0

Assume I have an open source application, that connects to my server. I need to guarantee that the application that has been distributed was not tampered.

Assume the client sends a hash of the executable to the server to verify if it matches the hash of the exe originally distributed.

Now what if somebody took the source, edited the function to send back a correct hash, to trick the server into thinking it was a valid exe.

Is there any way to get around this? Could the server check / guarantee that the exe launched was signed?

t348575
  • 674
  • 8
  • 19
  • 1
    This is not a solvable problem, even if you hide the source code. It's not even thinkable if your provide the source code to the attack. There are a bunch of previous discussions for more details. They're often platform-specific, but every platform has the same situation. https://stackoverflow.com/questions/7337637/easiest-way-to-limit-executable-to-running-on-a-certain-computer https://stackoverflow.com/questions/9181186/secure-https-encryption-for-iphone-app-to-webpage – Rob Napier Aug 19 '21 at 14:53
  • 1
    Fundamentally the server can only see what is sent to it over the network, and the client has full control over what bytes get sent over the network. There's no way to make sure that those bytes were "legitimately" computed. – Rob Napier Aug 19 '21 at 14:54
  • @RobNapier suppose somebody figured out / knows how to interact with my server's API. Is there any way to guarantee that my application is making the request's and not just a script someone wrote to interact with my API. – t348575 Aug 20 '21 at 12:27
  • 1
    No. That's exactly the point. Bytes are bytes. Network packets are network packets. You cannot know how they were created. You cannot authenticate applications. You can only authenticate users, because they know a secret the application does not. (You can also authenticate security hardware like a YubiKey, but this is just another way of authenticating the user; it still cannot authenticate an application.) With sufficient obfuscation, you can make it a little harder, for a little while, for attackers to figure out your API. That's all. – Rob Napier Aug 20 '21 at 14:02

0 Answers0