views:

47

answers:

2

I've just read a few posts on hiding Silverlight code in some way. The main conclusion was that you can obfuscate it, but you can't really hide it, so secure things must be done at the server. But then, anyone can see via Fiddler what kind of data is posted to a particular web service. For instance, they can see that I'm calling UpdateCustomer.asmx. And if they do, what can I do to stop them from calling that asmx too? Is there a way to allow only 'my Silverlight app' to call that method?

+1  A: 

Nope. Someone can always reverse engineer your Silverlight application to steal whatever authentication credential you use. You can make this reverse engineering process more tedious than it would be otherwise, but you can't make it impossible.

Why is it a problem if someone accesses your URL from a custom client? You're authenticating the user, right?

Scott Wolchok
No, in this case the user isn't authenticated.
Michel
A: 

I suppose if you wanted to be really paranoid, you could marshal all calls from your client application through one web service endpoint and encrypt the payload...something like:

  • Client application hits endpoint "givemeatoken.asmx"
  • Server generates some key token
  • Client encrypts all calls using said token, passing them to single endpoint "onlyservice.asmx"
  • Server decrypts payload of calls using token, and routes calls to "real" web services.
  • Server retrieves results of call, re-encrypts using token, and passes back to client
  • Client decrypts results and does what it needs to do.

But that's just crazy talk... and kind of pointless, since you could reverse engineer the Silverlight code itself to figure out what the "real" services would be. If you really want to secure your app, use authentication, both on the client side and the server side (i.e., calls to the services require an authentication ticket of some sort).

JerKimball
Thanks, I'll implement the authentication mechanism.
Michel
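To make the "require an authentication ticket on the server side" advice concrete, here is an added example of an ASMX method in its unprotected form and its hardened form. It is not code from the question or either answer; it assumes ASP.NET Forms Authentication is configured in web.config so the Silverlight client's request carries the forms-auth cookie, and the `CustomerStore` helper, its sample data and the `UpdateCustomer` service name are hypothetical.

```csharp
// Added example, not from the original post. Assumes Forms Authentication is enabled
// in web.config; CustomerStore and its contents are hypothetical stand-ins.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;

static class CustomerStore
{
    // Constructed sample data: customer id -> login name that owns the record.
    private static readonly Dictionary<int, string> Owner =
        new Dictionary<int, string> { { 1, "alice" }, { 2, "bob" } };

    public static bool IsOwnedBy(int id, string login) =>
        Owner.TryGetValue(id, out var o) && o == login;

    public static void SetEmail(int id, string email) { /* persist to the database here */ }
}

[WebService(Namespace = "http://example.invalid/")]
public class UpdateCustomer : WebService
{
    // BEFORE: anyone who learns the URL from Fiddler can change any customer record.
    [WebMethod]
    public void UpdateUnprotected(int customerId, string newEmail)
    {
        CustomerStore.SetEmail(customerId, newEmail);
    }

    // AFTER: the server decides who may call this; the client is not trusted.
    [WebMethod]
    public void Update(int customerId, string newEmail)
    {
        // 1. Authentication: a replayed request without a valid forms-auth ticket is
        //    rejected here, regardless of which client produced it.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Authentication required.");

        // 2. Authorization: a ticket proves who the caller is, not that they own this
        //    record, so ownership is checked server-side as well.
        if (!CustomerStore.IsOwnedBy(customerId, user.Identity.Name))
            throw new UnauthorizedAccessException("Not your customer record.");

        // 3. Validate input on the server too; any client-side check can be bypassed.
        if (string.IsNullOrEmpty(newEmail) || newEmail.Length > 254)
            throw new ArgumentException("Invalid e-mail address.");

        CustomerStore.SetEmail(customerId, newEmail);
    }
}
```

The checks live in the method itself rather than in the Silverlight client, so it no longer matters whether the caller is "my Silverlight app" or a hand-built request: both get the same decision from the server.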