> On Jan 8, 2015, at 7:46 PM, Jsparrow <[email protected]> wrote:
> 
> If I create a C# Windows application and hardcode the decryption key in a 
> string variable (so that my app can access the contents of the db) and 
> compile the application into an .exe file, can someone really find out the 
> key just by using the .exe file?

Sure. It's not even stored in the code; it's in a different section of the 
binary where constant data goes. (I've never coded for Windows so I don't know 
the format of their binaries, but all executable formats work this way.) 
Finding an AES encryption key would be harder than finding, say, a password, 
because a raw key is just 32 random bytes with no detectable pattern, but you 
can still decompile or step through the code as the app runs, for example 
looking for OS calls that do decryption and checking what parameters are passed 
to them.

This kind of thing happens all the time. It's how people break DRM, crack 
copy-protected software, create cheats for online games, jailbreak phones. 
There are people who are very good at this and see it as a challenge — they'll 
crack stuff even if they don't personally care about it, just to show off.

> If they can find the key like that, does that mean that all of my C# code is 
> available to them as well?

I don't know as much about C#, but compiled Java code is easily decompiled. The 
output looks almost exactly like the original source code except that some 
names are lost (local variables, I think) and of course there aren't any 
comments.

> I just want to encrypt the email credentials in case I ever lose the usb 
> drive.

Just encrypt the filesystem on the drive, if Windows supports that.

—Jens
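
As an added example (not part of the original message or of any Couchbase code), here is a pre-release audit in Python that scans a build artifact for string literals that decode to an AES-sized key, the situation the question describes. It checks both 8-bit and UTF-16LE text because C# string literals are stored as UTF-16 in the compiled assembly; all function names and the sample blob are constructed for illustration.

```python
import base64
import re

KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes
TOKEN = re.compile(r"[0-9A-Za-z+/]{22,}={0,2}")  # long enough to encode 16+ bytes

def extract_strings(blob, min_len=16):
    """Yield (offset, text) for printable runs stored as 8-bit or UTF-16LE text."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.start(), m.group().decode("utf-16-le")

def decode_key_candidate(token):
    """Return the decoded bytes if token is hex or base64 for an AES-sized key."""
    for decoder in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            raw = decoder(token)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) in KEY_SIZES:
            return raw
    return None

def find_embedded_keys(blob):
    """Return (offset, token, key_length) for each key-shaped string literal."""
    findings = []
    for offset, text in extract_strings(blob):
        for m in TOKEN.finditer(text):
            raw = decode_key_candidate(m.group())
            if raw is not None:
                findings.append((offset, m.group(), len(raw)))
    return findings

# Constructed sample: a stand-in key, base64-encoded and laid out the way a
# UTF-16LE string literal would sit among other bytes of a binary.
SAMPLE_KEY = bytes(range(32))
SAMPLE_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00\x03\xff\x10" * 8
               + SAMPLE_B64.encode("utf-16-le") + b"\x00\x01"
               + b"\x8b\xff" * 8 + b"This program cannot be run in DOS mode.\x00")

if __name__ == "__main__":
    for offset, token, size in find_embedded_keys(SAMPLE_BLOB):
        print(f"offset {offset}: {size}-byte key candidate {token}")
```

Hits are candidates for review, not proof: a 32-character alphanumeric identifier also decodes as 24 bytes of base64. A key stored as a raw byte array rather than encoded text has no such shape and will not be flagged by this check.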
