I am designing the application in Flex that connects to some web services to perform some financial transactions. Web services are secured using https protocol and are asking for user token created at login on each request. This is used to authenticate and authorize the user. So far so good.
The trick part is that not all of our web services are coarsely grained. To give you an example, we can have two web service methods: EnoughFounds and Transfer. So, only after the method EnoughFounds replies “true” will I execute Transfer. This logic is programmed inside the Flex application code.
The scenario I am presented is the following: What if someone downloads the application and decompiles it. Than modifies the code so the step EnougFunds is not executed. Or maybe writes a completely new client maybe in even other technology that will execute Transfer without passing through EnoughFunds step. On executing Transfer, user will be authorized and authenticated on the server; but since he is using his real credentials, he will be able to execute the Transfer. The check that he skipped belongs to business logic and not security domain. I need somehow to make sure that the code that is executing the application is unmodified Flex code that I wrote and user downloaded. How can I do that? I know I can rewrite services so that the sequence is executed on the server, but that implies significant effort and I am looking for some other kind of solution.
It seems to me that there must be some security mechanisms that would resolve this particular problem.
Please note that I am not looking for advice on best practices. My requirement is not to change anything on the server-side. How can I secure the sequence on protocol level, without changing services?
This is a big mistake. Any business rules important enough to matter must be checked in the service. It must be the case that, no matter what the client does, the service never lets anything bad happen.
In particular, it makes sense to have an EnoughFunds operation because if EnoughFunds returns false, you can tell the user that he doesn't have enough funds. However, the Transfer operation must check to see if there are enough funds, and not depend on the client for such an important check.