I am working on Point-of-Sale project which is given to our company by a special bank.Bank has provided a DLL which interacts with POS via USB port.I have added that DLL which is written in .NET C# language, So no interoperability problems exists.There is a method inside DLL which is called DebitAndShareTheAmount
.This method has two main parameter P1,P2
.
P1
is the Amount in plaintext and the P2
is the amount which should be subtracted from P1
again in plaintext.So if i call DebitAndShare(1000,10);
//it will actually at bank credit my account with 1000-10=990$ and the shop using my app 10$.
The problem is that anybody with some basic knowledge of C# programming and access to that SHOP's computer can install Visual Studio and use that DLL and call the DebitAndShare method and you know the rest.Actually our app is going to act as service provider and available in special shops around the country , the owners of the shop will be paid by giving service available in our app to customers and take their amount(10$).I am going to have a meeting with POS developers about the security issue i just mentioned.
I have gone through the MCTS book and in security section of book, I find out that if the bank DLL uses PublisherIdentityPermission(SecurityAction.InheritanceDemand, CertFile=@"SomeCert.cer")
attribute before DebitAndShare method and mark this method as Protected then we can have one level of security, is that right? what are your suggestions.I also think if bank can give us the encryption algorithm approach , then it will also suffice.
What you are trying to do is stop your app from being cracked, this is similar to a licensing issue i faced previously, i haven't got any great solutions from the community, but only some good suggestions, the point here is no matter how hard you try, as long as you are executing the code on a machine your user has access to, it is always susceptible, leave alone code obfuscation, even encryption can't protect your app some times from a determined cracker with enough skill, and judging by the profitability of messing with your application, there will be many determined one(the only thing is they need to know that it can be done, and they will find some one with the skill).
I might sound like a pessimist here, but that is the hard truth.
The best approach according to me would be to move the parts of the code that are more likely to be cracked to a central server, and expose those methods as web-services calls. I know even this is not completely secure, remember the recent Apple app store hack. Make sure you have followed all the best practices and hope, you will find a crack in your system before anybody else does
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With