Question Protect ACCDE

M

mcdhappy80

Registered User.
Local time
Today, 23:10
Joined
Jun 22, 2009
Messages
347
I have a security system in my application that depends on one custom property in which I store licence which my application uses in order to work.
I've just found out that I can open this property (from another access database, even when the database containing the property is in an accde format) and change it!
My question is can this somehow be prevented?
Will I make things better if I move property from database to registry key file?
Any ideas on this subject (make the accde completely unusable for abuse) would be appreciated?
Thank You
 
Did you manage to get the property because you knew the property name? How would a person know about the property in the first place in order to extract it.
 
DCrake said:
Did you manage to get the property because you knew the property name? How would a person know about the property in the first place in order to extract it.
Click to expand...
Yes, of course I knew the name, but that's not the way I could find it. I could find it by creating a loop trough db properties and it displayed itself there.
Even if a person don't know the name he can loop trough the properties and find it via elimination process (I suppose he can read about the default db properties on internet and the one that doesn't match on the list would be mine custom).
So I guess the properties are not safe for storing info after all?
Any other ideas?
 
mcdhappy80 said:
So I guess the properties are not safe for storing info after all?
Any other ideas?
Click to expand...

They are safe for 99% of the people out there. If you want to get it to 100% then you are using the wrong tool. Access is not secure and if someone wants to hack your stuff, they will figure it out.

But, just to make it slightly more difficult for them, I would

1. Not store the value in the property in plain text form. I would use an encryption method to encrypt the data and store it there. Then, someone would have to know how you encrypted it.

2. The encryption code can be included in your modules which can be compiled so that it is not readily available.

3. The property name should not be something that makes sense from a person reading it. If you want to store your registration key there, you could call it something like FormActivate. Which then if you include a few other properties with some bogus encrypted data, will make it even harder for them to figure it out.

The main thing to note here is this. Even Microsoft gets their software hacked and keys generated. So, you aren't any more special. Except, that you have one thing going for you. You are not passing this out to a large user base (I'm guessing) and if you encrypt the data, then you don't have to worry about 99% of the population. And if you don't encrypt it, you probably don't have to worry about 90% of the population.
 
boblarson said:
They are safe for 99% of the people out there. If you want to get it to 100% then you are using the wrong tool. Access is not secure and if someone wants to hack your stuff, they will figure it out.
Click to expand...
Which is more secure development environment than access?
boblarson said:
But, just to make it slightly more difficult for them, I would

1. Not store the value in the property in plain text form. I would use an encryption method to encrypt the data and store it there. Then, someone would have to know how you encrypted it.
Click to expand...
I was using some code example that does some encrypting on text string by rotating the characters in it, but I had problems with it, because when I generated encrypted licence on my machine, it decrypts it wrong on the user machine. Maybe because the different version of Windows?
Do You have some reading to guide me to create encrypted licence in access VBA?

boblarson said:
3. The property name should not be something that makes sense from a person reading it. If you want to store your registration key there, you could call it something like FormActivate. Which then if you include a few other properties with some bogus encrypted data, will make it even harder for them to figure it out.
Click to expand...
Hm, didn't cross my mind, thnx :)

boblarson said:
The main thing to note here is this. Even Microsoft gets their software hacked and keys generated. So, you aren't any more special. Except, that you have one thing going for you. You are not passing this out to a large user base (I'm guessing) and if you encrypt the data, then you don't have to worry about 99% of the population. And if you don't encrypt it, you probably don't have to worry about 90% of the population.
Click to expand...
I have to agree with You on this, but it is my job to do everything I can to do things right. (hope You agree with me on this? ;) )

Thank You guys for Your answers.
Cheers!
 
mcdhappy80 said:
Which is more secure development environment than access?
Click to expand...
VB.NET, C#.NET, etc.
I was using some code example that does some encrypting on text string by rotating the characters in it, but I had problems with it, because when I generated encrypted licence on my machine, it decrypts it wrong on the user machine. Maybe because the different version of Windows?
Do You have some reading to guide me to create encrypted licence in access VBA?
Click to expand...
No need to get all fancy with encryption. You can use this simple function to encrypt it because, as I said, you are not going to stop people if they are persistent enough. But this will do for 95% of the people out there. See the sample database I threw together in a few minutes to give you an example. You could run the reg info through the encryption part and store it in the property like you are. Then when you need to check it, you run it back through the decrypt function.
 

Attachments

boblarson said:
VB.NET, C#.NET, etc.
Click to expand...

Actually, I'd say they are actually more insecure than Access' *DE files. Because they compile into bytecode, it's very easy to dissemble and obtain source code. That's why they distribute obfuscater.

C++ would be marginally better but there's also decompiler for machine code so it's not that hard to obtain the keys or other important details. *DE files, being relatively obscure and undocumented (in the sense we don't know anything about its symbols) is more likely to be far more difficult to reverse engineer.

If one really, really want a secure environment, a web application _may_ be the best bet since they have no direct control over the server but there's holes that needs to be plugged.

At the end of day, it has to be remembered that security can't be solved by technology all times. Sometime it's actually a human resources issue.
 
You must log in or register to reply here.

Similar threads

B
Splitting database
Replies
10
Views
238
The_Doc_Man
The_Doc_Man
E
Emmanuel Katto Dubai : Question About Running ACCDE Database in ACCDR (Access Runtime)
Replies
6
Views
458
Cotswold
Cotswold
H
How to run accde database into accdr (Microsoft Access Runtime Application)
Replies
4
Views
519
Hamatto
H
J
Unable to Create the accde file
Replies
11
Views
306
isladogs
isladogs
S
Access table protection from connections and DBreplications
Replies
13
Views
343
isladogs
isladogs

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Back
Top Bottom