tags:

views:

84

answers:

4
+3  Q: 

How do I prevent non-legit client apps from using my server?

I’m currently writing a pair of client/server applications. I was recently posed with the question of “how do I prevent someone from writing their own client application and using our server?” I really didn’t have an answer to that question because all of the secure communication stuff I have done to date is to ensure the communications between the client and server are encrypted. This would be a departure from that train of thought in that – how do I ensure the client application on the other end is the client application I want to talk to (and not someone pretending to be my client application)?

Anyone have any thoughts on a reasonable way to do this?

+3  A: 

You can't ensure such a thing. The only thing that the server sees is the communication, and if a different client application behaves exactly like your client application, you can't see the difference.

Why is it important that only your own client application can talk to your server? If it's about security, then your security design is wrong. The simple fact is that the client application can never be trusted by the server, not even if it's your own client application.

Tommy Carlier  2009-08-03 11:24:29
A: 

This is difficult to answer without knowing more about what your server does and who the clients are. But there are a couple of options:

  1. Look at the IP of your clients. If the number of clients is small, it should be easy to maintain a list of IPs that are allowed to use your system.
  2. Since you are already using encryption, why not go one step further and work with client certificates?
innaM  2009-08-03 11:27:38
1. IP addresses can be dynamic, can be shared, and still don't ensure that the correct client software is used.2. A non-authorized client application can use the same client certificates. This does not prevent other client applications from using the server.
Tommy Carlier  2009-08-03 11:47:43
A: 

Why? If client environment isn't controlled and some third party client can be installed there, nothing can completely prevent user from tampering with official client, so anything security related should be done at server-side and in this case third party client isn't problem, or environment should be controlled.

If it's requested, frequent protocol changes with auto-updates pushed to client can hinder alternative client development. (exterrogated case: client consist only of bootstrap, downloading application from server. Protocol and corresponding application parts change virus-like with every copy).

License and lawyers can help here too

ymv  2009-08-03 11:31:58
A: 

challenge/response is one way.

Embed a serial number and a key unique to that serial number within your application (client and server). Then, when the client attaches and sends it's serial number, the server will compute a challenge to be sent to the client (using the known key). When the client receives the challenge, it has to respond with the response (which it computes from it's internal key).

KevinDTimm  2009-08-03 11:41:21
Hiding stuff in the client application is not secure. It's really not hard to extract "hidden" data from a client application.
Tommy Carlier  2009-08-03 11:45:02
Define 'really not hard' GSM has used this method for 15+ years. Brute force has been the only success in breaking it so far.
KevinDTimm  2009-08-03 12:05:20
Also, where are these malcontents getting the client app in the first place?
KevinDTimm  2009-08-03 12:06:08
Note too, that this defines PSK-TLS, and it's widely used.
KevinDTimm  2009-08-03 12:06:47
"Security through obscurity" (like used by GSM) is usually not a good kind of security. The encryption mechanism used by GSM (A5/1) was not broken by brute force, but by reverse engineering.
Tommy Carlier  2009-08-03 12:18:33
"Where are these malcontents getting the client app in the first place?"From the same place that legitimate users get them. Client apps are usually public.
Tommy Carlier  2009-08-03 12:19:16
With TLS-PSK, the keys are pre-shared but not "hidden in the client application". This is an entirely different mechanism.
Tommy Carlier  2009-08-03 12:21:06
1 - security through obscurity - correct, but the mechanism wasn't important, they still had to have the keys 2 - yes, I can see that, though it's not how I read it.3 - I said embedded, you assumed hidden (yours and my semantic disagreement). shared is what I mean, though not clear from the response
KevinDTimm  2009-08-03 12:40:14

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security