We have often heard that security is one of the most important aspects of computer software and systems.
But… do we really know what could happen if we don’t protect our software, and how we should do it? 🤔
Basically, the source code of any application can be exposed quite easily, and with .NET it is even easier.
How easy is it to access our code?
In short, very easy. There are programs called decompilers, which perform the inverse operation of a compiler: they take your compiled application and show its code.
Exposing your code could lead to various problems caused by attackers:
- Modify your applications.
- Steal or copy important code from your applications, such as exclusive functions or private methods of your company.
- Bypass or alter security, license or login systems of your applications.
- Distribute unauthorized copies of your application.
- Access your servers, databases or obtain sensitive information about your users.
And there are endless other possibilities that will make your applications insecure and your customers hesitate to use them.
In this example we will show how simple it is to decompile an application and see its original source code. Yes, the code that your company's employees, your programming group or perhaps you yourself developed with so much effort is available to anyone, with no knowledge of reverse engineering, using a simple tool.
The example is a simple application that just asks for a password.
We might think that this application, compiled to an .exe or .dll, is safe, but in a few seconds we can get all the code.
In this example we will use dnSpy, a well-known decompiler for .NET applications.
Just by dragging the application into the decompiler we can see the password it asks for. This is only an example, but in the same way we could obtain more compromising functions, database connections, passwords, etc.
What if we develop open source?
Many times we tend to think that when developing open source applications we do not need to protect the source code since it is publicly exposed to anyone.
And this is true, but not always.
Once the code is released there is of course no need to protect the code itself, but if we publish open source applications under our name or brand we could still have problems.
1. Attackers could easily modify the applications we offer under our brand.
Surely you would not want an attacker to be able to modify your applications and add “illegal” functions, such as a phishing method or functions that steal sensitive information, and then have that application spread over the internet bearing your name or brand.
2. Sensitive information in applications.
The fact that our application is open source, or free, does not mean that it contains no sensitive information, such as connections to databases, storage servers or services such as Azure. If we do not protect this sensitive information, we make it easier for attackers to steal it or to access these servers and services.
3. Guarantee security for our users.
Even if we publish free applications or free tools, we should always ensure the safety of our users and guarantee a minimum level of security so that they can enjoy our services without worries.
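A pre-release check for the risk shown in the decompiler demonstration and in item 2 above, as an added example that is not part of the original article: C# string literals are stored as UTF-16 text inside the compiled assembly, so a script can list them and flag the ones that look like credentials before the build ships. The rule set, function names and sample bytes are constructed for illustration.

```python
import re

# Runs of printable ASCII stored as UTF-16LE (each character followed by 0x00),
# which is how C# string literals appear in a compiled assembly.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Hypothetical rule set for this example; extend it for your own secrets.
RULES = {
    "connection-string credential": re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\s]+"),
    "azure storage key": re.compile(r"(?i)\bAccountKey\s*=\s*[^;\s]+"),
    "url with embedded credentials": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}


def extract_literals(blob: bytes) -> list[str]:
    """Return every UTF-16LE text run of six or more characters in blob."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def audit(blob: bytes) -> list[tuple[str, str]]:
    """Return (rule name, literal) for each literal that matches a rule."""
    findings = []
    for literal in extract_literals(blob):
        for name, pattern in RULES.items():
            if pattern.search(literal):
                findings.append((name, literal))
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for part of a compiled assembly (not a real PE file)."""
    literals = [
        "Enter the password:",
        "Server=db.example.invalid;Database=app;User Id=svc;Password=CONSTRUCTED-ONLY;",
        "Access granted",
    ]
    blob = b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    for text in literals:
        blob += b"\xff\x01" + text.encode("utf-16-le") + b"\x01"
    return blob


if __name__ == "__main__":
    for rule, literal in audit(build_sample()):
        print(f"[{rule}] {literal}")
```

Run `audit()` over the bytes of each .exe or .dll in the build output and fail the release on any finding; a clean result only means none of the listed patterns matched.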
So how should I do it? 🤔
When it comes to security, there are various ways to protect our applications, from copyright and legal documents to tools that protect our source code.
To start introducing security into your applications easily and for free, we recommend you register with Dotnetsafer; we also provide some free tips so you can start implementing security in your applications in a very short time and without advanced security knowledge.