Hi all,

I'm trying to think of how to validate that a web service is only accessed by an authorised client software.

Now I don't mean that I only want the web service open to authorised users; I only want my web services open to clients that I deem acceptable.

Let's take a use case. I have a web service that I provide, and software that connects to that web service. In this case the service is REST-based. I do not want other people creating clients and accessing my web service, and profiting from my service, because this service is a very special set of data that I need to keep secured to approved clients only.

Some incorrect suggestions from elsewhere have been to ensure users have an account. However, this only stops unauthorised users; it does not stop someone from creating a client and allowing those genuine users to access my web services with someone else's software.

Another suggestion was to include certain identification details, or a client certificate, in the software, but it is too easy for someone to reverse engineer and get these details and then duplicate the requests.

I am not sure that what I want to do is even possible, but I am hoping someone can prove me wrong.

+2  A: 

There's nothing that would completely prevent creation of third-party software that mimics your existing client software, if you give away your software. You can make the task of such a "cloner" more complicated by obfuscating parts of your client's binary code or virtualizing those parts (e.g., with the VMProtect tool), but this, as said, makes the work harder but not totally impossible. You might want to reconsider your business strategy regarding client software.

Practice shows that if your server-side services are popular, clones will appear no matter what you do. This is simply because you can't satisfy all users with your client software, and if a critical mass of unsatisfied users appears, they will start creating better client software. And the best you can do in this case is offer a free client-side SDK and a community: these steps will make creation of third-party client software more controllable.

Eugene Mayevski 'EldoS Corp
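The point made in the question (identification details baked into the client can be extracted) and in the answer (nothing completely prevents a clone) can be made concrete by looking at what the server actually sees. The following is an added example; it is not code from the question's author, from Eugene Mayevski or from any EldoS product. It assumes a request-signing scheme in which the shipped client holds an embedded secret and signs each request with HMAC-SHA256 over method, path, timestamp and body hash; the path `/api/v1/special-data`, the secret value, the sample body and the 300-second freshness window are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret: stands in for whatever credential the shipped client
# binary embeds (an API key, a signing key, a client certificate's private
# key). This value is an assumption for the example, not from the original post.
EMBEDDED_CLIENT_SECRET = b"example-client-secret-0001"

# The server must hold the same secret in order to verify signatures.
SERVER_KNOWN_SECRET = EMBEDDED_CLIENT_SECRET

# What a reverse engineer recovers from the binary: the identical bytes.
EXTRACTED_SECRET = EMBEDDED_CLIENT_SECRET

METHOD, PATH = "POST", "/api/v1/special-data"
BODY = b'{"query":"latest"}'  # constructed sample request body
FRESHNESS_WINDOW = 300        # seconds; assumption for this example


def canonical_message(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bytes both sides MAC over. Binding method, path, timestamp and body hash
    means a captured signature cannot be reused on a different request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the canonical message, hex encoded."""
    msg = canonical_message(method, path, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(secret: bytes, timestamp: int, body: bytes = BODY) -> dict:
    """Produces the wire-level request. Any program holding `secret` (the
    vendor's client or a clone) builds exactly this."""
    return {
        "method": METHOD,
        "path": PATH,
        "timestamp": timestamp,
        "body": body,
        "signature": sign_request(secret, METHOD, PATH, timestamp, body),
    }


def server_accepts(req: dict, now: int, window: int = FRESHNESS_WINDOW) -> bool:
    """Server side: reject stale timestamps, then verify the MAC in constant time.
    Nothing here can tell which program produced the request."""
    if abs(now - req["timestamp"]) > window:
        return False
    expected = sign_request(SERVER_KNOWN_SECRET, req["method"], req["path"],
                            req["timestamp"], req["body"])
    return hmac.compare_digest(expected, req["signature"])


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Four clients as seen by the server; returns the accept/reject outcome of each."""
    official = build_request(EMBEDDED_CLIENT_SECRET, now)
    clone = build_request(EXTRACTED_SECRET, now)           # secret pulled from the binary
    guesser = build_request(b"wrong-guess", now)            # clone without the secret
    replay = build_request(EMBEDDED_CLIENT_SECRET, now - 3600)  # old capture replayed
    return {
        "official_client": server_accepts(official, now),
        "cloned_client": server_accepts(clone, now),
        "clone_without_secret": server_accepts(guesser, now),
        "replayed_old_request": server_accepts(replay, now),
        # The two accepted requests are byte-for-byte identical on the wire.
        "clone_indistinguishable": official == clone,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The signing scheme does real work: it stops a client that lacks the secret and stops replay of an old capture. What it cannot do is distinguish the vendor's binary from a clone that has had the secret extracted, because the server only ever sees bytes, and both programs emit the same bytes. Obfuscation or virtualization of the signing code raises the cost of extracting the secret; it does not change what the server can observe.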