)
        {
            MessageBox.Show("Please contact an administrator", "Database connection failed",
                MessageBoxButtons.OK, MessageBoxIcon.Error);
            return 0;
        }
    }
}

This project will be built as a .exe and provided to companies. If someone decompiles the code, the DB credentials will be shown in plain text, and that can lead to some obvious problems.

Thanks!

2

There are 2 answers

3
Maxim_A

Decompiling a .NET build (.exe) is not difficult. There are decompilers for this such as dnSpy, JustDecompile and others. To protect your code from decompilation, you need to use an obfuscator. The obfuscator makes your source code difficult to read after decompilation while retaining its functionality. There are also a huge number of obfuscators, both paid and free. I would recommend using .NET Reactor. But it is also worth remembering that for almost any obfuscator there are deobfuscators that decrypt assemblies processed by that obfuscator. For example, to deobfuscate assemblies processed by .NET Reactor there is the NETReactorSlayer project.

As a result, I would advise you:

  1. Do not work directly with the database if possible. It is better to deploy a Web API server and implement user authorization and request processing on it.
  2. Use an obfuscator for additional protection. I recommended .NET Reactor above, but you need to understand how it works. For example, this obfuscator has a useful "Code Virtualization" feature which complicates the decompilation of a method. At least NETReactorSlayer fails to decompile methods marked with this attribute.
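To see exactly what the decompilers named in this answer see, the following added example (not code from the question or from either answer) walks the #US (user-string) heap of a compiled .NET assembly with the System.Reflection.Metadata API that ships with .NET and flags every literal that looks like a connection-string fragment. The list of key names and the "!!" marker are my own choices for the example; nothing else is assumed. Run it over the release build before it ships:

```csharp
// Added example, not from the question or the answers: lists every string
// literal compiled into a .NET assembly by walking its #US (user string) heap,
// which is where dnSpy and similar tools read literals from.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection.Metadata;
using System.Reflection.Metadata.Ecma335;
using System.Reflection.PortableExecutable;

public static class LiteralScanner
{
    // Keys that appear in ADO.NET / Connector/NET connection strings (my own list).
    private static readonly string[] SecretKeys =
        { "PASSWORD=", "PWD=", "UID=", "USER ID=", "SERVER=", "DATABASE=" };

    // Every non-empty literal in the user-string heap, in heap order.
    public static IEnumerable<string> UserStrings(string assemblyPath)
    {
        using var stream = File.OpenRead(assemblyPath);
        using var pe = new PEReader(stream);
        if (!pe.HasMetadata) yield break;              // not a managed assembly
        MetadataReader md = pe.GetMetadataReader();

        // Heap offset 0 is the empty string; the first real literal starts at 1.
        UserStringHandle h = MetadataTokens.UserStringHandle(1);
        while (!h.IsNil)
        {
            string s = md.GetUserString(h);
            if (s.Length > 0) yield return s;
            h = md.GetNextHandle(h);                   // nil handle past the end
        }
    }

    // True when a literal looks like (part of) a connection string.
    public static bool LooksLikeConnectionString(string literal) =>
        SecretKeys.Any(k => literal.Contains(k, StringComparison.OrdinalIgnoreCase));

    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: LiteralScanner <assembly.exe>");
            return;
        }
        foreach (string s in UserStrings(args[0]))
        {
            // Flagged fragments such as ";PASSWORD=" sit right next to the password
            // literal itself: an interpolated string compiles to separate pieces.
            string mark = LooksLikeConnectionString(s) ? "!! " : "   ";
            Console.WriteLine(mark + s.Replace("\n", "\\n"));
        }
    }
}
```

Against the question's build this prints `localhost`, `myDB`, `myUsername` and `passwordDB` next to the flagged `SERVER=` / `;PASSWORD=` pieces, no decompiler required. A string-encrypting obfuscator moves the literals out of this heap, but the program still has to decrypt them before calling `MySqlConnection`, so they can be read from memory or with a debugger at that point; that is the limitation the answer's NETReactorSlayer remark is about.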
0
JonasH

I was just testing a DB connection on a C# project I'm working on. I was wondering if there is any protection against my credentials being exposed by possible decompiling.

No, not really. If your program is running on a computer where the customer is competent and has administrative access to the program and/or database, he or she will be able to find the password. You can take steps, like obfuscation, to make this more difficult, but that does not provide any guarantees.

But you need to ask yourself who owns the data. If the customer owns the data, it is entirely natural that they should have access to that data. So using integrated security, or possibly a customer-specific password, is fine. At most the customer will be able to harm themselves. You should have some documentation about how the system should be administered, like not deleting the database file if the disk gets full.

If you "own" the data, then the data should be placed on a server you have full control over, with credentials handed out to each customer. You can use the database's authentication mechanisms for this, but it is more common today to build a web API on top of the DB.

In either case, you should probably be using unique credentials for each customer if the data is sensitive in any way.
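The following added example (not code from the question or from either answer) shows the shape of the design both answers end on: a web API that holds the only copy of the database credentials and hands each customer its own key, so the shipped .exe contains no database secret and cannot reach the database at all. It is written against ASP.NET Core minimal APIs and the same MySql.Data client the question uses. The route `/api/orders`, the `X-Api-Key` header, the `ApiKeys(customer_id, key_hash)` and `Orders(id, total, customer_id)` tables, the `ConnectionStrings:Orders` setting and the `ORDERS_API_KEY` environment variable are all assumptions for the example; the server and the client class are shown in one file for brevity but belong in two projects.

```csharp
// Added example, not from the question or the answers. Server: ASP.NET Core
// minimal API in front of MySQL. Client: the class the WinForms app would use.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using MySql.Data.MySqlClient;

var builder = WebApplication.CreateBuilder(args);

// The only place the database password exists: the server's configuration
// (appsettings.json, an environment variable or a secret store), not the client.
string connString = builder.Configuration.GetConnectionString("Orders")
    ?? throw new InvalidOperationException("ConnectionStrings:Orders is not configured");

var app = builder.Build();

app.MapGet("/api/orders", async (HttpRequest req) =>
{
    // Per-customer key presented by the client. Only its SHA-256 is stored, so a
    // dump of the ApiKeys table (assumed schema) does not yield usable keys.
    if (!req.Headers.TryGetValue("X-Api-Key", out var presented) || presented.Count != 1)
        return Results.Unauthorized();
    byte[] keyHash = SHA256.HashData(Encoding.UTF8.GetBytes(presented.ToString()));

    using var conn = new MySqlConnection(connString);
    await conn.OpenAsync();

    long customerId;
    using (var lookup = new MySqlCommand(
        "SELECT customer_id FROM ApiKeys WHERE key_hash = @h", conn))
    {
        lookup.Parameters.AddWithValue("@h", keyHash);
        object? row = await lookup.ExecuteScalarAsync();
        if (row is null) return Results.Unauthorized();
        customerId = Convert.ToInt64(row);
    }

    // The customer only ever sees its own rows; this is enforced here, server
    // side, so nothing in the .exe can widen it.
    var orders = new List<object>();
    using (var cmd = new MySqlCommand(
        "SELECT id, total FROM Orders WHERE customer_id = @c", conn))
    {
        cmd.Parameters.AddWithValue("@c", customerId);
        using var rd = await cmd.ExecuteReaderAsync();
        while (await rd.ReadAsync())
            orders.Add(new { Id = rd.GetInt64(0), Total = rd.GetDecimal(1) });
    }
    return Results.Ok(orders);
});

app.Run();

// ---- client side: what replaces connect_DB() in the WinForms project ----
public sealed class OrdersClient
{
    private readonly HttpClient _http;

    // The key is provisioned per customer at install time and read from something
    // the OS protects for that user; it is never a compile-time literal. An
    // environment variable is assumed here; on Windows a file protected with
    // ProtectedData.Protect (DPAPI) is the native alternative.
    public OrdersClient(Uri apiBase, string apiKey)
    {
        _http = new HttpClient { BaseAddress = apiBase };   // https only in practice
        _http.DefaultRequestHeaders.Add("X-Api-Key", apiKey);
    }

    public static OrdersClient FromEnvironment() =>
        new(new Uri("https://api.example.com/"),            // assumed address
            Environment.GetEnvironmentVariable("ORDERS_API_KEY")
            ?? throw new InvalidOperationException("ORDERS_API_KEY is not set"));

    public Task<List<Order>?> GetOrdersAsync() =>
        _http.GetFromJsonAsync<List<Order>>("/api/orders");
}

public sealed record Order(long Id, decimal Total);
```

With this split, decompiling the .exe yields at most that customer's own API key, which is exactly the "unique credentials for each customer" the answer asks for: revoking it means deleting one row in `ApiKeys`, and it grants nothing beyond the queries the server chooses to expose. Serve the API over TLS only, since the key travels in a header.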