0

I am developing a web application that runs on Google App Engine. It has some HTTP GET methods to request data. I do not want any random web request to be able to receive data from the server. Only my web app (i.e., requests originating from my website) plus any mobile or desktop clients I develop should be able to request data from the server. How is this done? Note I am not talking about username/password authorization here. I am asking how to make sure that the client app who is making the request is authorized. Otherwise, anyone can make their client (e.g., a C# console app) and start using my data. I think the question is similar to this one: How to authenticate client application for trust of messages sent from it

Community
  • 1
  • 1
morpheus
  • 18,676
  • 24
  • 96
  • 159

3 Answers3

0

Short answer is, you can't.

https://security.stackexchange.com/questions/826/how-can-i-securely-authenticate-the-client-application-sending-me-data

Long answer is, you can make it difficult for hackers. Usually this works by embedding a key in the application, obfuscating it, and obfuscating the code for getting the key. This doesn't make it impossible for someone to find the key, just harder.

One of the stronger consumer systems out there is Microsoft's Silverlight DRM, you might want to investigate how that work: http://www.iis.net/learn/media/iis-media-services/content-protection-in-silverlight

Community
  • 1
  • 1
dragonx
  • 14,963
  • 27
  • 44
0

You can use 3scale. It provides authorization , stats, control of the requests made to your GAE application

https://code.google.com/p/appspotimage/wiki/APICreationArticle

Omair Shamshir
  • 2,126
  • 13
  • 23
  • If I am not wrong 3scale will provide a key, but it can be seen by anyone in the request headers, and can be stolen. Is this correct? This is similar to a key that is needed to use Google Maps API. The purpose of such a key is mostly tracking and instrumentation. Granted, it provides a level of security rather than requiring no key at all. – morpheus Aug 21 '13 at 16:46
0

Encrypt the request via your client. Decrypt at the server level. If decryption is successful and the request is well-formed, its authorized.

Otherwise, its an unauthorized client.

The catch?

Someone will be able to make an unauthorized client after they solve your method of encryption. This would most likely be after decompiling your program and trudging through obfuscated code, making it harder/time consuming, but it is still possible.

Zerkz
  • 686
  • 1
  • 6
  • 25