I'm building a system that consists of many clients connecting to a server. The clients automatically push data to the server via a web service call. I've built an authentication mechanism in order for the clients to authenticate with the server so only authenticated clients can upload data. The problem is that I've hardcoded the password into the client code and it is accessible if someone uses a reflector. In this scenario, where I have no user input, what would be the best way to store the static password on the client? Thanks (.Net version on the client is 2.0 and the .net version on the server is 3.5)
I would consider getting a good obfuscator for your code, for one thing. That will prevent (or at least deter) people from using reflector on your assemblies.
However, your authentication system doesn't sound too secure. Even if you did encrypt the password, if the password is always the same, it would be as easy as sniffing packets to figure out what needed to be sent to your server to authenticate. Because it would have to be decrypted before it was sent.
You'd have to go over an SSL at the very least.
Also you might want to look into using Asynchronous Encryption with Signed XML using a Machine Hash if you're installing this in some public client's environment. Something like a Licensing Scheme.
I don't know anything about your architecture or the environment you're running in, so I can't make any recommendation as to what would be the best security implementation, but I can tell you the current setup doesn't sound secure to me.