Valentin Kuzub

Reputation: 12093

How to prevent a Silverlight XAP from external copy & use on someone else's domain

I think I don't understand this process clearly.

Let's say I create a great SL application and host it on my web page. If someone downloads the XAP he can host it on his web page, since it's just a file, and it will work perfectly fine I think, even if it's obfuscated.

I think there are a couple of ways to protect it:

  1. Use authorization on my website (ASP.NET auth) and pass an auth token from it to the SL app, so they at least will have to use my website to get the auth token in some way (although, without the 2nd, this could also be done in some unseen way, like a web request or something that does everything a person would do to obtain the token, and then it would again work on another domain just fine), and use WCF service operations with this auth token.

  2. Use some WCF service & cross-domain restrictions to make sure the XAP won't work well if hosted like that.

It looks like if the second is a valid, 100% protected solution there is no need for complicated auth on the web site and passing a token to Silverlight; just SL authentication can be fine.

I would like to hear your thoughts about both approaches, and maybe some other ways to help with this situation.

Maybe there is a way to protect the XAP so it won't work at all if it was not downloaded from some specific domain?

Upvotes: 1

Views: 414

Answers (2)

Xavier Poinas

Reputation: 19733

Why not do something like this, maybe in Application_Startup:

// Application.Current.Host.Source is the URL the XAP was loaded from; its Host is
// the DNS name (and is an empty string when the XAP is opened from file://).
if (Application.Current.Host.Source.Host != "mydomain.com")
    throw new ApplicationStolenException(); // your own exception type

In theory someone could edit the XAP file to change that string, but you could obfuscate it to make it harder.

The authentication thing is not going to work. What are you going to do with that authentication token in your Silverlight app? Silverlight does not manage sessions; how are you going to prevent someone from reusing the token for ever?

The only reliable option is to have your application depend on a web service. And by depend I mean actually implementing part of the logic on the server. Otherwise it would be easy to just recreate a service that produces the same responses as yours.

As with all security related questions, it's all about balancing the risk and the investment.

Upvotes: 0
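A fuller version of the startup check from the answer above, added here as an example rather than the answerer's code: it compares the XAP's source host against an allowlist case-insensitively, accepts subdomains without the pitfall of a bare `EndsWith` that would also accept `evilmydomain.com`, and handles the empty host of a file:// debug run explicitly instead of by accident. The allowlist entries, the `MainPage` user control and the App.xaml that supplies `InitializeComponent()` are assumptions of this example. As the answer says, a patched XAP can simply remove this check, so it only raises the bar against casual copying; the server-side dependency is what actually protects the logic.

```csharp
using System;
using System.Linq;
using System.Windows;
using System.Windows.Controls;

// Added example (not the answerer's code). Assumes the usual Silverlight App.xaml
// partial class with InitializeComponent(), and a MainPage user control.
public partial class App : Application
{
    // Hosts the XAP may run from. Assumption: replace with your own domains.
    private static readonly string[] AllowedHosts = { "mydomain.com" };

    // Only debug builds accept a file:// or localhost run.
    private static readonly bool AllowLocalDebug =
#if DEBUG
        true;
#else
        false;
#endif

    public App()
    {
        Startup += Application_Startup;
        InitializeComponent();
    }

    private void Application_Startup(object sender, StartupEventArgs e)
    {
        // Application.Current.Host.Source is the URL the XAP was downloaded from.
        if (!IsAllowedSource(Application.Current.Host.Source, AllowLocalDebug))
        {
            // Show a dead-end page instead of the real UI. Throwing would also
            // stop the app, but this leaves the user with a readable message.
            RootVisual = new TextBlock { Text = "This application is not licensed for this site." };
            return;
        }
        RootVisual = new MainPage();
    }

    // Static and side-effect free so it can be unit-tested with arbitrary Uris.
    public static bool IsAllowedSource(Uri source, bool allowLocalDebug)
    {
        if (source == null) return false;

        // Uri.Host is already lowercased for DNS names and empty for file:// URIs.
        string host = source.Host;

        // Local debugging: file:// has no host, a dev web server runs on localhost.
        if (allowLocalDebug &&
            (host.Length == 0 ||
             string.Equals(host, "localhost", StringComparison.OrdinalIgnoreCase)))
            return true;

        // Exact match or a subdomain of an allowed host. Matching "." + h rather
        // than a bare EndsWith(h) stops "evilmydomain.com" passing as "mydomain.com".
        return AllowedHosts.Any(h =>
            string.Equals(host, h, StringComparison.OrdinalIgnoreCase) ||
            host.EndsWith("." + h, StringComparison.OrdinalIgnoreCase));
    }
}
```

One caveat the answer does not mention: `Host.Source` is the URL the plugin fetched the XAP from, not the URL of the page embedding it. A page on another domain whose `<object>` tag points its `source` parameter at the XAP on your own server would still pass this check, so if hotlinking matters, restrict the XAP URL on the server side (for example by Referer) as well.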
