Securing APIs used by remote devices



  • We have desktop software that we install and run on remote, unattended machines. The software needs to hit API endpoints on our server. What is the best way to secure those endpoints to ensure that only our software can call them? We may or may not have admin rights to that machine. Others (staff or 3rd party individuals) may have access to that machine at an admin level.



  • Short answer: you cannot.

    Long answer: You want DRM and DRM may or may not work, depending on the adversary.

    If a third party has access to the computer where your software is installed, they can disassemble/decompile your software and learn how it works. They can install an intercepting proxy on the computer and analyse all network traffic.

    Online game companies have an entire team working on this problem, and there is always someone writing code to cheat on online games.

    You can obfuscate your code, write a highly convoluted protocol, employ anti-debugging techniques, all to make it more difficult for someone to analyse your software, but you have no way to ensure that only your software can access the API.

    And the bad thing about DRM is that as soon as one user breaks it, it's broken for everyone, because it only takes that user sharing a bypass online and everyone else can do the same bypass.
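As an added example (not part of the question or the answer above, and not any product's real code), the following shows the answer's point in runnable form and what a server can still do. It assumes a per-installation HMAC key, the header names `X-Install-Id`, `X-Timestamp`, `X-Nonce` and `X-Signature`, and constructed installation ids and keys; none of these come from the page. A request signed with a key read out of the installation verifies exactly like one from the genuine software, so the server cannot tell them apart; what it can do is reject replays, forgeries and stale requests, and revoke one installation without affecting the others.

```python
import hashlib
import hmac
import secrets
import time


class ApiServer:
    """Server side of a per-installation request-signing scheme (example code).
    One HMAC key per installation, plus the controls that remain useful once
    you accept that anyone with admin on the machine can read that key."""

    MAX_SKEW_SECONDS = 300  # accepted clock drift between client and server

    def __init__(self, install_keys):
        # install_id -> key. A real deployment keeps this in a database and
        # issues the key at enrolment or installer-build time.
        self.install_keys = dict(install_keys)
        self.revoked = set()
        self.seen_nonces = set()  # expire entries after MAX_SKEW_SECONDS in practice

    @staticmethod
    def canonical(install_id, ts, nonce, body):
        # Everything the signature covers, in a fixed order.
        return f"{install_id}\n{ts}\n{nonce}\n{body}".encode()

    @classmethod
    def sign(cls, install_id, key, body, ts=None, nonce=None):
        """Client side: the headers the desktop software attaches to a call."""
        ts = int(time.time()) if ts is None else ts
        nonce = secrets.token_hex(16) if nonce is None else nonce
        mac = hmac.new(key, cls.canonical(install_id, ts, nonce, body), hashlib.sha256)
        return {"X-Install-Id": install_id, "X-Timestamp": str(ts),
                "X-Nonce": nonce, "X-Signature": mac.hexdigest()}

    def verify(self, headers, body, now=None):
        """Returns (accepted, reason). Cheap lookups first, MAC last."""
        now = int(time.time()) if now is None else now
        install_id = headers.get("X-Install-Id")
        key = self.install_keys.get(install_id)
        if key is None:
            return False, "unknown installation"
        if install_id in self.revoked:
            return False, "revoked installation"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if (install_id, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(key, self.canonical(install_id, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add((install_id, nonce))
        return True, "ok"

    def revoke(self, install_id):
        self.revoked.add(install_id)


def walkthrough():
    """Constructed scenario matching the question: two unattended machines,
    one of which a third party controls at admin level."""
    keys = {"install-0001": b"constructed-key-A-not-a-real-secret",
            "install-0002": b"constructed-key-B-not-a-real-secret"}
    server = ApiServer(keys)
    body = '{"event":"heartbeat"}'
    now = 1_700_000_000  # fixed clock so the run is reproducible
    results = {}
    # 1. The shipped software on install-0001 signs a call: accepted.
    h = ApiServer.sign("install-0001", keys["install-0001"], body, ts=now)
    results["genuine"] = server.verify(h, body, now=now)
    # 2. The same headers captured on the wire and resent: the nonce check rejects it.
    results["replay"] = server.verify(h, body, now=now)
    # 3. A request signed with the key read out of that installation by an admin
    #    on the machine is indistinguishable from the genuine software.
    h2 = ApiServer.sign("install-0001", keys["install-0001"], body, ts=now)
    results["extracted_key"] = server.verify(h2, body, now=now)
    # 4. Without the key, a signature does not verify.
    h3 = ApiServer.sign("install-0001", b"wrong-key", body, ts=now)
    results["wrong_key"] = server.verify(h3, body, now=now)
    # 5. A request with an old timestamp falls outside the window.
    h4 = ApiServer.sign("install-0001", keys["install-0001"], body, ts=now - 3600)
    results["stale"] = server.verify(h4, body, now=now)
    # 6. Once abuse is noticed, revoking install-0001 cuts it off while
    #    install-0002 keeps working: the compromise is contained, not prevented.
    server.revoke("install-0001")
    h5 = ApiServer.sign("install-0001", keys["install-0001"], body, ts=now)
    results["after_revoke"] = server.verify(h5, body, now=now)
    h6 = ApiServer.sign("install-0002", keys["install-0002"], body, ts=now)
    results["other_install"] = server.verify(h6, body, now=now)
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:>14}: {outcome}")
```

The result to take from the run is step 3: the server has no signal separating the genuine client from a client holding the extracted key, which is the answer's "you cannot". Steps 2, 4, 5 and 6 are the things that remain worth doing: they bound replay, forgery without the key, and the blast radius of a single compromised machine.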


