Security concerns in a WPF application

I am making a WPF application which will handle a lot of sensitive data like usernames, passwords, emails etc. All this data is shown in textboxes and passwordboxes in the app. When the application closes I need all the data that was in memory to be deleted just so no one can later retrieve it.

Can you tell me some guidelines or tips on what I need to pay attention to, or techniques I can use to make this project as secure as possible?

Thank you

The data won't remain in memory after the program execution has ended, but in theory it could be read while the program is running. You could try using SecureStrings: http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

Also, the PasswordBox control already uses SecureString, so you're good on that part.

I think you're worrying about something that's not worth worrying about.

If someone has physical access to the machine and wants to steal sensitive information, you've already lost the game.

While the usernames and passwords may not currently be in memory, the person could just install a keylogger and get it next time the application is run.

.Net strings are immutable and interned. Immutability renders strings unchangeable after they are created. Interning makes the CLR use one instance of a string with the same content. It also makes it harder to get rid of a string.

From MSDN

.. the memory allocated for interned String objects is not likely to be released until the common language runtime (CLR) terminates. The reason is that the CLR's reference to the interned String object can persist after your application, or even your application domain, terminates.

You could use SecureString but it is not very convenient as not many WPF controls support it apart from PasswordBox.

For example there are times when you have to show the user the password, but without converting the SecureString back into a normal string this is not possible. This brings back the problems we set out to mitigate.

So in my opinion WPF/C# would not be a good candidate language/framework for an application with sensitive data.
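The pattern the answers above point at (keep the secret in a SecureString and never round-trip it through System.String) looks like this in practice. This is an added example, not code from the thread; the helper name WithSecret and the constructed sample secret are assumptions, and a real WPF app would take the SecureString from PasswordBox.SecurePassword instead of the literal used here.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class SecureStringUse
{
    // Decrypts the SecureString into a pinned char[] (not a System.String), hands it to
    // 'action', then wipes both the managed copy and the unmanaged BSTR before returning.
    public static T WithSecret<T>(SecureString secret, Func<char[], T> action)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        IntPtr bstr = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned); // GC must not leave stray copies behind
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);    // plaintext now lives in unmanaged memory only
            Marshal.Copy(bstr, buffer, 0, buffer.Length); // copy chars; new string(buffer) is what to avoid
            return action(buffer);
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length); // zero the managed copy
            pin.Free();
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero and free the unmanaged copy
        }
    }

    static void Main()
    {
        // Constructed sample only; the literal exists for this demo and would not appear in a real app.
        var secret = new SecureString();
        foreach (char c in "correct horse") secret.AppendChar(c);
        secret.MakeReadOnly();

        // Example consumer: hash the password for a server-side check without ever creating a string.
        string hashHex = WithSecret(secret, chars =>
        {
            byte[] bytes = Encoding.UTF8.GetBytes(chars); // one more copy that must be wiped
            try
            {
                using (var sha = SHA256.Create())
                    return BitConverter.ToString(sha.ComputeHash(bytes)).Replace("-", "");
            }
            finally { Array.Clear(bytes, 0, bytes.Length); }
        });
        Console.WriteLine(hashHex); // the hash is safe to print; the password never became a string
        secret.Dispose();
    }
}
```

Note that displaying the password to the user, as the answer says, still forces a System.String out of it, so the wipe discipline above only helps for paths (hashing, authentication calls) that can consume a char[] or unmanaged buffer directly.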
