Is it possible to create an error-free device identification?
Given:
The application works equally on both Win and Android. The application sends a request to the server with the device identifier, then the server must somehow check whether the application code has been changed, since it can be decompiled and made to send a ready-made identifier stolen from another machine instead of the calculated one. In other words, there is an Internet connection. After identification, HelloWorld will be sent to the device.
Question:
What are the options to ensure that the identifier was really programmatically generated and not substituted? (This implies decompilation and replacement of the identifier calculation with a ready-made identifier from another device.) Virtual machines do not count. Let's say the application will be installed manually for each user, but then there will be no control over the device.
The programming language doesn't matter, it's important to understand the logic.
Answer:
Hidden private key in a special chip on the device.
An example of such a device is a SIM card, or a special chip in the iPhone and some Android smartphones. It contains a secret key that cannot be pulled out and has a chip that allows you to encrypt data with this key (asymmetric encryption algorithms). The server can verify that the data is encrypted with the correct key.
https://en.wikipedia.org/wiki/Hardware_security_module
https://developer.android.com/training/articles/ke... - if there is no hardware storage, the operating system will provide it; it's not as secure, but it still keeps the cost of hacking high
https://developer.apple.com/documentation/security...
https://social.technet.microsoft.com/wiki/contents...
etc.
For Windows, the standard was not invented, and devices are not supplied by default. For Intel, you can certainly dig: there are proprietary tools that are used to store OEM keys, etc., but these tools are usually used by the hardware (laptop) manufacturer and are most likely already locked.
For desktop machines, the practice is to use a USB HASP key, or a USB key that appears in the system as a keyboard and generates time codes (codes tied to time, for example, like Google Authenticator). The devices themselves are cheap and unique, you can find special programmable ones (the secret key can be written once and sent to the client), and they are not expensive (delivery is more expensive).
https://en.wikipedia.org/wiki/YubiKey
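The check described in the answer above, as an added Go example that is not part of the original thread: the server sends a fresh nonce, the device signs it with its private key, and the server verifies the response with the public key enrolled for that identifier. Ed25519, the `dev-1` identifier, the `Server` and `Respond` names and the in-memory private key standing in for the chip are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds the public key enrolled per device ID and one outstanding
// single-use nonce per ID. The private key never reaches the server.
type Server struct {
	pub   map[string]ed25519.PublicKey
	nonce map[string][]byte
}

// msg binds a signature to both the claimed ID and the fresh nonce.
func msg(id string, nonce []byte) []byte {
	return append([]byte(id+"\x00"), nonce...)
}

// Challenge issues a fresh random nonce for the claimed device ID.
func (s *Server) Challenge(id string) []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.nonce[id] = n
	return n
}

// Verify consumes the nonce, then checks the signature with the enrolled key.
func (s *Server) Verify(id string, sig []byte) bool {
	pub, n := s.pub[id], s.nonce[id]
	delete(s.nonce, id)
	return pub != nil && n != nil && ed25519.Verify(pub, msg(id, n), sig)
}

// Respond is the device side. On real hardware the signing happens inside the
// chip; the in-memory key here is an assumption so the example runs anywhere.
func Respond(key ed25519.PrivateKey, id string, nonce []byte) []byte {
	return ed25519.Sign(key, msg(id, nonce))
}

func main() {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	s := &Server{map[string]ed25519.PublicKey{"dev-1": pub}, map[string][]byte{}}
	sig := Respond(key, "dev-1", s.Challenge("dev-1"))
	fmt.Println("genuine device:", s.Verify("dev-1", sig)) // true
	s.Challenge("dev-1")
	fmt.Println("replayed response:", s.Verify("dev-1", sig)) // false
}
```

Copying the identifier to another machine is not enough here, because the response depends on a key that stays on the device and on a nonce that is accepted only once.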