Welcome!
This is the community forum for my apps Pythonista and Editorial.
Reliably determine whether a user is in Pythonista
-
For pythonista.cloud, I'm building a webservice. To prevent abuse of this service, I'd like to have a system by which upload requests can only be sent from people using paid copies of the Pythonista app. (Downloads would still be globally available.) I'd like a secure identifier that goes with Pythonista that cannot be easily faked from another device.
Is there something built into all iOS apps, perhaps, like a unique identifier for each copy of the app, that is accessible from the file system and checkable against a public database?
The one idea I had was to read 100 or so characters of the PythonistaKit file and send that in the header of the request.
Does anybody have any ideas?
-
That's not really possible. Anything you could send as a "secret" could easily be faked by looking at the network traffic or your source code...
The one idea I had was to read 100 or so characters of the PythonistaKit file and send that in the header of the request.
Don't do that, it would break with every new beta.
Even if it would be possible to be completely sure that a user is in Pythonista, what is that information actually good for? It tells you nothing about how trustworthy someone is. I'd recommend having some kind of process for generating API keys or something like that. If you notice abuse, you could blacklist the API key that was used...
-
With restrictions like these you won't make yourself any friends - honest and well-meaning users won't be able to use your service because they don't have Pythonista (or because the validation is broken), and evil people will still find a way around your protection, like with any kind of DRM (which this really sounds like).
The Pythonista community - with the exception of the Pythonista app itself - works on the basis of sharing code free for anyone to access, use and modify. Even the parts of Pythonista written in Python are available to anyone who owns the app. Ole is even fine with us using the "private" app internals with objc_util and such. It would be a shame if we started putting arbitrary restrictions on our software for no particular reason.
If you want to protect your service from abuse, then you should add some kind of registration process or request limit. Not by requiring that people should own an app.
-
@omz @dgelessus Okay. I was just looking for a way to prevent random people from using the service to upload images from their computers that weren't related to Pythonista. It was just because I'm paying for the web server which has limited space. I'll work around this, though. I can probably use a server script to prevent uploading projects that contain no Python.
-
For now, I'll just have the Pythonista uploader set {"User-Agent":"Pythonista"} in the headers. This will provide a (weak) defense against most bots and browsers.
-
I'm not commenting on the ethics or practicality or anything else, just curious about a technical solution.
It would require @omz's cooperation...
I'm thinking about advertiser IDs? If @omz maintained a list of all the advertiser IDs with installs of his app and provided them privately. These can be changed (refreshed) in settings, but maybe Pythonista could update the list during first-runs of an update, in combination with a web-form (perhaps for forum.oz-software registration?) for case-by-case requests for edge cases. Also encrypt the strings with a private key. Thoughts?
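
The approach recommended in the replies above (per-user API keys that can be blacklisted, combined with a request limit), shown as an added example that is not part of the original thread or of pythonista.cloud. The `UploadGate` class, the `X-Api-Key` header name and the limits are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class UploadGate:
    """Per-user API keys with revocation and a sliding-window upload limit."""

    def __init__(self, max_requests=5, window_seconds=60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self._keys = {}       # key_id -> SHA-256 digest of the secret part
        self._revoked = set() # key_ids blacklisted after abuse
        self._recent = {}     # key_id -> timestamps of accepted uploads

    def issue_key(self):
        """Called at registration; only a digest of the secret is stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = hashlib.sha256(secret.encode()).digest()
        return f"{key_id}.{secret}"

    def revoke(self, api_key):
        self._revoked.add(api_key.split(".", 1)[0])

    def check(self, headers, now=None):
        """Return (allowed, reason) for the headers of an upload request."""
        now = time.monotonic() if now is None else now
        # "X-Api-Key" is a hypothetical header name chosen for this example.
        key_id, _, secret = headers.get("X-Api-Key", "").partition(".")
        stored = self._keys.get(key_id)
        presented = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison, performed even when the key id is unknown.
        if not hmac.compare_digest(presented, stored or bytes(32)) or stored is None:
            return False, "invalid key"
        if key_id in self._revoked:
            return False, "revoked"
        hits = [t for t in self._recent.get(key_id, []) if now - t < self.window]
        if len(hits) >= self.max_requests:
            self._recent[key_id] = hits
            return False, "rate limited"
        self._recent[key_id] = hits + [now]
        return True, "ok"

if __name__ == "__main__":
    gate = UploadGate(max_requests=2)
    key = gate.issue_key()
    # A copied User-Agent header carries no secret, so it is refused.
    print(gate.check({"User-Agent": "Pythonista"}))
    print(gate.check({"User-Agent": "Pythonista", "X-Api-Key": key}))
```

Unlike a fixed header value, each key identifies one registered user, so abuse can be answered by revoking that key without affecting anyone else.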