Decompiling TD applications. Remove sensitive data from your sources


Post by Dave Rabelink » 23 May 2022, 18:26

A decompiler is a computer program that translates an executable file to a high-level source file which can be recompiled successfully.
It is therefore the opposite of a compiler, which translates a source file into an executable.
Decompilers are usually unable to perfectly reconstruct the original source code, thus frequently will produce obfuscated code.
Nonetheless, decompilers remain an important tool in the reverse engineering of computer software.
Depending on the development environment, it may be that decompiling will only reconstruct parts of the original code or will produce code in some other intermediate form.

Decompilers for development platforms like C# .NET or Java have existed since their inception.
It is widely known for those platforms that applications can be easily decompiled. There are many decompilers on the market as freeware and as commercial products.

Decompilers are used for
  • Inspecting the workings of the application without having the original source code
  • Being able to get back (parts of) lost source code where only the executable is available
  • Find out how an application is compiled by the compiler to improve the compiler process itself
  • Get the implementation details of intellectual property
  • Gather sensitive data like passwords, private keys, (custom) cryptography algorithms to be used by malicious people to break application security
  • Audit applications by professional security experts to find possible leaks and report them for product improvements.

Because of the fact that decompilers officially exist in environments like .NET and Java and are widely used, developers using these environments have the mindset that their sourcecode can be inspected by anyone.
Developers know (or at least should know) never to put sensitive data in their sources. Putting passwords and private keys as plain text constants is not done and should be in all cases avoided.
Because developers are human they may forget this rule and put information like passwords or private keys in their sources and release their applications with them.
Any hacker knows this human tendency to make mistakes and will gather the info with easy use of decompilers.

But what about Team Developer applications? What possibilities do hackers have to get such sensitive data from TD build applications?

Well, up to now, the existence of decompilers for TD applications was merely a rumor.
We might have thought that such tools could be available and maybe even in use, but then it was not widely known to the TD community.
It was never clear that TD executables could easily be decompiled.

Therefore, the “be aware of decompiling” was never really in the mindset of TD developers. It was always believed that applications could be hacked, but that this would be hard to do and therefore not that probable.

This topic is intended to inform TD developers that their applications can be easily decompiled now.

With tools dedicated for TD applications the complete sourcecode can be reconstructed.
Take any TD executable, run it through such tools and you get back the complete sourcecode.
Names for variables, functions, classes. The complete structure as programmed is reconstructed.
In fact, the resulting decompiled executable can be loaded in TD IDE and can be read just like it was implemented when the executable was compiled. Line by line.

This fact is reality now. The genie is out of the bottle. Your sources are not safe!!

So, TD developers must adopt the mindset just like in other development environments: applications cannot hide their sensitive data and their intellectual property. Sources should not contain sensitive data which can be used to hack or breach security in any way.
Hardcoded passwords, strings containing (private) keys, custom encryption methods etc. are at high risk of being taken out of your applications with simple means, just by having access to the executable files and decompiler tools.

What does this mean for your sources?

Each TD developer has to be aware of any location in their sources which could contain sensitive data. Developers need to scan for possible locations. And when sources contain sensitive data, they need to remove it or find other secure ways for the application to store/retrieve information which can be used to access databases or websites or FTP locations, for example.
Deployed applications having issues with security must be updated/upgraded with more secure versions.
Some companies, like in banking or healthcare, have official security audits done by professionals to make sure applications are not leaking sensitive information. They can now use TD decompilers to find issues easily.

What about OpenText Gupta? Can they do something about this?

Well, not really. There is no way to hide sourcecode from decompilers. They could make TD executables harder to decompile, but eventually any solution would be breached and decompilers will be able to work as expected.
We cannot expect OpenText Gupta to release a new TD version which builds a more complex executable to hinder decompilers.
And what about older TD versions already deployed in the world? They cannot be protected in any way.

OpenText is aware and acknowledges the existence of working TD decompilers:
OTCS Ticket 5096734 : TD-26380: [PIE/R] Security concerns due to availability of TD decompiler tool(s).

OpenText has made this official statement on decompilers:
Using a decompiler for TD applications is a breach of the OpenText license agreement:
Except as expressly permitted under Local Law, Licensee will not modify, adapt, translate, reverse engineer, decompile, disassemble, decrypt, port, emulate the functionality, reverse compile, reverse assemble, or otherwise reduce or attempt to discover any source code or underlying structures, ideas, or algorithms of the Software or any confidential information or trade secret
Therefore, as Team Developer SQLWindows Community Forum, we cannot give any direct information where to get TD decompilers.
We will not publish or allow links, names or any other information which could directly or indirectly lead to the location of these tools.


As TD community we can at least inform each other on the existence of those tools and provide each other with tips and tricks to solve possible security issues.
This topic can be used to ask questions on possible solutions to replace in-source sensitive data with secure ones.
Ideas can be discussed and solutions shared.

As can be seen on the internet, there are many solutions for applications to secure data. None of them will give you 100% security, but they make it harder for malicious people to get the needed information.
The easiest way for a hacker will be just running executables through a decompiler and reading in plain text any password that was put in.

So let every TD developer be aware of this situation!
Regards,
Dave Rabelink
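
The scan for sensitive locations that the post asks for can be automated over sources saved in text format. The sketch below is an added example, not part of the original post and not OpenText code. It assumes the text outline prefixes each line with `.head N +/-` and that SAL comment lines start with `!`; the sample outline, the variable names in it and the thresholds are constructed for illustration.

```python
import math
import re

# Constructed sample of a TD outline saved as text (not from the original post).
SAMPLE = """\
.head 3 +  Constants
.head 4 -  String: FTP_PASSWORD = 'Summer2022!'
.head 4 -  Number: MAX_ROWS = 500
.head 5 -  Set SqlUser = 'sysadm'
.head 5 -  Set SqlPassword = 'sysadm'
.head 5 -  Set sKey = '-----BEGIN RSA PRIVATE KEY-----'
.head 5 -  Set sHdr = 'q8Zr4vT1xLm92KdPw7YbNc3HgS6JfUeA'
.head 5 -  Set sTitle = 'Customer overview'
.head 5 -  Set sPassword = SalStrTrimX( dfPassword )
"""

# Identifier fragments that suggest a credential (assumed naming habits).
SENSITIVE_NAME = re.compile(r"passw|pwd|secret|token|api_?key|private", re.I)
ASSIGNMENT = re.compile(r"(\w+)\s*=\s*(['\"])(.*?)\2")
LITERAL = re.compile(r"(['\"])(.*?)\1")

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text):
    """Return (line number, reason) for each line holding a suspicious literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = re.sub(r"^\.head \d+ [+-]\s*", "", line)  # drop outline prefix
        if code.lstrip().startswith("!"):  # comment line (assumed SAL syntax)
            continue
        reason = None
        m = ASSIGNMENT.search(code)
        if m and m.group(3) and SENSITIVE_NAME.search(m.group(1)):
            reason = "literal assigned to sensitive name"
        else:
            for _, lit in LITERAL.findall(code):
                if "PRIVATE KEY" in lit:
                    reason = "embedded private key"
                elif len(lit) >= 20 and " " not in lit and entropy(lit) >= 4.0:
                    reason = "high-entropy literal"
        if reason:
            findings.append((lineno, reason))
    return findings

if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The last sample line is not reported because the value comes from a field at runtime rather than from a literal. Name-based matching will miss secrets held in neutrally named variables, so findings are a starting point for manual review.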
