I am creating a WPF project and deploying it using ClickOnce. Since the .xbap file is downloaded to the client and run from the client machine, the client can edit the file and do anything they want. That is, if the App.Config file of my WPF application is downloaded along with the .xbap file, and I use some settings to control the behaviour of the application, or use some info like my service details, and the user goes to the downloaded location and edits those details, they can do anything with it. I have tested this, and this can be done. I have signed my assembly and manifest with a .pfx certificate.
Since I have signed my assembly/manifest, if I perform the same action on the server, the application shows a HashVerification error. Why doesn't this happen on the client side? I think this is far more important to work on the client side than on the server side.
What is the workaround to stop users? This could be a serious security issue for many apps. I think this can also be done with Silverlight apps, as it behaves the same (not sure if I can paste my modified .xap file to Temporary Internet Folder).
Thanks
Never trust a client.
Whatever you are trying to prevent, expect the user to be an administrator and ready to hack your application.
If you have something to hide (password, connection string, …), do not pass it to the client; keep it on the server.