App.Config Security in WPF
I am creating a WPF project and deploying it using ClickOnce. Since the .xbap file is downloaded to the client and run from the client machine, the client can edit the file and do anything they want. That is, if the App.Config file of my WPF application is downloaded along with the .xbap file, and I use some settings to control the behaviour of the application, or use some info like my service details, and the user goes to the downloaded location and edits those details, they can do anything with it. I have tested this, and this can be done. I have signed my assembly and manifest with a .pfx certificate.
Since I have signed my assembly/manifest, if I perform the same action on the server, the application shows a HashVerification error. Why doesn't this happen on the client side? I think this is far more important to work on the client side than on the server side.
What is the workaround to stop users? This could be a serious security issue for many apps. I think this can also be done with Silverlight apps, as it behaves the same (not sure if I can paste my modified .xap file to the Temporary Internet Folder).
Thanks
Never trust a client.
Whatever you are trying to prevent, expect the user to be an administrator and ready to hack your application.
If you have something to hide (password, connectionstring, ...) do not pass it to the client, keep it on the server.
What is the purpose of settings that cannot be changed by the user?
If you want these values to be constant in the deployed code, then I would consider making them constants or resources.
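One way to act on the advice above before publishing a ClickOnce build, as an added example that is not part of the original thread: a Python check that flags App.config entries a user could read or edit on their own machine. The sample config, the key names and the regex patterns are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample App.config (not taken from the original post).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Orders" connectionString="Server=db.example.test;Database=Orders;User Id=app;Password=CONSTRUCTED;" />
    <add name="Local" connectionString="Data Source=local.sdf" />
  </connectionStrings>
  <appSettings>
    <add key="ServiceUrl" value="https://api.example.test/orders" />
    <add key="ServiceApiKey" value="CONSTRUCTED-KEY" />
    <add key="IsAdminModeEnabled" value="false" />
  </appSettings>
</configuration>"""

# Heuristic patterns (assumptions; tune them to your own naming conventions).
CRED_IN_CONNSTR = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]+")
SECRET_KEY_NAME = re.compile(r"(?i)(password|secret|apikey|api_key|token)")
TRUST_KEY_NAME = re.compile(r"(?i)(admin|license|role|debug)")

def audit_app_config(xml_text):
    """Return (kind, name) findings for settings that should not ship to a client."""
    root = ET.fromstring(xml_text)
    findings = []
    # Credentials embedded in a connection string are readable by any user.
    for add in root.findall("./connectionStrings/add"):
        if CRED_IN_CONNSTR.search(add.get("connectionString", "")):
            findings.append(("credential-in-connection-string", add.get("name")))
    for add in root.findall("./appSettings/add"):
        key = add.get("key", "")
        if SECRET_KEY_NAME.search(key):
            # Secrets belong on the server, behind an authenticated service.
            findings.append(("secret-in-appsettings", key))
        elif TRUST_KEY_NAME.search(key):
            # A client-editable flag cannot enforce anything; check it server-side.
            findings.append(("client-editable-trust-decision", key))
    return findings

if __name__ == "__main__":
    for kind, name in audit_app_config(SAMPLE_CONFIG):
        print(f"{kind}: {name}")
```

Any finding marks a value to move behind the server-side service or, for trust decisions, to enforce on the server regardless of what the client sends.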