Possible to restrict WiFi so only one app (apple or google) can run?

Posted on 2013-12-11
Last Modified: 2013-12-13
Hello Experts - I'm trying to determine if its possible to setup a wireless LAN so that only one app from the google and apple app stores will run.  The goal is to setup a wireless network for our customers to use that will let them download and run our app but nothing else.  Possible?  If so how would it be accomplished?
Question by:First Last
  • 3
  • 3
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39713091
I recommend you become familiar with the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1).  Wireless technology is primarily addressed in Layer 1 (physical) and Layer 2 (Data Link)

OSI Model (Relevant to WiFi)
The restrictions your requesting reside in Layer 7 (Application) of the ISO model.  This means that you cannot address it at lower layers.  In other words, you'd need to develop/utilize a Layer 7 application which essentially acts as a software firewall/policy enforcement program-- restricting communication/execution based on the executable name and/or download location.

The Windows Firewall, for example, has the capability to restrict network communication based on the executable name.  It's conceivable you could develop a stronger "application authentication" mechanism, based on SHA256 hash or digital signature, etc. of the preapproved application(s).  This is known as a "white list".

Additionally, consider placing a Layer 7 application proxy between your WiFi access point and the Internet.  This application proxy could restrict URIs (only direct access to the app in the relevant stores permitted, etc.)

It would be an undertaking, though definitely possible.  Bear in mind if its too restrictive it could be considered malware.

All that being said, if this is for Android/Apple devices, you may not have access to lock these devices down in this manner, without them being rooted, etc.

Author Comment

by:First Last
ID: 39714065
Thank you for the detailed explanation!  Unfortunately this will be for the general public to use and obviously I won't have access to their devices ahead of time.  I'm curious about the "Layer 7 proxy" device and how that might work.  I called both google and apple this morning, both companies said what I want to do isn't possible because the app and play stores both use the same ip/ports for all apps.  How could a firewall distinguish between the different apps in order to allow one but block another?  Also, can you recommend a specific proxy?  I'm not too familiar with the offerings in that category.  Thanks again for the info!
LVL 15

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39714270
What apple and google told you was correct in terms of a typical Layer 2 or Layer 3 firewall.  Generally, whenever IT refers to a "firewall" they are referencing this type of firewall.  A typical firewall operating on these layers only has access to restrict ports, protocols, IP addresses, etc. as they have no visibility into the higher layers.

Now an application (Layer 7) proxy/firewall can achieve what you're intending, and definitely would be the way to go in your scenario.

A free proxy worth considering is Squid with the squidGuard plug-in.

Blocking urls
In order to block a single url enter this url in the urls file in the category in question:

Open in new window

Blocking access below a certain path
Sometimes you want to block everything located beneath a certain path in the URL but leave anything else open for access. Lets assume that your users shall not access documents beneath like In this case your entry to the urls file will look like:

Open in new window


In your situation you'll reverse the process.  That is to say, you'll block everything and only permit specific URLs or paths.  This is white listing as opposed to black listing.

There is another layer of complexity to consider, and that would be HTTPS communication to approved locations.  This requires configuring SSL Bump.  This allows squid to create a secure connection between itself and connected mobile devices, and a separate secure connection to the app store(s) on the users behalf.

This is considered a "man-in-the-middle attack" from a network security point of view, as any credentials, personal identifying information, and financial details transmitted back and forth between the app store(s) and the end user devices could easily be intercepted and logged by the proxy.  Another caveat here is the certificate presented to the mobile device will be inherently untrusted.  So the mobile user would need to confirm the security exception, before being able to browse to authorized locations.

At the end of the day, it's completely possible to achieve your intended result without touching the mobile device.  You may want to customize your "access denied" page to redirect to a landing page you host, which allows the customer to go to one store or the other.  This page could auto-detect the mobile user-agent and redirect automatically based on the mobile device used as well.
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.


Author Comment

by:First Last
ID: 39714969
Its taking me some time to absorb all this and I wanted to thank you again for such an excellent post.  I'll go through this in detail and see if its something I can handle.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39715501
In which City/State is the store located?  Do you have an implementation budget?  :-)

Author Comment

by:First Last
ID: 39716635
No budget unfortunately, doing it on the cheap!  :)

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VLAN Question 13 61
Opening Ports for Specific LAN IP Address on Juniper SRX240 3 54
CISCO ASA 5505 double Wan 8 37
Ping in Fortigate 2 39
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question