
I'm designing an app (for PC), that is intended to run on users' machines and generate a file with some data. The user will then upload the file to the server, and I want to verify that this file has been produced by my app and hasn't been modified. Can it be done reliably at all?

Things that I have considered:

  • generating a public key on server and sending it to the app (key can be sniffed and used to sign arbitrary data)
  • stream data from the app as it is generated (but still, arbitrary data can be sent)
  • store secret key inside the app and use it to generate unique token (app can be decompiled and key retrieved)

App sources are planned to be open for the user, but in case there is a solution that relies on user not knowing the sources, they can be closed. There is, of course, an option to run everything completely server-side, but we are considering user-side now too.

    Trying to verify *user-supplied* data as genuine is notoriously difficult. Most people abandon this as a requirement. Why do you want this function? – schroeder Feb 01 '21 at 13:12
  • Yes, I understand this, was just trying to ensure that I'm not missing something. Generation of our data may require computational resources and execution of user-supplied *code*, so we thought that performing it on the user side may be easier. But I guess we should build a good server-side sandbox for our purposes. – Peter Trifanov Feb 01 '21 at 13:42

1 Answer

You will need to run it entirely server-side. Client-side security is not a viable option.

There's no way (easy or hard) to control software running on the client's side. Storing keys on the client, no matter how protected, is useless against a dedicated attacker.

Having the user get into an online application hosted on your server is the easiest way: you control the server, you control everything the user can access, and you can verify the data on the server before signing.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
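The server-side flow the answer recommends, as an added example that is not part of the answer or the original poster's project: the client only submits a job request, the server produces the data, validates it against a schema, and attaches an HMAC-SHA256 tag computed with a key that never leaves the server; a later upload is accepted only if its tag still matches the data it carries. The job format, the result schema, the `compute_result` stand-in and every function name are assumptions for illustration.

```python
# Added example (not from the answer or the original poster): the server-side
# "verify, then sign" flow. The client never holds the key, so it cannot tag
# arbitrary data; the server signs only results it produced and validated.
import hashlib
import hmac
import json
import secrets

# Assumption: one secret held only by the server (in practice loaded from a
# KMS or environment variable, never embedded in a client binary).
SERVER_KEY = secrets.token_bytes(32)

# Assumed result schema: field name -> required Python type.
RESULT_SCHEMA = {"job_id": str, "score": int, "items": list}


def canonical(data: dict) -> bytes:
    """Deterministic encoding so identical data always yields the same tag."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def compute_result(job: dict) -> dict:
    """Stand-in for the server-side computation (constructed; the real work
    would run in a sandbox on the server, not on the user's machine)."""
    items = sorted(set(job.get("items", [])))
    return {"job_id": str(job["job_id"]), "score": len(items) * 10, "items": items}


def validate(data: dict) -> bool:
    """Server-side checks that run before anything is signed."""
    if set(data) != set(RESULT_SCHEMA):
        return False
    if not all(isinstance(data[k], t) for k, t in RESULT_SCHEMA.items()):
        return False
    return 0 <= data["score"] <= 1_000_000 and len(data["items"]) <= 1000


def sign_result(data: dict, key: bytes = SERVER_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to data the server has produced and validated."""
    if not validate(data):
        raise ValueError("result failed server-side validation; refusing to sign")
    tag = hmac.new(key, canonical(data), hashlib.sha256).hexdigest()
    return {"data": data, "tag": tag}


def verify_upload(envelope: dict, key: bytes = SERVER_KEY) -> bool:
    """Accept a later upload only if its tag matches the data it carries."""
    try:
        data, tag = envelope["data"], envelope["tag"]
    except (KeyError, TypeError):
        return False
    if not isinstance(data, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical(data), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where the tags differ
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    env = sign_result(compute_result({"job_id": "j1", "items": ["b", "a", "b"]}))
    print("genuine upload accepted:", verify_upload(env))
    forged = {"data": dict(env["data"], score=999_999), "tag": env["tag"]}
    print("tampered upload accepted:", verify_upload(forged))
```

The key point is where the secret lives: because `SERVER_KEY` exists only in the server process, the three client-side options from the question (a key sent to the app, streamed data, a key compiled into the app) all collapse into one server-side decision, and tampering with `data` after signing simply makes `verify_upload` return `False`.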