2

I am writing a Java application which will communicate with a remote server to send and receive files (users will have to login first). The source code will be open for public review.

To ensure a conflict-free user experience, the server should only accepts connections from clients which do not run an altered version of the original program.

How can I check that the binary files have not been changed ? For example, send some hash of the running executable (or even the executable itself) and the server will then see if it matches what it should be.

I've already seen this question but I think in 4 years things must have changed a little bit.

Dreadlockyx
  • 181
  • 1
  • 11
  • 3
    Duplicate - https://stackoverflow.com/questions/6500154/how-to-verify-from-server-that-client-code-hasnt-been-modified - You say you saw this question and that things have changed, but this is still valid. – mikeb Feb 26 '16 at 14:00
  • I said things must have changed, because since 2011 no new reply has been posted. So things may or may not have changed. – Dreadlockyx Feb 26 '16 at 14:02
  • 2
    Things have not changed. – mikeb Feb 26 '16 at 14:02
  • So what happens when a client captures your validation hash and uses it in subsequent spoofed requests? What exactly do you need to validate here? If you're trying to authenticate/authorize users, there are already ways of doing that and you really shouldn't be inventing your own. – David Feb 26 '16 at 14:03
  • As @mikeb said, apparently things have not changed, so upon a capture of the hash it is very well possible to spoof future requests. You mean I should use existing authentication methods instead of reinventing the wheel ? Ex. let users have a standard API to communicate with the remote server – Dreadlockyx Feb 26 '16 at 14:10

0 Answers0