I'm building a Windows Store application that uses SQLite for data storage. I have found out, that the database is easily accessible through User's local folder (actually all apps have all data publicly exposed). Is there a way to at least weakly protect the database from access?
you need to look at ProtectedData class
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.dataprotection.dataprotectionprovider.aspx
It exposes easy to use Protect / Unprotect methods that can be used to encrypt / decrypt that at app level. Encrypt data before writing to db and unencrypt before consuming
I also looking for the same solution and found sqlite-crypt at http://sqlite-crypt.com/download.htm
I don't know whether this one good enough or not. There is a trial version that limit passphrase to 6 characters and store it as plain text in the header. It won't be suitable if you want complete data protection. But for testing, maybe it's worth a try. I don't have a chance to test it yet since I still working on the server side of my project. I'll update it when I've test it in the future.
EDIT: Ok. I've test the trial version and it's worked well with modificated version of SqliteWinRT wrapper on codeplex. Note that the trial is limited to 5-6 characters of passphrase and this phasephrase is stored in plain text, plus it's in x86 compiled binary, which means it won't work for actual product which need ARM support. You have to purchase the binary to get the production-ready binaries.
Related
I successfully managed to create a SQLite3 DB with Perl using Perl::DBI module.
I was wondering if there was a way to add encryption to the database to my existing Perl code ?
I read thoroughly the 2 following links :
Password Protect a SQLite DB. Is it possible?
SQLite with encryption/password protection
but the provided examples seem only to include proprietary software or C# code (especially this bit here https://stackoverflow.com/a/24349415/3186538).
Thanks in advance.
Well, you could run your data through any of the Crypt::* modules (::DES, ::Blowfish, ::IDEA, etc, in conjunction with ::CBC), then possibly encode it with base64 to get text, before writing it to the DB. And, of course, reverse the operation when reading. You could even create a Perl::DBICrypt module that sat above Perl::DBI and did this automagically.
However, it depends pretty much on how you're going to use it. If you're just worried about someone stealing and using your data, the encryption would be feasible since, without the key, it would be useless.
On the other hand, if you're trying to protect data in a system you distribute, then the key will be available to the attacker (since, without it, your code won't work). So encrypting in that case would be a minor inconvenience at best.
It's something that could only really work if you kept the key away from the attacker (such as if the Perl code runs in an app server controlled by you).
Basically any solution that decrypts data on a box accessible to an attacker will be vulnerable.
A call to all Win32 developers... I'm developing an application in C using plain Win32. I wanted to ask about Windows development standards regarding these things:
Is there a standard Windows error log api? For example if my client uses my app and it crashes, I would like them to send me the error log and I would prefer this being a standard location so they can maybe access it with a standard Windows log utility.
My app needs to store settings information. I think the registry is the standard utility for this task. Is that right?
My app needs to store and retrieve files that it downloaded from the internet - images, executables etc. Is Application Data/myapp the standard location to store this type of information?
My app needs a very straight-forward database - I'm using CSV for this. I basically need to store and retrieve this type of data so I'm just serializing a .csv file from Application Data/myapp. Is there a better Windows standard way of doing this?
That's all for now :). Thanks!
Is there a standard Windows error log api?
There is the Windows Event Log, but I don't think you want a typical user having to go into it to extract your logged information.
You probably don't want to log by default, unless you're shipping questionable pre-release code. When a user is experiencing problems, then you have them turn logging on. In this case, I recommend placing the file somewhere that typical users have experience with, like My Documents.
By the way, if you're writing a standalone application and want the best possible information in the event of a crash, look into minidumps. Here is a Codeproject sample.
My app needs to store settings information
Yep, registry.
My app needs to store and retrieve files
Yes, App Data. Just be sure to use SHGetFolderPath and CSIDL_APPDATA.
My app needs a very straight-forward database
There's nothing wrong with CSV for simple data. You could store the data in XML and use MSXML to process it, if you prefer. I've used SQlite in the past when I needed fast, lightweight storage of more complicated data.
TiddlyWiki is a great idea, brilliantly implemented. I'm using it as a portable personal "knowledge manager," and these are the prize virtues:
It travels on my USB flash memory stick and runs on any computer, regardless of operating system
No software installation is needed on the computer (TiddlyWiki merely uses the Internet browser)
No Internet connection is needed
In terms of data retrieval functionality, it mimics a relational database (use of tags and internal links)
Set up and configuration are so simple as to be almost zero. This would also mean dependencies are so minimal as to be transparent, or nearly so.
Let's say I've got a million words of prose in 4,000 tiddlers (posts). I'm still testing, but it looks like TiddlyWiki gets very slow.
Is there an app like TiddlyWiki that keeps all the virtues I listed above, and allows more storage? (or rather, retrieval!)
NOTE: Separation of content and presentation would be ideal. It's nifty that TiddlyWiki has everything in a single HTML document, but it's unhelpful in many ways. I don't care if a directory of assorted docs is needed (SQLite, XML?), as long as it's functionally self-contained.
After some time and serious consideration, I will post my own answer.
There is nothing that matches TiddlyWiki.
As for voluminous information, TW can pretty much handle it. (My early discouragements were due to malformed code.) Difficulty accessing information through the interface becomes an issue before any speed problems. This isn't to fault the interface -- it could be more powerful, but that would sacrifice lightness.
Indeed TiddlyWiki can work with VERY large tiddler stores, they don't need to be in the current TiddlyWiki document either.
See "import tiddler" and friends over at http://tiddlytools.com
Before creating Rails, David Heinemeier Hansson wrote a wiki app called Instiki. Like TiddlyWiki, you don't run it from a separately running server*, so it's easy to run locally and move around on a USB drive (exporting the entire content to a zip file with all the html files or all the files in Textile markup). The entire Instiki tgz download is less than 5mb and the app has only one external dependency: Ruby.
So you can run Instiki anywhere you can run Ruby (for instance, on a Nokia N900 phone).
I never built any Instiki sites as large as you describe, but it ought to handle 1 million words in 4,000 pages a lot easier than TiddlyWiki handles 4,000 tiddlers.
Roger_S
* Oh, not to confuse anyone: Instiki uses the embedded webserver WEBrick
You could try installing Portable Apps on your USB drive and adding the XAMPP Package which has Apache, PHP, MySQL all installed and running MediaWiki or other Wiki software on top of it.
http://tiddlyweb.peermore.com/wiki/ maybe exactly what you are looking for.
You can use any TiddlyWiki variant and the data can be delivered via a server and on-demand.
I have recently discovered DokuWikiStick which runs a version of MicroApache. Recommended by LifeHacker... Starting size is about 10MB.
you probably already know this but there's a new version of tiddlywiki out that is still in beta but has been rewritten to allow a more robust environment for the future.
http://tiddlywiki.com/
2020 answer, from 2017
Check out liddly, it's a local tiddlywiki server written in go that fits all your requirements and can run off a USB. It stores tiddlers in a SQLite database, albeit without relational links, making the tiddlywiki interface (presentation) separate from your data(content). It was last updated in 2017 but it still works with the latest tiddlywiki5, you will just have to compile it yourself.
For Windows.Forms, I have an application that needs to get a unique install id for each install from my server, and then persist this data so once registered, the install ID is included on all communications back to the server. The application is in occasional contact with the server.
How can I persist this data on the client in a way that is not easily tampered with?
First, you should note that if the data is on the local file system and your application can read and write it, it will always be possible for a determined user to tamper with it... perhaps not easy, but possible nonetheless.
That said, there are a number of options you could consider, including (but not limited to) :
encrypting the data with a key defined in your assembly : pretty safe is the user has no programming skills, but an advanced user could disassemble your app to find the key. Obfuscation could make it harder to extract the key, but not impossible.
using an isolated storage : I'm not sure whether the data is encrypted or not, but at least it's not easily found, hidden in a deep folder hierarchy... Not so safe is the user knows where to look, however
writing the data in a binary format, which makes it harder to read or modify for a non expert user
using a piece of native code to encrypt the data : similar to the first option, but a native DLL is harder to disassemble than a .NET assembly, so it requires more skills to find the key
Again, all these approches are not bulletproof : as long as your program can access the data, an advanced user could always reverse engineer it and do the same...
You could save the data in the windows registry. You'll use the [HKCU\Software\YourAppName] hive key if it's a per-user setting, or [HKLM\Software\YourCompany] if it's a global setting. However, the data would need to be encrypted, because its trivila to get the values in these keys
I work on relatively sensitive code that we wouldn't want falling into the wrong hands. Up until now, all the code has been keep in house so it hasn't been an issue. I am moving to working from home a day or two a week and we want to secure the code on my laptop.
We have looked at a few alternatives, but Windows EFS and Bitlocker seem to be the most obvious. The laptop doesn't have TPM hardware, and I won't have access to Active Directory from home, so EFS looks to be the option.
Basically, does anyone else have any alternatives, or issues with using EFS to encrypt source code?
Truecrypt:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform...
You should look into TrueCrypt. It's free, open source and supported on a number of platforms.
I would also recommend Truecrypt
The last time I did this was a few years ago, but we used PGPdisk. It did a good job.
You should consider using truecrypt. It would accomplish the same thing, and be a bit less invasive to your system.
TrueCrypt, there's no excuse to use anything different. It's secure and it's free...what more could you want.
+1 for TrueCrypt. We use it at work, it's great.
Tip: it seems that if you have a big codebase and you work with multiple working copies checked out simultaneously, you get much better performance if each working copy is on its own encrypted partition.
You MAY want to encrypt PARTS of the data instead of all of it for speed and simplification issues, however, using a windows encrypted volume would be fairly easy as well. Don't forget that if you must encrypt the entire source, then remember that you're best off encrypting the entire development machine, not just a single volume as temp files or swap files may contain the decrypted information.