Andybanandy

Reputation: 120

How to authenticate a WPF application against the server?

Assume the following:

  1. I have a WPF Application which reads a text from a file and sends the text to my server REST API via HTTPS, and the server sends a response which depends on the text which was sent in the request

  2. The WPF Application should be the only one which gets a useful response to this request - so the WPF Application has to show somehow to the server that the request is sent from the application itself.

  3. The user of the WPF Application should not be asked to enter any login credentials

What are the best practices here?

My thoughts:

Thanks in advance

Upvotes: 0

Views: 458

Answers (1)

Kelly

Reputation: 7183

If your server already supports HTTPS the client knows the server is trusted based on the cert it is using, so that side is handled. (client trusts server)

To ensure trust the server needs to do the same. (server trusts client) The client should hold a cert it can pass to the server so the server can verify the client's identity.

Like always this brings up the problem of how to hide the key in the client, of which there are various schemes but since the client needs to get the key eventually you cannot prevent a dedicated hacker from finding that info, only make it harder for them. (obfuscation etc)

Depending on your application the best is a simple white-list of clients allowed to connect. Some apps can do this but many cannot since they don't have the users' IPs etc, but it's something else to keep in mind if it fits your use-case.

You can send a password to the server like you suggest. As long as the message is encrypted (HTTPS) you're probably fine. Nothing is 100% secure. It can be intercepted via a man-in-the-middle style attack, but these are fairly rare, or at least very targeted, so it would depend on what your software does etc.

Upvotes: 1
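
The client-certificate approach from the answer above, sketched as an added example (not code from the question or the answer). It assumes .NET 6 or later, a certificate already installed in the current user's store, and a server configured to require client certificates; the thumbprint, endpoint URL and file name are placeholders.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class ApiClient
{
    // Placeholders (assumptions): replace with your certificate's thumbprint and API URL.
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string Endpoint = "https://api.example.com/process";

    // Load the client certificate from the current user's store rather than
    // shipping a PFX file and its password inside the application binaries.
    static X509Certificate2 LoadClientCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException("Client certificate is not installed.");
        var cert = found[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; it cannot prove identity.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Client certificate is outside its validity period.");
        return cert;
    }

    static async Task Main()
    {
        // Present the certificate explicitly during the TLS handshake.
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(LoadClientCertificate());
        // Server certificate validation is left at the default (system trust store).
        using var client = new HttpClient(handler);

        string text = await File.ReadAllTextAsync("input.txt"); // file name is an assumption
        using var body = new StringContent(text, Encoding.UTF8, "text/plain");
        using var response = await client.PostAsync(Endpoint, body);
        // How a missing or untrusted certificate is rejected depends on the server configuration.
        Console.WriteLine($"{(int)response.StatusCode}: {await response.Content.ReadAsStringAsync()}");
    }
}
```

Keeping the key in the certificate store instead of in the application files only raises the bar; as the answer notes, a user who controls the machine can still reach it.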
