Validate Client Software for Web Services
I'm trying to think of how to validate that a web service is only accessed by an authorised client software.
Now I don't mean that I only want the web service open to authorised users, I only want my web services open to clients that I deem acceptable.
Lets take a use case. I have a web service that I provide, and software that connects to that web service. In this case the service is REST based. I do not want other people creating clients and accessing my web servic开发者_JAVA百科e, and profiting from my service, because this service is a very special set of data that I need to keep secured to approved clients only.
Some incorrect suggestions from elsewhere have been to ensure users have an account. However this only stops unauthorised users, it does not stop someone creating a client and allowing those genuine users to access my web services with someone else's software.
Another suggestion was to include certain identification details, or a client certificate, in the software, but it is too easy for someone to reverse engineer and get these details and then duplicate the requests.
I am not sure that what I want to do is even possible, but I am hoping someone can prove me wrong.
There's nothing that would completely prevent creation of third-party software, similar to mimic your existing client software, if you give away your software. You can make the task of such "cloner" more complicated by obfuscating parts of your client's binary code or virtualizing those parts (eg. VMProtect tool), but this, as said, makes work harder but not totally impossible. You might want to re-consider your business strategy regarding client software.
Practice shows that if your server-side services are popular, clones will appear no matter what you do. This is simply because you can't satisfy all users with your client software, and if the critical mass of unsatisfied users appears, they will start creation of better client software. And the best you can do in this case is offer a free client-side SDK and a community: these steps will make creation of third-party client software more controllable.
精彩评论