Tags: database, programming-languages, reverse-engineering

Use DB connection in programming languages


I have a question that I can't seem to find the answer to so I'll try here at stackoverflow.

I see when people are programming in different languages (e.g. Java, C#, etc.) they type DB info directly in the source.

I have always used an API (in my case, a PHP backend), because I don't trust the end user.

Wouldn't anyone with the correct skills be able to reverse engineer the executable file and read the source? I know you can obfuscate your code, but is this secure enough?

A good example: someone creates an application in C# containing a DB connection. They use .NET Reactor to obfuscate the file. I know there exist deobfuscators for .NET Reactor obfuscated files. So..? Should we always use some sort of API because we only trust our own server with DB info?


Solution

  • If you let me download a program, you should assume that I can reverse-engineer what exactly the program does. Various kinds of obfuscation and encryption can make this harder, but they will never make it impossible.

    So, if you put your DB information into your application, you should assume that a malicious user will be able to access the database with the credentials from the application. If that is not okay (it might be, for example if the credentials give read-only access), then don't do it.

    Having some kind of intermediary server with an API that sits between the application and the database is a reasonable approach. But it doesn't completely solve the issue by itself: now you should assume that the malicious user can access the API and you have to make sure that that is okay.

    A similar solution is to move not just the DB code to a server you control, but to move (almost) all your code there and make your application into a web site.

    Yet another solution might be to distribute the application only to users you trust (e.g. employees of your company).
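
The first point of the answer in working form. This is an added example, not code from the question, the answer or any project: a small Python scanner in the spirit of `strings -e l` that pulls connection strings out of a byte blob. The blob is constructed here to imitate a distributed executable, with one connection string stored as UTF-16LE (the way .NET keeps string literals in its #US heap) and one ASCII JDBC URL; the hostnames, user names and passwords in it are made up. No obfuscator is involved, so a real .NET Reactor build would need a deobfuscator or a decompiler first, but once the strings are recoverable this is all it takes to read the credentials.

```python
"""Recover embedded database credentials from a binary blob.

Added example for the answer above: anything compiled into a program that
users can download can be read back out. The scanner extracts printable runs
in both ASCII and UTF-16LE (the encoding .NET uses for string literals) and
then looks for two common connection-string shapes.
"""
import re
from urllib.parse import urlsplit

# ADO.NET style: "Server=...;Database=...;User Id=...;Password=...;"
ADO_RE = re.compile(
    r"(?i)\b(?:server|data source)\s*=[^;]+;(?:[^;]*;)*?\s*(?:password|pwd)\s*=[^;]*"
)
# URL style: "jdbc:mysql://user:pass@host:port/db", "postgres://user:pass@host/db"
URL_RE = re.compile(
    r"(?i)\b(?:jdbc:)?(?:mysql|postgres(?:ql)?|mssql|mongodb)://[^\s\"'@]+@[^\s\"']+"
)


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Return printable runs of at least min_len chars, ASCII and UTF-16LE,
    in file-offset order (the same idea as `strings` and `strings -e l`)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(blob)]
    return [s for _, s in sorted(found)]


def parse_ado(connstr: str) -> dict:
    """Split a key=value;key=value connection string into the fields we care about."""
    kv = {}
    for part in connstr.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip().lower()] = value.strip()
    return {
        "kind": "ado.net",
        "host": kv.get("server") or kv.get("data source"),
        "user": kv.get("user id") or kv.get("uid"),
        "password": kv.get("password") or kv.get("pwd"),
    }


def parse_url(url: str) -> dict:
    """Parse a URL-style connection string; drop a leading 'jdbc:' so urlsplit sees the scheme."""
    u = urlsplit(url[5:] if url.lower().startswith("jdbc:") else url)
    return {"kind": u.scheme, "host": u.hostname, "user": u.username, "password": u.password}


def find_credentials(blob: bytes) -> list[dict]:
    """Scan a binary blob and return every credential set found, in offset order."""
    hits = []
    for s in extract_strings(blob):
        m = ADO_RE.search(s)
        if m:
            hits.append(parse_ado(m.group()))
            continue
        m = URL_RE.search(s)
        if m:
            hits.append(parse_url(m.group()))
    return hits


# Constructed sample "executable": an MZ-like header, some non-printable
# filler, a UTF-16LE ADO.NET connection string (as a .NET assembly would
# store it) and an ASCII JDBC URL. All values are invented for this example.
SAMPLE_CONNSTR = "Server=db.example.internal;Database=shop;User Id=app;Password=Hunter2!;"
SAMPLE_JDBC = "jdbc:mysql://report:s3cret@db.example.internal:3306/shop"
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(32))
    + SAMPLE_CONNSTR.encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03" + b"some other text here" + b"\x00" * 5
    + SAMPLE_JDBC.encode("ascii") + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_BLOB):
        print(f"{hit['kind']:8} host={hit['host']} user={hit['user']} password={hit['password']}")
```

Run it against a real build of your own application (`find_credentials(open("app.exe", "rb").read())`) before shipping; if it prints anything, an end user can recover the same values. The regexes only cover two connection-string shapes, so a clean run is not proof of absence, only the obvious cases.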