I have an app that runs in the client and this app sends and receives data to/from a remote server.
Is there any way that I can guarantee that the data sent to the server really originated from the allowed app?
Of course I can enc开发者_Go百科rypt the data, but as it can be decompiled, it wouldn't make it 100% secure.
We're using .net/c#.
thanks!
Your question is too ambiguous and cannot be answered in its present form. You'll need to more precisely state the threat that you want to mitigate.
For example, suppose you have a client, Alice, attempting to send a message to a server, Bob. Is the threat:
A third party, Eve, could be listening to the communication channel. Alice desires Bob to understand the message, but Eve must not be able to understand the message.
A third party, Mallory, could be actively tampering with the communication channel. Bob desires to know whether or not anyone has tampered with Alice's attempt to send a message.
Eve and Mallory are working together. By monitoring the channel, Eve has accumulated recordings of a number of genuine message from Alice to Bob. Even though she cannot understand them, she believes they are good messages. Eve gives the messages to Mallory. Mallory will tamper with the communication channel so that Bob appears to be getting valid messages from Alice even though Alice is not sending messages right now. (Or, Mallory will tamper with the channel such that Alice's current valid message is replaced with a previous valid message.)
A third party, Moriarty, has murdered Alice and is now sending messages to Bob purporting to come from her. (The communication channel is uncompromised; Mallory and Eve have the night off.) Bob wishes to know whether the message is really coming from Alice, as the message claims.
Those problems might seem similar but in fact they are different problems and solved with different techniques. If you think you are solving all of them by solving one of them then you are building an insecure system. You need to carefully and clearly describe what threat you want to mitigate before anyone here can give you advice on how to do so.
There's a never-ending arms war between people that want to secure software and digital communication, and those that want to break that security.
The state of the art for this type of problem includes:
- Creating tamper-resistant client code (e.g. How to preventing decompilation of any C# application)
- Encrypting your communication channel (you can use message level and/or transport-level encryption depending on your environment and needs)
- Using a hash or similar to detect if the transmission was decrypted (having a salted hash makes it harder, not impossible, to change or forge message contents).
- Following best practices to secure your server both from remote and physical access.
There isn't such a thing as "100% secure". But yes, one feasable way would be encryption with signing and a Trusted Third Entitiy (RCA), that validates the certificates.
if you want to make it less likely that your code is tampered with you will want to obfuscate your code. I like this free obfuscator.
http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx
as it gives you a lot of functionality and is a simple drop and go type application.
then you can simply use https and web Services to enable a secure communication with 128 bit encryption (or better if your not crossing country lines)
if they spend the time to get past that then you should feel good knowing your application is worth that much trouble.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论