I have a question about Extensible Storage security.
I've been learning about Extensible Storage and working with some test code, and see that when you define a Schema you can declare the security for it. For example, the most secure settings seem to be:
schemaBuilder.SetVendorId(m_VendorId);
schemaBuilder.SetApplicationGUID(m_ApplicationGUID);
schemaBuilder.SetReadAccessLevel(AccessLevel.Application);
schemaBuilder.SetWriteAccessLevel(AccessLevel.Application);
On the surface, this looks great. By providing only the Vendor ID and Application ID GUID that I know, I can prevent others from reading or overwriting the data I store into a Revit project.
But then what appears to be a hard truth comes crashing in: The VendorId and AddInId values that Revit pays attention to at runtime seem to only come from the clear-text XML add-in file, which anyone can read and anyone can spoof in their own add-in file.
So, for example, if my internal GUID m_ApplicationGUID doesn't match what's in my add-in XML file, I get security errors when I try to create an entity for the schema.
What I want to do is to be able to set, through the API only, my own private ApplicationGUID which only comes from my code, perhaps from an encrypted data file I read.
I'm still examining the SDK sample code and doing searches online (including this forum), but I have yet to see anything which indicates there really is a truly secure way to store data in Extensible Storage.
My question: Am I missing something? Is there some way (that is NOT trivial to spoof) to achieve real security on my extensible storage data? As nearly as I can tell, Autodesk went through some good work to set up secure storage, then blew it by making it trivial to bypass.
Thanks very much for any thoughts or pointers on this.
.