[maemo-developers] How to ensure only HTTP requests from the device can be accepted in a web app?

From: Ian Stirling maemo at mauve.plus.com
Date: Mon Nov 8 15:56:45 EET 2010
Sivan Greenberg wrote:
> On Mon, Nov 8, 2010 at 2:27 PM, Ian Stirling <maemo at mauve.plus.com> wrote:
>> Firstly - why on earth do you care?
>> If a user is authenticated, why does it matter if they are breaking any
>> agreements they may have made with you to only access content on their n900.
> 
> Never post to public list when you are going over your 5 tasks in the
> same time limit. This is perfectly true and holds! Moreover, the
> client for the service would only run on the N900 (well, until I
> develop a desktop version of it). But for all purposes a user account
> would suffice.

Yeah - seems more sane to apply it on a per-user basis, as a filter at 
the server, unless I'm missing something.


>> The silly hack that comes to mind is to go to the firmware download page,
>> and use that as an authenticator, but that would be insane.
> 
> Out of *pure* technical curiosity how would that work? I mean, how can
> I ask tablets-dev to authorize someone when it authorizes it due to
> knowing that IMEI he/she provided is indeed a nokia device?

As simple as going to the firmware download page (with a script), entering 
the IMEI the user supplies, and seeing if it authenticates.

Though not specifically answering that point, I suggest


  http://laforge.gnumonks.org/weblog/gsm/
http://threatpost.com/en_us/blogs/researchers-hijack-cell-phone-data-gsm-locations-042110

Also - you can bar the phone in many instances with only the IMEI, by 
reporting it stolen.

My concern is not so much that you might do something nefarious - but 
that you might screw up, and my IMEI turns up along with my name, 
address, and possibly CC/paypal details on thieftorrent.

There are - as I understand it - limited attacks that are possible using 
the IMEI at the moment.
GSM very much is not designed as a secure protocol, so I wonder, with 
the increasing ease of access, whether that will remain so.

>> Also - as a user, I would be hesitant at giving out my IMEI.
>> While there are few risks at the moment, open-source GSM platforms are
>> becoming available to the hacker community, and the protocol was not really
>> designed for security.
> 
> I never gave thought to this, what would it help in abuse to have your IMEI ?
> 
>> I will note that http://www.omniqueue.com/ shows a pleasing sparseness of
>> design, that many websites would do well to imitate.
> 
> Thanks! I try ;-) Even if it had a design it would most probably be
> very minimalistic on the brink of a text document....
> 
> 
>> No flash ads, no slow javascript, and at 0 bytes, quick to transfer!
>>
> Cellular data consumer kept in mind! :-p
> 
> 
> Cheers,
> 
> -Sivan
> 

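An added illustration of the point made in this reply (not code from the thread or from the omniqueue service): a client-supplied device identifier such as an IMEI cannot act as authentication, because the server has no way to tell who typed the digits, whereas a per-user filter at the server can check a server-issued credential. The header names, the token format and the secret handling below are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets
import time

# Hypothetical per-deployment secret; a real service would load it from
# configuration rather than generate a fresh one on every process start.
SERVER_SECRET = secrets.token_bytes(32)


def imei_gate(headers):
    """'Authentication' by device identifier: accept if X-IMEI looks like
    an IMEI (15 digits). Any client can send any such value, so passing
    this gate says nothing about who sent the request."""
    imei = headers.get("X-IMEI", "")
    return len(imei) == 15 and imei.isdigit()


def issue_token(user, ttl_seconds=3600, now=None):
    """Server-side issuance of a per-user bearer token: 'user:expiry:hmac'.
    Only a holder of SERVER_SECRET can produce a valid signature."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    payload = f"{user}:{expires}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def user_gate(headers, now=None):
    """Per-user filter at the server. Returns the user name when the
    Authorization header carries an unexpired, correctly signed token,
    otherwise None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        user, expires, sig = auth[len("Bearer "):].rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    expected = hmac.new(SERVER_SECRET, f"{user}:{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(expected, sig):
        return None
    return user


if __name__ == "__main__":
    # Constructed sample requests: a forged IMEI header passes the device
    # gate, while only a server-issued token passes the per-user gate.
    print("IMEI gate, forged header:", imei_gate({"X-IMEI": "123456789012345"}))
    token = issue_token("alice", ttl_seconds=60)
    print("user gate, issued token:", user_gate({"Authorization": "Bearer " + token}))
    print("user gate, tampered user:",
          user_gate({"Authorization": "Bearer " + token.replace("alice", "bob")}))
```

The token here is deliberately minimal; the thing to take from it is that the secret stays on the server, so the server, not the client, decides which account a request belongs to.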