Hi guys,

We have some sensitive information in a Visual C#.NET app (an app that needs to be distributed to end-users). Examples of this information would be a connection string for a MySQL database on our servers, and encryption keys that the program uses to decrypt some data files.

When the program is compiled, even using something as simple as .NET Reflector to "decompile" it exposes all this information. Well, it obviously exposes EVERYTHING in the source code, but that's .NET for you. Problem remains, they can see the username/password for the MySQL database, the key to decrypt the license files, hell - even the method that performs the decryption.

Obfuscation won't work in this case, because no matter how unreadable you make the source code, those strings are easy to identify.

Anyone have any ideas?

Arrange to distribute the sensitive information by another channel to known individuals at each client site.

That's unfortunately not an option, since most of the targeted end-users (it's a commercial product) wouldn't know what an encryption key or db connection string even is.

Consider it an opportunity to sell some training then.

I'd rather see this as an opportunity to find out how other people protect certain pieces of information inside their source code :P
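
The opening post's point that string literals survive compilation and obfuscation can be checked before release. The following is an added example, not part of the thread: a Python audit that scans a compiled binary for UTF-16LE string literals (the encoding .NET uses for them) that look like a connection string with credentials or a base64-encoded key. The patterns, function names and sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Heuristics are assumptions of this example, not a complete secret detector.
CONN_RE = re.compile(
    r"(?i)\b(?:server|host|data source)\s*=[^;]+;.*?\b(?:pwd|password)\s*=\s*[^;]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # printable ASCII as UTF-16LE


def utf16_literals(blob):
    """Yield (offset, text) for each UTF-16LE run, the encoding of C# string literals."""
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")


def looks_like_key(text):
    """True if text is base64 that decodes to a common symmetric key size."""
    if not B64_RE.fullmatch(text):
        return False
    try:
        return len(base64.b64decode(text, validate=True)) in (16, 24, 32)
    except binascii.Error:
        return False


def find_embedded_secrets(blob):
    """Return (offset, kind) findings; the secret text itself is not returned."""
    findings = []
    for offset, text in utf16_literals(blob):
        if CONN_RE.search(text):
            findings.append((offset, "connection-string"))
        elif looks_like_key(text):
            findings.append((offset, "key-like"))
    return findings


def _lit(s):
    """Encode a constructed sample literal the way it appears in the binary."""
    return s.encode("utf-16-le")


# Constructed sample bytes standing in for part of a compiled assembly.
SAMPLE = (b"MZ\x90\x00" + _lit("Loading license...") + b"\x01\x07"
          + _lit("Server=db.example.test;Database=app;Uid=appuser;Pwd=not-a-real-password;")
          + b"\x00\x1b" + _lit("MDEyMzQ1Njc4OWFiY2RlZg==") + b"\x00")

if __name__ == "__main__":
    for offset, kind in find_embedded_secrets(SAMPLE):
        print(f"offset {offset:#x}: {kind}")
```

Run against the real build output, a non-empty result means the shipped binary carries a credential or key that any end-user can read.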