Py2Exe security

  • Thread starter Terje Johan Abrahamsen

Terje Johan Abrahamsen

Hello.

We have created some programs in Python that are to be distributed
around. The programs will be made into .exe files by py2exe. However,
in the source there are certain web addresses, logins and passwords that
the programs use, that we would like to keep away from the end users.
They will use them through the program, but we would like them not to be
extracted and used separately for other purposes.

Is the compiling by py2exe enough? I have opened all the files in the
directory py2exe has made, and have not found anything I could read in
clear text. However, that does not mean that others can not. Is it
possible to extract these passwords, addresses and logins from the
source code? If py2exe is not enough, are there some other simple tools
we can use to hide the source from the end users?

Thanks in advance.
 
ech0

Someone can sniff the client for the information it sends/receives, so
it's possible to extract the info that way.
 
Simon Brunning

We have created some programs in Python that are to be distributed
around. The programs will be made into .exe files by py2exe. However,
in the source there are certain web addresses, logins and passwords that
the programs use, that we would like to keep away from the end users.
They will use them through the program, but we would like them not to be
extracted and used separately for other purposes.

If your program can access these details, then a sufficiently
determined attacker can access them too, regardless of what you do.
 
Terje Johan Abrahamsen

Simon said:
If your program can access these details, then a sufficiently
determined attacker can access them too, regardless of what you do.

Yes, I assume so. Luckily it is not national secrets we are trying to
hide. But, how does py2exe compare with for example a program written
in a compiled language like C++? Is it easier to find the info in a
py2exe .exe than in a compiled C++ .exe?
 
Harry George

Terje Johan Abrahamsen said:
Hello.

We have created some programs in Python that are to be distributed
around. The programs will be made into .exe files by py2exe. However,
in the source there are certain web addresses, logins and passwords that
the programs use, that we would like to keep away from the end users.
They will use them through the program, but we would like them not to be
extracted and used separately for other purposes.

Is the compiling by py2exe enough? I have opened all the files in the
directory py2exe has made, and have not found anything I could read in
clear text. However, that does not mean that others can not. Is it
possible to extract these passwords, addresses and logins from the
source code? If py2exe is not enough, are there some other simple tools
we can use to hide the source from the end users?

Thanks in advance.

Putting passwords in your program is a bad idea, with or without
Python and py2exe. Even if you wrote the program in obfuscated C, and
stripped comments, etc., an attacker could use "strings" to search for
candidate passwords. Or just start at the beginning of the program
and use each byte as a candidate starting char.

Since you are working on MS Windows, consider getting:
M. Howard, D. LeBlanc, "Writing Secure Code", Microsoft Press, 2002.
 
Will McGugan

Terje said:
Yes, I assume so. Luckily it is not national secrets we are trying to
hide. But, how does py2exe compare with for example a program written
in a compiled language like C++? Is it easier to find the info in a
py2exe .exe than in a compiled C++ .exe?

It's not the .exe file you need to be concerned about, it's the .pyc files
that are created with it. I imagine the strings will be in plain text
form, just like compiled C++.

As others have pointed out, it would be impossible to prevent an
attacker from discovering information inside the app. The best you can
do is obfuscate the strings somehow and 'un-obfuscate' them when the app
runs. That way they at least won't be obvious. Take a look at my
signature for an example!

Will McGugan
 
andreas

Simon said:
Yes, I assume so. Luckily it is not national secrets we are trying to
hide. But, how does py2exe compare with for example a program written
in a compiled language like C++? Is it easier to find the info in a
py2exe .exe than in a compiled C++ .exe?

About the same. C++ programs do have their string constants as cleartext
in the binary too.

Personally I'd be more concerned about the network side (use https and
verify the server certificate), and debugging tools that might be able
to intercept your traffic anyway.

Andreas
 
mahasamatman

I suggest you use base64-encoded strings, something like:

password = 'aGlkZGVuX3Bhc3N3b3Jk\n'
password = password.decode("base64")
 
Grant Edwards

I suggest you use base64-encoded strings, something like:

password = 'aGlkZGVuX3Bhc3N3b3Jk\n'
password = password.decode("base64")

That will delay the attacker for a few minutes.
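To make the "few minutes" concrete from the defender's side, here is an added example (my code, not from anyone in this thread) of the pre-release check a maintainer can run over their own build output: a minimal 'strings'-style scan that also flags base64 runs decoding to readable text. The artifact bytes are constructed; the base64 string is the one posted above, and the URL and file layout are made up.

```python
import base64
import re
import string

# Constructed stand-in for a build artifact (NOT real py2exe output):
# a cleartext URL, the base64 string from this thread, and binary noise.
SAMPLE_ARTIFACT = (
    b"\x00\x01\x02MZ\x90\x00"
    b"https://example.invalid/api/login\x00"
    b"\xff\xfe\x03"
    b"aGlkZGVuX3Bhc3N3b3Jk\x00"
    b"\x7f\x00\x00abc\x00"
)

# Printable ASCII, excluding control whitespace, as byte values.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")

def extract_strings(data, min_len=4):
    """Mimic the 'strings' tool: runs of printable bytes of min_len or more."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
    return out

def try_base64(s):
    """Return decoded text if s is base64 that decodes to printable ASCII."""
    if not B64_RE.match(s):
        return None
    padded = s + b"=" * (-len(s) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if decoded and all(c in PRINTABLE for c in decoded):
        return decoded.decode("ascii")
    return None

def find_candidate_secrets(data):
    """List (kind, value) findings a reviewer should see before shipping."""
    findings = []
    for s in extract_strings(data):
        if re.match(rb"https?://", s) or b"password" in s.lower():
            findings.append(("cleartext", s.decode("ascii")))
        decoded = try_base64(s)
        if decoded is not None:
            findings.append(("base64", decoded))
    return findings
```

Run it over the real .exe and every .pyc in the py2exe output directory; anything it reports is effectively public once the program ships.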
 
Ivan Voras

Grant said:
That will delay the attacker for a few minutes.

True, but a script kiddie that only knows about the 'strings' program
will be forever baffled :)

Though deprecated, I think the Enigma cipher (rotor) is still present in
Python; it could find its use in simple cases like this.
 
ech0

Keep in mind what I said: even if you encrypt the source (and decode at
run time), even if compiled via C++, C, etc., it can still be decrypted
if you're using HTTP as the protocol; all the person has to do is sniff
the packets. So if you're going to encrypt your information, make sure you
use a secure protocol (HTTPS).
 
Luciano Rodrigues da Silva

I think that encrypting with a public/private key will be a solution in your
case. I don't know if Python has a module to do this kind of encryption.
 
Timothy Smith

I used to work in a place that did this exact same thing. They attempted
to hide passwords in source code.
There is an even bigger problem with this than the security of it in source:
if someone compromises the password, how are you going to change it
quickly? All those systems will have to update their exe.
Keep in mind they could get it any number of other ways, forcing you to
change it.

It's the same reason it's not a good idea to put static addresses in source.
 