
We have desktop software that we install and run on remote, unattended machines. The software needs to hit API endpoints on our server. What is the best way to secure those endpoints to ensure that only our software can call them? We may or may not have admin rights to that machine. Others (staff or 3rd party individuals) may have access to that machine at an admin level.

Sen
  • What is the security risk that you are concerned about? – Igliv Apr 21 '21 at 01:47
  • This would be a multi-tenant system, so 1) using the API to affect data they don't own 2) prevent staff or techs from accessing customer data if they are no longer authorized to do so. This leads us to needing "tenant" specific credentials, but no easy way to revoke and replace them en masse if needed. – Sen Apr 21 '21 at 01:50
  • Does this answer your question? Server client verification – multithr3at3d Apr 23 '21 at 03:07
  • @multithr3at3d It certainly has additional information, but it doesn't really answer my question any more than the currently accepted answer by ThoriumBR. – Sen Apr 26 '21 at 16:21

2 Answers

Short answer: you cannot.

Long answer: You want DRM and DRM may or may not work, depending on the adversary.

If a third party has access to the computer where your software is installed, they can disassemble/decompile your software and learn how it works. They can install an intercepting proxy on the computer and analyse all network traffic.

Online game companies have an entire team working on this problem, and there is always someone writing code to cheat on online games.

You can obfuscate your code, write a highly convoluted protocol, employ anti-debugging techniques, all to make it more difficult for someone to analyse your software, but you have no way to ensure that only your software can access the API.

And the bad thing about DRM is that as soon as one user breaks it, it's broken for everyone, because it only takes that user sharing a bypass online and everyone else can do the same bypass.

ThoriumBR

Based on your description in the comment it sounds like the requirement is for a standard enterprise solution multi-tenancy approach.

The common approach is to implement an RBAC (role based access control) layer that would only allow access to specific APIs based on the user's credentials. Each technician has their own user, so when it's revoked their access to the system is revoked.

The access revocation process itself depends on how you implement the user authentication. If it's user+password you can just disable the user. If it's SAML/OIDC based you can revoke the user's token.

Igliv
  • The question that leads me to is "what 'user' does the desktop software run as". It shouldn't be the technician that installed it. It's unattended so there is no "customer user". Based on the responses I think what we might do is allow the tech user to generate credentials for the tenant installation. And do it in a way the tech can't save/reuse what is generated. The tech's ability to make credentials can then be revoked. We still can't en masse revoke and replace the 'installation' ones but will lessen the need to do that. How does that sound? – Sen Apr 21 '21 at 02:03
  • Think of the software as a piece of code that runs various API requests. However those API requests mean nothing if you don't have the right token at hand.

    When a technician needs to use a piece of software on one of the desktops he will authenticate using the tool and create a short lived token to be used with the API request.

    – Igliv Apr 21 '21 at 02:24
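
An added sketch (not from either answer or the question) of the server-side piece this exchange converges on: a technician mints a short-lived, tenant- and installation-bound token, and the server can revoke an individual installation or a technician's right to issue. It goes one step further than the comments in also rejecting tokens that a since-revoked technician issued. The HMAC token format, `TokenService` class and all sample values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"   # constructed; load from a secret store in practice

class TokenService:
    """Hypothetical issuer/verifier for short-lived installation tokens (HMAC-SHA256)."""

    def __init__(self, key=SERVER_KEY, ttl=900):
        self.key, self.ttl = key, ttl
        self.revoked_techs = set()     # technicians who may no longer issue credentials
        self.revoked_installs = set()  # individual installations that are cut off

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, tech, tenant, install, now=None):
        """Technician `tech` mints a token bound to one tenant and one installation."""
        if tech in self.revoked_techs:
            raise PermissionError("technician may not issue credentials")
        now = int(time.time()) if now is None else now
        claims = {"tech": tech, "tenant": tenant, "install": install, "exp": now + self.ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return payload.decode() + "." + self._sign(payload)

    def verify(self, token, tenant, now=None):
        """Return the claims if the token is valid for `tenant`, else None."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, sig = token.split(".")
        except ValueError:                 # malformed token
            return None
        payload = payload_b64.encode()
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                    # tampered or forged
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] <= now:           # short-lived: stale tokens are rejected
            return None
        if claims["tenant"] != tenant:     # tenant isolation: no cross-tenant use
            return None
        if claims["tech"] in self.revoked_techs or claims["install"] in self.revoked_installs:
            return None                    # revocation of issuer or installation
        return claims

    def revoke_technician(self, tech):
        self.revoked_techs.add(tech)

    def revoke_installation(self, install):
        self.revoked_installs.add(install)
```

Rotating `SERVER_KEY` is the blunt "revoke everything" lever the question asks about; everything issued before the rotation stops verifying at once.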