Compiled C programme for storing confidential information

Time:07-26

I always thought that once compiled the source file could not be extracted from a C programme. I have since read that sometimes it can be. Is storing passwords this way secure?



int main() {
    printf("\[email protected] password: 123123\n\n");
    return 0;
}

CodePudding user response:

You can easily see for yourself. After adding #include <stdio.h>, try these commands (assuming you have gcc and standard unix tools like strings):

$ gcc -O3 yourcode.c -o yourcode
$ strings yourcode
[email protected] password: 123123

As you can see, the string literals are not encoded in any way; they are in the application binary as is.


More generally, even if you try to encrypt the password in the binary, if the application itself can decode it, then so can anybody who can run the application. If the "secret" data is encrypted, but the encryption key is with the application, then the encryption is just obfuscation, not real security.

Even if you make it impossible to see the "secret" data by examining the binary directly, the snooper can always run the application under a debugger, possibly under a virtual machine, and wait for the application to decode the secret information, as it must do to use it.

"Security through obscurity is no security" has been said by several people in different forms, predating computers.
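The point of the response above, as an added example that is not part of either response: a strings(1)-style scan over a constructed byte buffer standing in for the compiled binary, with the literal stored plain and then XORed with a key that ships alongside it. The single-byte XOR is a stand-in for any scheme whose key is in the application; `KEY`, `build_image`, `scan_finds` and `visible` are names assumed for this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN 4     /* same default run length as strings(1) */
#define KEY 0xA5      /* constructed single-byte XOR key, stored with the program */

static const char SECRET[] = "password: 123123";   /* literal from the question */

/* Constructed image: SECRET between non-printable bytes, optionally XORed with KEY. */
size_t build_image(unsigned char *img, int obfuscate) {
    size_t n = 0;
    img[n++] = 0x7f; img[n++] = 0x01; img[n++] = 0x00;
    for (size_t i = 0; SECRET[i]; i++)
        img[n++] = (unsigned char)(SECRET[i] ^ (obfuscate ? KEY : 0));
    img[n++] = 0x00;
    return n;
}

/* Return 1 if needle lies inside a printable run of at least MIN_RUN bytes. */
int scan_finds(const unsigned char *img, size_t n, const char *needle) {
    size_t start = 0, nl = strlen(needle);
    for (size_t i = 0; i <= n; i++) {
        if (i < n && img[i] >= 0x20 && img[i] <= 0x7e) continue;  /* run continues */
        size_t run = i - start;
        if (run >= MIN_RUN && run >= nl)
            for (size_t j = start; j + nl <= i; j++)
                if (memcmp(img + j, needle, nl) == 0) return 1;
        start = i + 1;
    }
    return 0;
}

/* Build the image, optionally undo the XOR as the program itself must, then scan. */
int visible(int obfuscate, int apply_key) {
    unsigned char img[64];
    size_t n = build_image(img, obfuscate);
    if (apply_key)
        for (size_t i = 0; i < n; i++) img[i] ^= KEY;
    return scan_finds(img, n, SECRET);
}

int main(void) {
    printf("plain literal found by scan:    %d\n", visible(0, 0));
    printf("XORed literal found by scan:    %d\n", visible(1, 0));
    printf("found after applying the key:   %d\n", visible(1, 1));
    return 0;
}
```

The XORed copy no longer shows up in a printable-string scan, but one pass with the key that ships in the same file restores it, so the protection is only as strong as the secrecy of the binary itself.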

CodePudding user response:

Thanks for all your replies. I could not open the compiled programme in BBEdit which made me think it maybe couldn't be opened. However it opened easily in Smultron and TextEdit. Not a problem of course as I use encrypted disk images and an encrypted USB drive. "Security through obscurity is no security" - a good quote, which is why I never use hidden folders.
