Hi,

Is there a way to check which calls into my web-application API came from my distributed client?

That is, if I have both a thick client (a Windows Forms client, say) and the server-side web application that exposes an HTTPS interface (assume the user puts a username/password into the client configuration for authentication), is there a way to ensure the web application interface is ONLY used by my client? That is, to prevent users 'playing the system' and developing their own scripts/apps to use the API (and hence potentially misuse the service).

If I bury a private key in the WinForms client somehow so it can sign the payloads, the implication would be that it could be decompiled by a user? Just curious to know if it is possible to solve this one....

thanks

+1  A: 

You can make it harder to "play the system", but you cannot hide any secrets on your client's computer.

As soon as the "bad guy" has direct access to the program that makes the web service calls, he will be able to disassemble it, or by other means reverse engineer it, to obtain the secret of how to make authenticated calls to the service.

Jørn Schou-Rode
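As an added illustration (not part of the question or of Jørn's answer), here is a Python sketch of the "sign the payloads with a key buried in the client" scheme the question proposes, together with the server-side verification; the key, path and payload are constructed values. It shows what the signature does buy (tamper and replay resistance) and what it cannot: any script that holds the same key passes the same check, which is the answer's point.

```python
import hmac
import hashlib
import time

# Constructed example key. In the question's scenario this value is compiled
# into the WinForms client, so it is not actually secret from the user.
CLIENT_KEY = b"example-embedded-client-key"
MAX_SKEW_SECONDS = 300


def canonical(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Bytes both sides sign: method, path, timestamp and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """What the thick client does before sending a request over HTTPS."""
    return hmac.new(key, canonical(method, path, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, body: bytes,
                   timestamp: int, signature: str, now: int) -> bool:
    """Server-side check: reject stale timestamps and bad signatures.
    compare_digest is constant-time so the tag cannot be guessed byte by byte."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(key, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    now = int(time.time())
    body = b'{"action":"export","rows":1000}'   # constructed payload
    # 1. A genuine client request verifies.
    sig = sign_request(CLIENT_KEY, "POST", "/api/export", body, now)
    genuine = verify_request(CLIENT_KEY, "POST", "/api/export", body, now, sig, now)
    # 2. A request whose body was altered in transit fails.
    tampered = verify_request(CLIENT_KEY, "POST", "/api/export", body + b" ", now, sig, now)
    # 3. The same request replayed an hour later fails the timestamp window.
    stale = verify_request(CLIENT_KEY, "POST", "/api/export", body, now, sig, now + 3600)
    # 4. A home-grown script holding the same key (recovered from the client
    #    binary, as the answer describes) is indistinguishable from the real
    #    client: the signature only proves possession of the key.
    script_sig = sign_request(CLIENT_KEY, "POST", "/api/export", body, now)
    script = verify_request(CLIENT_KEY, "POST", "/api/export", body, now, script_sig, now)
    return {"genuine": genuine, "tampered": tampered, "stale": stale, "script": script}


if __name__ == "__main__":
    print(demo())
```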