
Need to hard-code a password

I am doing this application and it depends on settings that are stored in an XML file. This file should be encrypted, and the values inside it are provided by the guy responsible for creating the application setup and are used to determine available functionality options depending on the version the user installed.

I need a way to store the password hard-coded in my software to be able to decrypt that file at runtime and read the values in it to see which features of the app the user has access to.

Bear in mind that this file should not be edited and is provided as part of the software.

I haven't provided any code, because it's more of a design issue than a coding issue.

I know that hard-coding a password is stupid, yet I am out of options.

asked Nov 29 '25 06:11

Zaid Amir


1 Answer

If you're giving the application to untrustworthy users (i.e. this is a desktop app, rather than code running on an [ASP] server that users can't access directly) then there's nothing that you can do.

If you are giving the code to the user that will decrypt a configuration file, at some point, they will be able to access that file themselves. You could make it harder, possibly even a lot harder if you put in the time/effort/money, but you can't make it impossible. Here are some things that they could do:

  1. Decompile your program and look for the password = "12345" line of code.
  2. Monitor the program's memory; see when it loads the XML file, and try to find the decrypted version of it in memory.
  3. Find the section of code where you read the decrypted XML file and do some action accordingly and change the code so that it always does whatever they want regardless of what's in the file (essentially just commenting out the if check).

Some things you can do to make the above steps harder (but not impossible) include:

  1. Obfuscating your code.
  2. Signing your code.
  3. Doing random pointless stuff to try to confuse would-be code sniffers (for example, play shell games by having 3 files, reading them all, decrypting them all, and then having 2 of them not actually be used).
  4. Send the config file to a web service of yours to be decrypted, rather than decrypting it locally. (This can be defeated by sniffing the network for the decrypted result).
  5. Have a web service that you query to see if the user has permissions to do what you want (again, this can be defeated by sniffing/spoofing the network connection).

Now, it might be possible to actually prevent the user from doing "something", depending on what the "something" is, by not giving them the code that does it in the first place. These would be (potentially; if coded correctly) unbreakable:

  1. Do the work on a server.
    1. Have a web service that does some of the sensitive work. The desktop app only manages the UI or other non-sensitive tasks. If you do this the user can only break the code you've given them.
    2. Make the whole app a website, or other server-based application (i.e. think of MMORPGs) where it simply doesn't function at all without a server; it does almost all of the sensitive (and non-sensitive) work.

Note that the only true solutions require an internet connection being available for all users when using the application; they can't be offline.

answered Nov 30 '25 19:11

Servy
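
The "do the work on a server" option from the answer above, as an added sketch that is not part of the original answer or the asker's application: the edition-to-feature map and the gated work live only on the server, so whatever edition the client claims is ignored. All names, license ids, the token scheme and the in-process "server" are assumptions made for illustration; a token would normally be issued after login or purchase.

```python
# Added illustration, not code from the post. All names are hypothetical.
import hashlib
import hmac

# Server-side state, never shipped to the user. (Constructed sample data.)
SERVER_SECRET = b"server-only-key-constructed-for-this-example"
EDITION_FEATURES = {"basic": {"view"}, "pro": {"view", "export"}}
LICENSES = {"LIC-1001": "basic", "LIC-2002": "pro"}


def _mac(license_id):
    """Server: MAC over the license id with a key only the server holds."""
    return hmac.new(SERVER_SECRET, license_id.encode(), hashlib.sha256).hexdigest()


def issue_token(license_id):
    """Server: hand the client an opaque token bound to its license id."""
    return f"{license_id}.{_mac(license_id)}"


def _license_from_token(token):
    """Server: return the license id if the token is authentic, else None."""
    license_id, _, mac = token.partition(".")
    if license_id in LICENSES and hmac.compare_digest(
        mac.encode(), _mac(license_id).encode()
    ):
        return license_id
    return None


def handle_export(token, claimed_edition, document):
    """Server: run the gated 'export' work only if the server's records allow it.

    claimed_edition is whatever the client says about itself. It is deliberately
    ignored, so patching the client's if-check changes nothing here.
    """
    license_id = _license_from_token(token)
    if license_id is None:
        return 401, "invalid token"
    if "export" not in EDITION_FEATURES[LICENSES[license_id]]:
        return 403, "feature not in your edition"
    return 200, document.upper()  # stand-in for the real sensitive work


def client_export(token, document, local_edition):
    """Client: UI only. A tampered local_edition cannot unlock the feature."""
    return handle_export(token, local_edition, document)
```

In a real deployment `handle_export` sits behind an authenticated HTTPS endpoint; the point is only that the client never holds the code or the data that makes the decision.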