-4

I have a client and server application set, both written in C#, but some client versions might be distributed in other languages in the future. I want to protect my applications.

I was looking for some kind of advice on how to stop random people from sending messages to a server and acting like a client. What kind of validation can I put in place?

The client applications I distribute will be obfuscated, but is this enough? I'm just looking for some advice in this situation: is it wise for me to add some kind of encryption other than SSL, or am I just being overprotective and over-curious? Any input is welcomed and accepted.

2 Answers

2

It is impossible to determine if you are communicating remotely with "your client" or another piece of software that also knows how to communicate in the way that your client does.

What you can do is ensure that you are communicating with someone that is authorized to communicate with you by using client certificates for your SSL session.

The server proves who it is to the client and the client proves who it is to your server. The security then rests in whoever holds the private key to the client certificate (and the password for this key file).

The C# SslStream class has support for this; namely, the AuthenticateAsClient method is relevant here.

In summary, if your software is only secure when communicating with a client you wrote, then your software isn't secure, period. Instead, design your server in such a way that you can serve client requests securely. Using authentication is one of these ways.

Luke Joshua Park
  • I'm using authentication already, although the password is currently grabbed from an API. I'm hoping that when the client is deobfuscated the password will be hidden in the deobfuscation, but I know that isn't the best way to approach this. – Brandon Sage Apr 15 '18 at 02:59
  • Yeah it sounds like you've done this in a very insecure and inelegant manner. Your question is too vague for me to assist you further. – Luke Joshua Park Apr 15 '18 at 03:01
0

You would want to do two things. One is to look up certificate pinning: your app will validate your SSL cert to thwart man-in-the-middle attacks, and it makes it hard to circumvent. The other is, when making requests to the server, to have some type of username/password block in the server-side script before the server side does anything, so that requests from an unknown source will simply be discarded by the server.
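The two answers above describe two halves of the same mechanism: mutual TLS over SslStream, where the server demands a client certificate (first answer), and certificate pinning, where each side accepts only the exact certificate it expects instead of trusting a CA chain (second answer). The following is an added example, not code from either answer, that does both in one loopback exchange. It assumes .NET 6 or later; the class, method and certificate names (MutualTlsDemo, RequirePin, CN=demo-server, CN=demo-client) are placeholders, and the certificates are generated in-process for the demo, whereas a shipped client would carry the server's pin and its own private key as configuration.

```csharp
// Added example, not from the original answers: mutual TLS with SslStream plus
// certificate pinning on both ends. Requires .NET 6 or later.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class MutualTlsDemo
{
    // A pin is the SHA-256 hash of the certificate's DER encoding. Pinning the
    // hash rather than trusting a CA chain is why self-signed certificates work here.
    static string Pin(X509Certificate cert) =>
        Convert.ToHexString(SHA256.HashData(cert.GetRawCertData()));

    // Validation callback used by both sides: the peer is accepted only if its
    // certificate hashes to the expected pin. A null certificate (peer sent none)
    // fails, and chain errors are deliberately ignored in favour of the pin.
    static RemoteCertificateValidationCallback RequirePin(string expectedPin) =>
        (sender, cert, chain, errors) => cert != null && Pin(cert) == expectedPin;

    // Self-signed certificate with a private key SslStream can use. The PFX
    // export/re-import round trip is needed on Windows, where CreateSelfSigned
    // returns an ephemeral key that Schannel will not use for TLS.
    static X509Certificate2 MakeCert(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(30));
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx), (string)null, X509KeyStorageFlags.Exportable);
    }

    static async Task<string> RunServer(TcpListener listener, X509Certificate2 serverCert, string clientPin)
    {
        using TcpClient tcp = await listener.AcceptTcpClientAsync();
        using var ssl = new SslStream(tcp.GetStream(), false, RequirePin(clientPin));
        // clientCertificateRequired: true makes the handshake fail if the client presents
        // no certificate; the callback above then rejects anything but the pinned one.
        await ssl.AuthenticateAsServerAsync(serverCert,
            clientCertificateRequired: true,
            enabledSslProtocols: SslProtocols.Tls12 | SslProtocols.Tls13,
            checkCertificateRevocation: false);
        if (!ssl.IsMutuallyAuthenticated)
            throw new AuthenticationException("client did not authenticate");

        // Only now does the server look at application data.
        var buf = new byte[1024];
        int n = await ssl.ReadAsync(buf);
        string request = Encoding.UTF8.GetString(buf, 0, n);
        await ssl.WriteAsync(Encoding.UTF8.GetBytes("ack: " + request));
        return request;
    }

    static async Task<string> RunClient(int port, X509Certificate2 clientCert, string serverPin)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(IPAddress.Loopback, port);
        using var ssl = new SslStream(tcp.GetStream(), false, RequirePin(serverPin));
        // AuthenticateAsClientAsync presents clientCert when the server asks for one.
        // Whoever holds clientCert's private key is "the client" as far as the server knows.
        await ssl.AuthenticateAsClientAsync("localhost",
            new X509CertificateCollection { clientCert },
            SslProtocols.Tls12 | SslProtocols.Tls13,
            checkCertificateRevocation: false);
        await ssl.WriteAsync(Encoding.UTF8.GetBytes("hello"));
        var buf = new byte[1024];
        int n = await ssl.ReadAsync(buf);
        return Encoding.UTF8.GetString(buf, 0, n);
    }

    static async Task Main()
    {
        using var serverCert = MakeCert("CN=demo-server");
        using var clientCert = MakeCert("CN=demo-client");
        using var rogueCert  = MakeCert("CN=demo-client"); // same name, different key: must be rejected

        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        // 1. The pinned client is accepted and its request is answered.
        var server = RunServer(listener, serverCert, Pin(clientCert));
        Console.WriteLine(await RunClient(port, clientCert, Pin(serverCert)));
        await server;

        // 2. A client with any other certificate fails during the handshake, before
        //    the server reads a single byte of application data.
        server = RunServer(listener, serverCert, Pin(clientCert));
        try { await RunClient(port, rogueCert, Pin(serverCert)); }
        catch (Exception e) { Console.WriteLine("rogue client rejected: " + e.GetType().Name); }
        try { await server; } catch (Exception e) { Console.WriteLine("server side: " + e.GetType().Name); }
        listener.Stop();
    }
}
```

Two caveats worth keeping in mind with this design. First, it enforces exactly what the first answer says and no more: the server learns that the peer holds the pinned private key, not that the peer is an unmodified copy of your binary. A key extracted from a deobfuscated client (or a password pulled from an API, as in the comment above) is indistinguishable from the real client, so per-user keys you can revoke individually are worth more than one key baked into every copy. Second, pinning the certificate hash means rotating either certificate breaks every deployed peer that has not learned the new pin; plan a rollover (ship the next pin ahead of time, or pin the public key rather than the whole certificate) before you need it.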