Answer the question
In order to leave comments, you need to log in
How to protect an Air application from server API spoofing?
There is a client on Air that performs simple requests to the api of our server. The client is distributed free of charge to everyone. The service has a free mode, and additional. paid options.
The functionality of the server is easily copied if you "listen" to the traffic. And it is believed that decompiling an Air application is a piece of cake.
Communications are via https, but I have not yet figured out how to verify in Air that communications occur with the only valid server.
How to protect the business from the fact that the villains will raise the “Chinese” analogue of our server and use our cool client with it, for example, by registering their clone in the hosts ip?
Maybe there is some more general “correct” approach to secure a bunch of a half-open client with a closed service?
Answer the question
In order to leave comments, you need to log in
What then is the value of your server (and what the hell is it needed at all), if by intercepting traffic, you can easily do the same?
A primitive way to check is to use https and check the fingerprints and the path of the certificate, but even in this case, the client can be decompiled and the check removed.
For example, QIWI in its terminal software checks localhost and tries to resolve IP addresses of hosts through its DNS. https certificate verification. Plus all requests/responses are signed with MD5. But in an open-source client, this cannot be done efficiently.
This means that you need to transfer the maximum value to the server, and use the client as a smart browser for your Internet service.
Move part of the logic to the server side. For example, the interface is built on the basis of the code that is sent from the server. This is a very simplified example, but I think you can take it further. As long as some of the functionality of the client is a black box for thieves, you are relatively safe.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question