Any way to store a password securely in an application


I'm very confident that the answer to this is simply no, but I'd like to cover all my bases.

In the context of .net, is there a way to write an app, not a web app or service, but an app such that it has access to a service without the end user having direct access to the same service?

Or, in more concrete terms, is there any way to store a password, credentials of some form, within an app or within an app and file (both of which the user would have access to) such that I could confidently state that a user could not use them to extract the credentials and gain access to that service in general?

I'm aware that I could make this very difficult, but I am under the impression that given this scenario and setup I cannot make retrieval of these credentials and this password more or less impossible. Is there any way this can be done where I can assure interested parties that it would be secure?


1
On BEST ANSWER

The answer is: no, it is impossible to make it so the user can't get the password for your service, but you can take steps to make it hard for them to get the password.

Some simple things you can do:

  • Store the password encrypted on the user's hard drive (that includes inside compiled exe and dll files) and only have it stored in a SecureString while in unencrypted form.
  • Use code obfuscators to make it harder to reverse engineer your code (you will need to hide the decryption function from the first suggestion).
  • Hire someone experienced in this kind of "defensive coding" as a consultant to look over your program and make it harder to reverse engineer.
  • Write a proxy service that is fully under your control and not hosted on any equipment the end user has physical access to, which makes the calls to the 3rd-party service you want to protect; an end user could see the login for your proxy but could not see the login for what is behind the proxy.

All these things cost effort/money; when designing security measures like this you have to ask yourself the simple question: "How much will it cost me if one person overcomes the protections I put in place and shares it with the world?"

Once you have that answer, you spend up to that much money/effort on securing your product, because if you spend more than that it would have been cheaper to just let the information leak (a sad truth about software development and security).
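The proxy service from the last bullet is the one option in the answer that actually keeps the third-party credential off the user's machine, so here is a worked example of it. This is an added illustration, not code from the question or the answer; it is written in Python with only the standard library (the proxy is independent of the .NET client's language, and this keeps it runnable offline). The upstream "third-party" API, its key (UPSTREAM_API_KEY), the per-user tokens (USER_TOKENS), the allow-listed path (/v1/quote) and the port handling are all constructed for the example. Both servers run in-process on localhost; in a real deployment the proxy runs on a host the user cannot read, and the upstream key comes from that host's secret store.

```python
"""Credential-hiding proxy (added example, not the original post's code).

The third-party API key exists only inside the proxy process. Clients
authenticate to the proxy with a per-user token that can be revoked on
its own and that only unlocks an allow-listed set of upstream operations.
All secrets, tokens and paths below are constructed for the example.
"""
import hmac
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed secrets: real values would come from the proxy host's secret store.
UPSTREAM_API_KEY = "upstream-secret-key-never-shipped-to-clients"
USER_TOKENS = {"alice-token": "alice", "bob-token": "bob"}   # revocable per user
ALLOWED_PATHS = {"/v1/quote"}   # the only upstream operations users may reach


class JsonHandler(BaseHTTPRequestHandler):
    """Shared helpers: JSON responses and silenced request logging."""

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


class Upstream(JsonHandler):
    """Stand-in for the third-party service: it accepts only the real API key."""

    def do_GET(self):
        presented = self.headers.get("X-Api-Key", "")
        if not hmac.compare_digest(presented, UPSTREAM_API_KEY):
            return self._send(401, {"error": "bad api key"})
        self._send(200, {"path": self.path, "quote": "42.0"})


class Proxy(JsonHandler):
    """The service you control: authenticates users, authorizes the path,
    then calls upstream with the key the user never sees."""

    upstream_url = None   # filled in by start_servers()

    def do_GET(self):
        user = self._authenticate()
        if user is None:
            return self._send(401, {"error": "missing or unknown token"})
        if self.path not in ALLOWED_PATHS:
            return self._send(403, {"error": "path not permitted"})
        req = Request(self.upstream_url + self.path,
                      headers={"X-Api-Key": UPSTREAM_API_KEY})
        try:
            with urlopen(req, timeout=5) as resp:
                body = json.loads(resp.read())
        except HTTPError:
            # Do not relay upstream error bodies verbatim; they may leak details.
            return self._send(502, {"error": "upstream request failed"})
        body["user"] = user
        self._send(200, body)

    def _authenticate(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        for token, user in USER_TOKENS.items():   # constant-time compare per token
            if hmac.compare_digest(presented, token):
                return user
        return None


def start_servers():
    """Start upstream and proxy on free localhost ports; returns both servers."""
    upstream = ThreadingHTTPServer(("127.0.0.1", 0), Upstream)
    Proxy.upstream_url = "http://127.0.0.1:%d" % upstream.server_address[1]
    proxy = ThreadingHTTPServer(("127.0.0.1", 0), Proxy)
    for srv in (upstream, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return upstream, proxy


def call(base_url, path, headers=None):
    """Client helper: returns (status, decoded JSON body, raw response headers)."""
    try:
        with urlopen(Request(base_url + path, headers=headers or {}), timeout=5) as r:
            return r.status, json.loads(r.read()), str(r.headers)
    except HTTPError as e:
        return e.code, json.loads(e.read()), str(e.headers)


def demo():
    """Exercise the four cases a practitioner cares about and return the results."""
    upstream, proxy = start_servers()
    up = "http://127.0.0.1:%d" % upstream.server_address[1]
    px = "http://127.0.0.1:%d" % proxy.server_address[1]
    try:
        return {
            "ok": call(px, "/v1/quote", {"Authorization": "Bearer alice-token"}),
            "no_token": call(px, "/v1/quote"),
            "forbidden": call(px, "/v1/admin", {"Authorization": "Bearer bob-token"}),
            # A user who extracted their proxy token still cannot hit upstream directly.
            "direct": call(up, "/v1/quote"),
        }
    finally:
        for srv in (upstream, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, body, _) in demo().items():
        print(name, status, body)
```

Two design points worth noting: the proxy enforces authorization (the allow-list) as well as authentication, so even a leaked user token only buys the operations you chose to expose, and a single user's token can be revoked without rotating the upstream key; and upstream error responses are replaced rather than relayed, since the thing behind the proxy is exactly what you do not want the client to learn about.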