One [only?] reliable way to accomplish this is to have a trust-base on the device (TPM, TrustZone, UICC, Secure Element, etc.) that works in conjunction with a backend to assert device's identity, capability, etc.
-Hadi On Fri, Oct 5, 2012 at 12:16 PM, Lucas Palma <[email protected]> wrote: > It's not the connection speed that I said, but the rate that the user > sends information. > And, as you said and I had already stated, it was an idea but not used, > because it can be forged. > > I was thinking if there's a server-side strategy, because almost > everything that come from the client-side can be forged, but if anybody > knows something that can't be forged and identifies the user as mobile > device user, please tell me. > > Regards, > > -- > Lucas Palma > > > > *"If you are patient in one moment of anger, you will escape a hundred > days of sorrow."* > *- Chinese Proverb* > > > > On Fri, Oct 5, 2012 at 4:10 PM, Kristopher Micinski < > [email protected]> wrote: > >> I think that anything will be able to be forged, you can always >> manipulate the connection speed, that's not a reliable indicator. >> >> kris >> >> On Fri, Oct 5, 2012 at 3:08 PM, Lucas Palma <[email protected]> >> wrote: >> > Yes, right. >> > >> > I was thinking that any strategy on the client side could be forged, so >> I >> > started thinking if there's a server-side action that could be used. >> > >> > I thought, for example, at the speed that the user sends information, >> since >> > on desktop the information is typed and then sent faster than on a >> mobile... >> > but this could also be faked on the client side. >> > >> > -- >> > Lucas Palma >> > >> > >> > >> > "If you are patient in one moment of anger, you will escape a hundred >> days >> > of sorrow." >> > - Chinese Proverb >> > >> > >> > >> > On Fri, Oct 5, 2012 at 4:04 PM, Kristopher Micinski < >> [email protected]> >> > wrote: >> >> >> >> I would say that pretty much any strategy is going to be spoofable. >> >> >> >> You're talking from the perspective of the server, correct? >> >> >> >> kris >> >> >> >> On Fri, Oct 5, 2012 at 2:58 PM, Lucas Palma <[email protected]> >> wrote: >> >> > Hi everybody, >> >> > >> >> > There's some way to identify that the user is using a mobile device, >> not >> >> > a >> >> > desktop? >> >> > Like, I have an application, which communicates with a web service, >> but >> >> > anyone could access it through a desktop, and simulates that is >> using a >> >> > mobile device. >> >> > >> >> > I don't think that "user-agents", "css" and things like that will >> help, >> >> > since they can be forged. >> >> > Someone know one or more ways to do the trick? >> >> > There's some way to do it without changing the application? >> >> > >> >> > Thanks in advance! >> >> > >> >> > -- >> >> > Lucas Palma >> >> > >> >> > >> >> > >> >> > "If you are patient in one moment of anger, you will escape a hundred >> >> > days >> >> > of sorrow." >> >> > - Chinese Proverb >> >> > >> >> > -- >> >> > You received this message because you are subscribed to the Google >> >> > Groups >> >> > "Android Security Discussions" group. >> >> > To post to this group, send email to >> >> > [email protected]. >> >> > To unsubscribe from this group, send email to >> >> > [email protected]. >> >> > For more options, visit this group at >> >> > http://groups.google.com/group/android-security-discuss?hl=en. >> > >> > >> > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To post to this group, send email to > [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
