[maemo-developers] How to ensure only HTTP requests from the device can be accepted in a web app?

From: Ian Stirling maemo at mauve.plus.com
Date: Mon Nov 8 14:27:03 EET 2010
Sivan Greenberg wrote:
> Hi list,
> 
>  I'm developing an application that sends very small amounts of data
> over HTTP ReST to an http server, and want to restrict requests to
> those only coming from the device itself (the N900 running
> Maemo/MeeGo). This will be of course complemented with a user login
> and limitation of how many "pings" such a user can do to the server a
> day.
> 
>  What would be the way to achieve this? Has anyone done/tried
> something like this before? (I thought about reading some hardware
> identifier off the device, but then again, how do I make sure an IMEI
> is an RX-51 one?)

Several issues occur.

Firstly - why on earth do you care?
If a user is authenticated, why does it matter if they are breaking any 
agreements they may have made with you to only access content on their n900.

Bearing in mind that the absolute maximum possible deterrence is the
cost of a 'new' n900 on ebay.

The silly hack that comes to mind is to go to the firmware download 
page, and use that as an authenticator, but that would be insane.

Also - as a user, I would be hesitant about giving out my IMEI.
While there are few risks at the moment, open-source GSM platforms are 
becoming available to the hacker community, and the protocol was not 
really designed for security.

I will note that http://www.omniqueue.com/ shows a pleasing sparseness 
of design, that many websites would do well to imitate.

No flash ads, no slow javascript, and at 0 bytes, quick to transfer!