(keitai-l) Re: iappli download for emulator without docomo email address

From: Nik Frengle <eseller_at_eimode.com>
Date: 07/14/01
Message-ID: <000d01c10c62$426c32c0$0200a8c0@Sonet1>
One of the problems with using an IP address as a security measure on i-mode
is that for each request an i-mode phone sends, the IP address is different,
albeit from the same server. I discovered this when I attempted to use the
PHP 4.0 sessions feature with IP verification, though I would have
discovered it earlier if I had checked. So, what I did was to only check the
first three fields in the IP address, which should nonetheless have come
from one of the two i-mode server IP addresses that DoCoMo has listed.
Still, it is not very secure. The main problem is that allocating a new IP
number to an i-mode phone every time they send a request is insecure. For
newer phones, each request can have the utn attribute, which sends a phone's
serial number along with the other user-agent information, but this doesn't
work on the majority of i-mode phones, meaning those in the 501, 502, or 209
series.  And on the ones that do support it, it annoyingly asks a user every
time this is sent, which wouldn't work if you used this in place of a
session id. So, what to do? Become an official DoCoMo site, since then you
would get this information in each and every request.
This is from the approach of keeping people out who you don't want in. If
you AREN'T an official i-mode site, why not let everyone in? You won't be
part of the official i-mode payment system anyway, so why not make your site
accessible to everyone? Most of the sites on the lists of official providers,
I found, didn't actually check IP addresses of requests. But of course if
you want something in their subscription menu they do check. Kyle's
excellent i-mimic sends the correct P209is user agent, so using that I was
able to connect to pretty much all of the sites except Citibank's. Since I
am a user of their service, I was pretty happy to see that they were
checking IPs, but for the majority of applications, which do not involve
money or personal information, I wonder how necessary this is...apparently
most providers don't feel it necessary.
-Another Nik
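To make the trade-off in the post concrete, here is an added example (not from the original mail or from any i-mode code) that compares an exact-IP session check with the "first three fields" check described above. The gateway ranges are constructed placeholders, not DoCoMo's real addresses.

```python
import ipaddress

# Constructed placeholder blocks standing in for the DoCoMo gateway
# addresses the post refers to; the real list comes from DoCoMo's docs.
IMODE_GATEWAYS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def same_first_three_fields(ip_a, ip_b):
    """The post's heuristic: compare only the first three dotted fields."""
    return ip_a.split(".")[:3] == ip_b.split(".")[:3]


def from_imode_gateway(ip):
    """True if ip lies inside one of the listed gateway blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IMODE_GATEWAYS)


def session_ip_ok(session_ip, request_ip, strict=False):
    """Bind a session to a client address.

    strict=True is the exact match PHP-style IP verification does; it breaks
    on i-mode because the gateway address differs on every request.
    strict=False is the coarser /24 match the post settled on, which still
    requires the address to come from a listed gateway block.
    """
    if strict:
        return session_ip == request_ip
    return (same_first_three_fields(session_ip, request_ip)
            and from_imode_gateway(request_ip))


def replay_session(first_ip, later_ips, strict=False):
    """Evaluate each follow-up request against the IP seen at session start."""
    return [session_ip_ok(first_ip, ip, strict) for ip in later_ips]
</test>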

----- Original Message -----
From: "Nick May" <nick@kyushu.com>
To: <keitai-l@appelsiini.net>
Sent: Saturday, July 14, 2001 3:56 AM
Subject: (keitai-l) Re: iappli download for emulator without docomo email address


>
> >> > so in those cases only, do a reverse dns lookup to see if it resolves
> >> > to docomo, THEN auto update the list of permitted IP's from which
> >> > requests will be accepted....
> >> >
>
> keitai-l@appelsiini.net writes:
> >Does anyone know if this is commonly being done?  If so, faking the headers
> >won't do
> >any good, unless....maybe browsing from the NTT Docomo network
>
> I am fairly sure it is not commonly done - but I sure as hell will be
> doing it as soon as I can code it up...
>
> Nick
>
>


[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Sat Jul 14 15:25:27 2001