Thursday, May 8, 2008

Oracle wrap utility...

Oracle's wrap utility helps hide application logic. However, I recently discovered that it doesn't hide string literals.

Hard to grasp though, since my understanding was a bit different. I can't really think of a reason why they would keep strings etc. in plain text. Perhaps to force people (like me) not to store their encryption key in a package and wrap it to achieve another level of security...

Here's the standard statement from Oracle about the limitations of the wrap utility:

Limitations of the Wrap Utility

String literals, number literals, and names of variables, tables, and columns remain in plain text within the wrapped file. Wrapping a procedure helps to hide the algorithm and prevent reverse-engineering, but it is not a way to hide passwords or table names that you want to be secret.

From :

I wonder if there are any tricks to achieve something like that... my investigations are still on... will report...
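Since literals and identifier names survive wrapping, one practical check is to lint the PL/SQL source before it is wrapped and flag string literals given to secret-looking variables. The following is an added example, not code from this post or from Oracle; the name pattern, the function names and the sample package are constructed assumptions.

```python
import re

# Assumption: name fragments that suggest a secret; tune for your code base.
SECRET_NAME = re.compile(r"key|passw|pwd|secret|token", re.IGNORECASE)
# A string literal ('' is an escaped quote), a -- comment, or a /* */ comment.
TOKEN = re.compile(r"('(?:[^']|'')*')|--[^\n]*|/\*.*?\*/", re.DOTALL)
# A string literal used as an initial, default or assigned value.
VALUE = re.compile(r"(?::=|\bDEFAULT\b)\s*('(?:[^']|'')*')", re.IGNORECASE)
IDENT = re.compile(r"[A-Za-z][\w$#]*")


def strip_comments(src):
    """Blank out comments, keeping literals and newlines (for line numbers)."""
    def repl(m):
        return m.group(1) or "\n" * m.group(0).count("\n")
    return TOKEN.sub(repl, src)


def find_literal_secrets(src):
    """Return (line, identifier) for each secret-looking name given a literal."""
    code = strip_comments(src)
    hits = []
    for m in VALUE.finditer(code):
        # Left-hand side: text since the previous statement/argument separator.
        head = re.split(r"[;,]", code[:m.start()])[-1]
        names = IDENT.findall(head)[-3:]  # name [CONSTANT] [type]
        flagged = [n for n in names if SECRET_NAME.search(n)]
        if flagged:
            hits.append((code.count("\n", 0, m.start()) + 1, flagged[0]))
    return hits


# Constructed sample package body (not from the post).
SAMPLE = """CREATE OR REPLACE PACKAGE BODY crypto_util AS
  -- old_key := 'ignored because it is in a comment';
  c_enc_key CONSTANT VARCHAR2(32) := 'EXAMPLE-KEY-DO-NOT-USE';
  c_label   CONSTANT VARCHAR2(10) := 'v1';
  PROCEDURE connect_app IS
    l_password VARCHAR2(30);
  BEGIN
    l_password := 'example-pass';
  END;
END crypto_util;
"""

if __name__ == "__main__":
    for line, name in find_literal_secrets(SAMPLE):
        print(f"line {line}: literal value assigned to {name}")
```

This is a heuristic over names, so it is best used as a pre-wrap gate in a build step, with flagged values moved out of the source entirely.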
