On Fri, Oct 5, 2012 at 3:21 PM, Hadi Nahari <[email protected]> wrote:
> One [only?] reliable way to accomplish this is to have a trust-base on the
> device (TPM, TrustZone, UICC, Secure Element, etc.) that works in
> conjunction with a backend to assert device's identity, capability, etc.
Anti-fraud (for example, RSA Adaptive Authentication) attempts to do
it with contextual information. For example, device fingerprinting, IP
addresses, and past banking history.

There's more context information available from the carrier, but I've
never seen anyone successfully use it (for example, power analysis in
the spectrum). In this case, it allows carriers to detect cloned
handsets. Ditto for handset authentication to the network.

Jeff

> On Fri, Oct 5, 2012 at 12:16 PM, Lucas Palma <[email protected]> wrote:
>>
>> It's not the connection speed that I said, but the rate that the user
>> sends information.
>> And, as you said and I had already stated, it was an idea but not used,
>> because it can be forged.
>>
>> I was thinking if there's a server-side strategy, because almost
>> everything that comes from the client side can be forged, but if anybody
>> knows something that can't be forged and identifies the user as a mobile
>> device user, please tell me.
>>
>> Regards,
>>
>> --
>> Lucas Palma
>>
>> On Fri, Oct 5, 2012 at 4:10 PM, Kristopher Micinski <[email protected]> wrote:
>>>
>>> I think that anything will be able to be forged, you can always
>>> manipulate the connection speed, that's not a reliable indicator.
>>>
>>> kris
>>>
>>> On Fri, Oct 5, 2012 at 3:08 PM, Lucas Palma <[email protected]> wrote:
>>> > Yes, right.
>>> >
>>> > I was thinking that any strategy on the client side could be forged, so I
>>> > started thinking if there's a server-side action that could be used.
>>> >
>>> > I thought, for example, of the speed that the user sends information, since
>>> > on desktop the information is typed and then sent faster than on a mobile...
>>> > but this could also be faked on the client side.
>>> >
>>> > --
>>> > Lucas Palma
>>> >
>>> > On Fri, Oct 5, 2012 at 4:04 PM, Kristopher Micinski <[email protected]> wrote:
>>> >>
>>> >> I would say that pretty much any strategy is going to be spoofable.
>>> >>
>>> >> You're talking from the perspective of the server, correct?
>>> >>
>>> >> kris
>>> >>
>>> >> On Fri, Oct 5, 2012 at 2:58 PM, Lucas Palma <[email protected]> wrote:
>>> >> > Hi everybody,
>>> >> >
>>> >> > Is there some way to identify that the user is using a mobile device, not a
>>> >> > desktop?
>>> >> > Like, I have an application, which communicates with a web service, but
>>> >> > anyone could access it through a desktop, and simulate that they are using a
>>> >> > mobile device.
>>> >> >
>>> >> > I don't think that "user-agents", "css" and things like that will help,
>>> >> > since they can be forged.
>>> >> > Does someone know one or more ways to do the trick?
>>> >> > Is there some way to do it without changing the application?
>>> >> >
>>> >> > Thanks in advance!
>>> >> >
>>> >> > --
>>> >> > Lucas Palma
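
An added example, not part of the original thread or any poster's code: the device trust-base working with a backend, as described in the first quoted reply, sketched as a server-issued nonce answered with a keyed MAC. The HMAC key stands in for a secret held inside a TPM or Secure Element (an assumption; real attestation schemes typically use asymmetric keys), and `ENROLLED`, `issue_challenge`, `device_respond` and `verify_response` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

# Constructed enrollment record: device id -> secret provisioned into the
# device's trust base (assumption: it never leaves that hardware).
ENROLLED = {"device-001": hashlib.sha256(b"constructed demo key").digest()}
NONCE_TTL = 30   # seconds a challenge stays valid
PENDING = {}     # nonce -> (device_id, expiry time)


def issue_challenge(device_id, now=None):
    """Server: hand out a fresh, single-use nonce bound to one device id."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    PENDING[nonce] = (device_id, now + NONCE_TTL)
    return nonce


def device_respond(key, device_id, nonce, claims):
    """Device trust base (simulated): MAC the nonce and the claims it asserts."""
    msg = "\n".join([device_id, nonce, claims]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_response(device_id, nonce, claims, tag, now=None):
    """Server: accept only a fresh nonce answered with the enrolled key."""
    now = time.time() if now is None else now
    issued = PENDING.pop(nonce, None)  # pop makes every nonce single-use
    if issued is None or issued[0] != device_id or now > issued[1]:
        return False
    key = ENROLLED.get(device_id)
    if key is None:
        return False
    expected = device_respond(key, device_id, nonce, claims)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    n = issue_challenge("device-001")
    good = device_respond(ENROLLED["device-001"], "device-001", n, "form=mobile")
    print("enrolled device:", verify_response("device-001", n, "form=mobile", good))
    n = issue_challenge("device-001")
    forged = device_respond(b"\x00" * 32, "device-001", n, "form=mobile")
    print("client without the key:", verify_response("device-001", n, "form=mobile", forged))
```

The server trusts the `claims` string only because it is covered by the MAC; a user-agent or timing value sent outside that MAC carries no such guarantee.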
