1

I'm building a GUI desktop application that will communicate with an API (HTTP) on a web server.

On the client side I have a GUI desktop application and a GSM modem (hardware). The GUI desktop application will make requests to the API on the web server and will get the SMSs to send.

My question is how I can design the application so that the clients don't cheat by sending requests to the API on the web server saying that the message is sent. Does anyone have any ideas on how to solve this problem? The GSM modem that sends the SMSs is in an untrusted client. Any ideas on how to protect an API dealing with this kind of environment? I've been reading about proof-of-work; can this approach help to solve my problem?

Best Regards

André

1 Answer

2

You can't. This is not solvable. The user controls the client, so the user can always arrange to claim that the message was sent without actually sending it.

If you want to verify that the client did not cheat, you'll need some separate way to verify that the SMS was sent. Maybe you can check with the recipient whether the SMS was actually received. Maybe you can have the recipient give a secret "receipt code" to the client when the recipient receives the SMS, and the client can show you that receipt code to demonstrate that the recipient acknowledged receipt. Maybe you can audit clients (check 1% or 10% of the SMSs that they claim to have sent, to see if they were actually received), and if you detect that a client cheated, blacklist them (and maybe even penalize them somehow, such as keeping a security deposit that they were required to provide in advance).

Anyway, you cannot prevent the client from cheating and lying to you. It's just not a solvable problem. Proof of work does not solve this problem.

P.S. In the future, this kind of question would be a better fit to Security.stackexchange.com. It's not that you've done anything wrong by asking here -- it is certainly permissible to ask here -- but you might get more detailed and quicker responses over there, since that's what they specialize in.

D.W.
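The auditing idea from the answer above, sketched as an added example (not code from the original post): the server chooses which claimed sends to check using a keyed HMAC over the message id, so the client cannot predict which ones will be audited. The key, the ids and the function names are assumptions, and how the recipient confirms receipt is left as an out-of-band step.

```python
import hashlib
import hmac

# Assumption: a server-only key; clients never see it, so they cannot predict audits.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
AUDIT_RATE = 0.10  # the answer suggests checking 1% or 10% of claimed sends


def is_audited(message_id: str, key: bytes = AUDIT_KEY, rate: float = AUDIT_RATE) -> bool:
    """Keyed, deterministic sampling: HMAC(message_id) mapped to [0, 1), compared to rate."""
    digest = hmac.new(key, message_id.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 < rate


def detection_probability(fake_claims: int, rate: float = AUDIT_RATE) -> float:
    """Chance that at least one of `fake_claims` false 'sent' reports gets audited."""
    return 1.0 - (1.0 - rate) ** fake_claims


def run_audit(claims, recipient_confirmed, key=AUDIT_KEY, rate=AUDIT_RATE):
    """claims: iterable of (client_id, message_id) pairs reported as sent.
    recipient_confirmed: message ids the recipient confirmed out of band.
    Returns the set of client ids to blacklist."""
    blacklist = set()
    for client_id, message_id in claims:
        # Only sampled claims are checked; one unconfirmed sample is enough to blacklist.
        if is_audited(message_id, key, rate) and message_id not in recipient_confirmed:
            blacklist.add(client_id)
    return blacklist


if __name__ == "__main__":
    # Constructed sample data: "honest" sends everything, "cheater" sends nothing.
    claims = [("honest", f"h-{i}") for i in range(200)]
    claims += [("cheater", f"c-{i}") for i in range(200)]
    confirmed = {f"h-{i}" for i in range(200)}
    print("blacklisted:", run_audit(claims, confirmed))
    print("P(detect) for 22 fake claims at 10%:", round(detection_probability(22), 4))
```

Auditing does not stop a single false report; it makes sustained cheating very likely to be caught, which is why the answer pairs it with blacklisting and a deposit.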