Friday, 20 March 2015

How Secure is my Application?



I have created a little application in .NET that serves as a loader for my other applications.


Essentially, when opened, the app fetches a list of available applications and, when one is selected, downloads the latest version of that application into memory and launches it.


The application itself is obfuscated (although I doubt that matters) and does the following:



  1. Navigates to a hard-coded HTTP URL.

  2. Downloads a base64-encoded, AES-256-encrypted message containing the list of available applications, their paths, their dependencies, and the decryption key.

  3. Once an application is selected, downloads the encrypted binary (and any dependencies) listed in the configuration, entirely in memory.

  4. Applies a few simple string-manipulation functions to the decryption key found in the config and builds a SecureString from the result.

  5. Uses that key to AES-decrypt and then load the application (again, entirely in memory).

  6. Disposes of the key immediately afterwards.


Security Concerns




  • I believe that the main entry point is the application itself. I believe that, although obfuscated, it can easily be analysed anyway.

    • Can you protect against this?

  • Using Fiddler, Wireshark or similar tools, one can easily determine where the configuration is read from, and could set up a canned response so that on future calls the app is fed the same result (without actually retrieving it from the intended location).

    • Is there a way to verify that it has actually been downloaded from the intended source?

  • Since the key that decrypts the binary files is derived by a set of string-manipulation functions, I think that derivation can easily be reproduced if the application is reverse-engineered.

    • Do you suggest another way of dealing with the application-specific key?

  • How easy / likely is it to save the state of an application running in memory so that it can be reused without going through the loader?

  • What other concerns would you consider?
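The two questions about the configuration's origin and about the key both come down to authenticity and integrity, which the design as described does not give you: the binaries are encrypted with a key that ships inside the same reachable config, so the AES layer only hides them from a casual observer. Below is an added example, not code from the original loader, of the usual fix: the release side signs a manifest that pins the SHA-256 of every file, and the loader embeds only the public key, so the loader holds no secret worth extracting. The manifest layout, the URLs, the in-memory dictionary standing in for an HTTPS download, the placeholder "binaries" and the key pair generated in-process are all assumptions made for the demo; it assumes .NET 5 or later.

```csharp
// Added example (not the original loader's code): signed manifest + hash-pinned binaries.
// Assumes .NET 5+. Manifest layout, URLs and the "binary" bytes are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed class AppEntry
{
    public string Name { get; set; } = "";
    public string Url { get; set; } = "";
    public string Sha256 { get; set; } = "";               // hex SHA-256 of the exact bytes to load
    public List<string> Dependencies { get; set; } = new(); // names of other manifest entries
}

public sealed class Manifest
{
    public int Version { get; set; }                        // increases every release; blocks rollback
    public List<AppEntry> Apps { get; set; } = new();
}

// Release side: the only place the private key exists. The loader never sees it.
public static class Publisher
{
    public static (byte[] Bytes, byte[] Signature) Publish(ECDsa releaseKey, Manifest m)
    {
        byte[] bytes = JsonSerializer.SerializeToUtf8Bytes(m);
        return (bytes, releaseKey.SignData(bytes, HashAlgorithmName.SHA256));
    }

    public static string HexSha256(byte[] data) => Convert.ToHexString(SHA256.HashData(data));
}

// Loader side: embeds the public key (SubjectPublicKeyInfo DER) and the last version it accepted.
public sealed class Loader
{
    private readonly byte[] _publicKeySpki;
    private readonly Func<string, byte[]> _fetch;           // stands in for the HTTPS download
    private int _lastVersion;                               // would be persisted in a real loader

    public Loader(byte[] publicKeySpki, Func<string, byte[]> fetch, int lastSeenVersion)
    {
        _publicKeySpki = publicKeySpki; _fetch = fetch; _lastVersion = lastSeenVersion;
    }

    public Manifest VerifyManifest(byte[] manifestBytes, byte[] signature)
    {
        using var pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(_publicKeySpki, out _);
        if (!pub.VerifyData(manifestBytes, signature, HashAlgorithmName.SHA256))
            throw new CryptographicException("manifest signature invalid: not signed by the release key");
        Manifest m = JsonSerializer.Deserialize<Manifest>(manifestBytes)
                     ?? throw new CryptographicException("manifest is empty");
        if (m.Version < _lastVersion)                       // genuine signature, but an old release replayed
            throw new CryptographicException($"manifest version {m.Version} is older than {_lastVersion}");
        _lastVersion = m.Version;
        return m;
    }

    // Downloads dependencies first, then the app, checking each file against its signed hash.
    public List<byte[]> FetchVerified(Manifest m, AppEntry app)
    {
        var names = new List<string>(app.Dependencies) { app.Name };
        var files = new List<byte[]>();
        foreach (string name in names)
        {
            AppEntry e = m.Apps.Find(a => a.Name == name)
                         ?? throw new CryptographicException($"'{name}' is not in the signed manifest");
            byte[] data = _fetch(e.Url);
            byte[] expected = Convert.FromHexString(e.Sha256);
            if (!CryptographicOperations.FixedTimeEquals(expected, SHA256.HashData(data)))
                throw new CryptographicException($"'{name}' does not match its signed SHA-256");
            files.Add(data);
        }
        return files;
    }

    // Only verified bytes reach the runtime; dependencies load before the app that needs them.
    public static Assembly LoadVerified(List<byte[]> files)
    {
        Assembly loaded = Assembly.Load(files[0]);
        for (int i = 1; i < files.Count; i++) loaded = Assembly.Load(files[i]);
        return loaded;
    }
}

public static class Demo
{
    const string LibUrl = "https://updates.example/lib.dll", AppUrl = "https://updates.example/app1.dll";

    public static void Main()
    {
        // Release machine: key pair generated once; only the public half is compiled into the loader.
        using var releaseKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] publicKey = releaseKey.ExportSubjectPublicKeyInfo();

        // Constructed stand-ins for the hosted files (not real assemblies, so not Assembly.Load-ed here).
        byte[] lib = Encoding.UTF8.GetBytes("lib v2 bytes"), app1 = Encoding.UTF8.GetBytes("app1 v2 bytes");
        var server = new Dictionary<string, byte[]> { [LibUrl] = lib, [AppUrl] = app1 };
        var manifest = new Manifest { Version = 2, Apps = new()
        {
            new AppEntry { Name = "lib.dll",  Url = LibUrl, Sha256 = Publisher.HexSha256(lib) },
            new AppEntry { Name = "app1.dll", Url = AppUrl, Sha256 = Publisher.HexSha256(app1),
                           Dependencies = new() { "lib.dll" } },
        }};
        var (mBytes, sig) = Publisher.Publish(releaseKey, manifest);

        // Loader: public key, HTTPS stand-in, and the version it accepted last time.
        var loader = new Loader(publicKey, url => server[url], lastSeenVersion: 1);
        Manifest m = loader.VerifyManifest(mBytes, sig);
        AppEntry app1Entry = m.Apps.Find(a => a.Name == "app1.dll")!;
        var files = loader.FetchVerified(m, app1Entry);
        Console.WriteLine($"verified {files.Count} file(s); ready for Loader.LoadVerified");

        // A swapped binary (Fiddler autoresponder, compromised host) fails the pinned hash...
        server[AppUrl] = Encoding.UTF8.GetBytes("trojaned bytes");
        try { loader.FetchVerified(m, app1Entry); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }

        // ...and any edit to the manifest (a changed URL or hash) fails the signature check.
        mBytes[^2] ^= 0x01;
        try { loader.VerifyManifest(mBytes, sig); }
        catch (CryptographicException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The signature answers "did this come from the intended source" regardless of the path the bytes took (system proxy, Fiddler autoresponder, CDN cache): anything not signed by the release key is rejected, and the Version check stops a replay of an older but genuinely signed manifest (an expiry timestamp in the manifest would tighten that further). Serve the files over HTTPS anyway, so a network attacker cannot trivially deny updates or see which applications a user runs. None of this touches the last two questions: once verified bytes reach Assembly.Load they can be dumped from the process like any other managed assembly, and obfuscation only raises the cost of reading them.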




Additional Info


The application currently checks whether a proxy is registered with the system and tries to retrieve the files by bypassing the proxy; however, to me this sounds like a hack rather than a security feature.




