API
Sergey Sokolov, 2012-06-05 15:01:58

How to protect an Air application from server API spoofing?

There is a client on Air that performs simple requests to the API of our server. The client is distributed free of charge to everyone. The service has a free mode and additional paid options.
The functionality of the server is easily copied if you "listen" to the traffic. And it is believed that decompiling an Air application is a piece of cake.
Communication is over https, but I have not yet figured out how to verify in Air that the communication is with the one valid server.
How do we protect the business from villains who will stand up a "Chinese" analogue of our server and use our cool client with it, for example by registering their clone's IP in the hosts file?
Maybe there is some more general "correct" approach to securing a combination of a half-open client and a closed service?


3 answer(s)
egorinsk, 2012-06-05
@egorinsk

What then is the value of your server (and why the hell is it needed at all), if by intercepting traffic you can easily do the same?
A primitive way to check is to use https and verify the fingerprints and the path of the certificate, but even in this case the client can be decompiled and the check removed.
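
The check egorinsk describes, pinning the server certificate's fingerprint on top of ordinary https validation, looks like this in Python. This is an added example, not code from the thread or from any AIR project; the two DER byte strings are constructed placeholders standing in for real certificates, the backup pin value is a placeholder, and `connect_pinned` assumes a reachable host. An AIR client would do the same comparison on the certificate bytes its socket API exposes.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes that stand in for the DER encoding of the real
# server certificate. A real client obtains these from
# ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
GENUINE_SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"genuine-api-server-cert-placeholder"
IMPOSTOR_CERT_DER = b"\x30\x82\x01\x0a" + b"clone-server-cert-placeholder"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(cert_der).hexdigest()


# Pins shipped inside the client: the current certificate plus a backup pin
# (placeholder value here) so that a planned certificate rotation does not
# lock every installed client out.
PINNED_FINGERPRINTS = {
    fingerprint(GENUINE_SERVER_CERT_DER),
    "0000000000000000000000000000000000000000000000000000000000000000",  # backup pin placeholder
}


def check_pin(cert_der: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints.

    Constant-time comparison so the check does not leak how many characters matched.
    """
    presented = fingerprint(cert_der)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def connect_pinned(host: str, port: int = 443, pins=PINNED_FINGERPRINTS,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the peer certificate is pinned.

    Chain validation and hostname verification still run first (create_default_context
    enables both); the pin is an extra check on top, so a clone server reached through
    a hosts-file redirect is rejected even if it presents a CA-issued certificate.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    peer_der = tls.getpeercert(binary_form=True)
    if not check_pin(peer_der, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s: got %s"
                           % (host, fingerprint(peer_der)))
    return tls
```

Pinning the fingerprint defeats the hosts-file redirect from the question, because the clone cannot present a certificate with the pinned hash. It does not change egorinsk's caveat: the comparison lives in the distributed client, so a decompiled and patched client can simply skip it, and the pin set must be updated before the real certificate is rotated.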

plr, 2012-06-05
@plr

For example, QIWI in its terminal software checks localhost, tries to resolve host IP addresses through its own DNS, verifies the https certificate, and signs all requests/responses with MD5. But in an open-source client this cannot be done effectively.
This means that you need to move as much of the value as possible to the server, and use the client as a smart browser for your Internet service.
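
plr mentions signed requests/responses alongside keeping the value on the server. The following is an added example, not code from the thread or from QIWI: a per-session HMAC-SHA256 signing scheme (swapped in for the MD5 signing plr mentions) in which the signing secret is handed to the client after it logs in over TLS rather than compiled into the distributed binary, so decompiling the client yields nothing reusable. The header names, session id, request paths and the `MAX_CLOCK_SKEW` window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

# Constructed: per-session secret issued to the client after authentication
# over TLS. Only the server and that one session know it.
SESSION_SECRETS = {"session-abc123": secrets.token_bytes(32)}

MAX_CLOCK_SKEW = 300        # seconds a signed request stays acceptable (assumed)
_seen_nonces = set()        # replay cache; a production server uses a store with expiry


def canonical(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Deterministic byte string covering everything the server acts on."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(session_id: str, secret: bytes, method: str, path: str, body: bytes,
                 now=None, nonce=None) -> dict:
    """Client side: produce the headers that accompany one request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Session": session_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   now=None) -> Tuple[bool, str]:
    """Server side: accept only fresh, unreplayed, correctly signed requests.

    Returns (accepted, reason) so the caller can log why a request was refused.
    """
    secret = SESSION_SECRETS.get(headers.get("X-Session", ""))
    if secret is None:
        return False, "unknown session"
    try:
        timestamp = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "stale request"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed request"
    expected = hmac.new(secret, canonical(method, path, body, timestamp, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    _seen_nonces.add(nonce)   # remember the nonce only once the signature is good
    return True, "ok"
```

Because the secret is per session and is obtained only by logging in to the real server, a clone server has nothing to verify signatures with and an unmodified client talking to it will fail on the first reply. The scheme still follows plr's conclusion: it protects the server's side of the exchange, not the client binary itself.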

s0rr0w, 2012-06-05
@s0rr0w

Move part of the logic to the server side. For example, the interface is built from code that is sent by the server. This is a very simplified example, but I think you can take it further. As long as some of the client's functionality is a black box for thieves, you are relatively safe.
