

Possible to restrict WiFi so only one app (Apple or Google) can run?

Posted on 2013-12-11
Medium Priority
Last Modified: 2013-12-13
Hello Experts - I'm trying to determine if it's possible to set up a wireless LAN so that only one app from the Google and Apple app stores will run.  The goal is to set up a wireless network for our customers to use that will let them download and run our app but nothing else.  Possible?  If so how would it be accomplished?
Question by:First Last
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39713091
I recommend you become familiar with the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1).  Wireless technology is primarily addressed in Layer 1 (Physical) and Layer 2 (Data Link).

OSI Model (Relevant to WiFi)
The restrictions you're requesting reside in Layer 7 (Application) of the ISO model.  This means that you cannot address it at lower layers.  In other words, you'd need to develop/utilize a Layer 7 application which essentially acts as a software firewall/policy enforcement program, restricting communication/execution based on the executable name and/or download location.

The Windows Firewall, for example, has the capability to restrict network communication based on the executable name.  It's conceivable you could develop a stronger "application authentication" mechanism, based on SHA256 hash or digital signature, etc. of the preapproved application(s).  This is known as a "white list".

Additionally, consider placing a Layer 7 application proxy between your WiFi access point and the Internet.  This application proxy could restrict URIs (only direct access to the app in the relevant stores permitted, etc.)

It would be an undertaking, though definitely possible.  Bear in mind if it's too restrictive it could be considered malware.

All that being said, if this is for Android/Apple devices, you may not have access to lock these devices down in this manner, without them being rooted, etc.

Author Comment

by:First Last
ID: 39714065
Thank you for the detailed explanation!  Unfortunately this will be for the general public to use and obviously I won't have access to their devices ahead of time.  I'm curious about the "Layer 7 proxy" device and how that might work.  I called both Google and Apple this morning; both companies said what I want to do isn't possible because the App Store and Play Store both use the same IP/ports for all apps.  How could a firewall distinguish between the different apps in order to allow one but block another?  Also, can you recommend a specific proxy?  I'm not too familiar with the offerings in that category.  Thanks again for the info!
LVL 15

Accepted Solution

Giovanni Heward earned 2000 total points
ID: 39714270
What Apple and Google told you was correct in terms of a typical Layer 2 or Layer 3 firewall.  Generally, whenever IT refers to a "firewall" they are referencing this type of firewall.  A typical firewall operating on these layers only has access to restrict ports, protocols, IP addresses, etc. as they have no visibility into the higher layers.

Now an application (Layer 7) proxy/firewall can achieve what you're intending, and definitely would be the way to go in your scenario.

A free proxy worth considering is Squid with the squidGuard plug-in.

Blocking urls
In order to block a single url enter this url in the urls file in the category in question:


Blocking access below a certain path
Sometimes you want to block everything located beneath a certain path in the URL but leave anything else open for access. Let's assume that your users shall not access documents beneath http://www.example.com/foo/bar like http://www.example.com/foo/bar/test.html. In this case your entry to the urls file will look like:


Ref: http://www.squidguard.org/Doc/aboutblocking.html

In your situation you'll reverse the process.  That is to say, you'll block everything and only permit specific URLs or paths.  This is white listing as opposed to black listing.

There is another layer of complexity to consider, and that would be HTTPS communication to approved locations.  This requires configuring SSL Bump.  This allows Squid to create a secure connection between itself and connected mobile devices, and a separate secure connection to the app store(s) on the user's behalf.

This is considered a "man-in-the-middle attack" from a network security point of view, as any credentials, personal identifying information, and financial details transmitted back and forth between the app store(s) and the end user devices could easily be intercepted and logged by the proxy.  Another caveat here is the certificate presented to the mobile device will be inherently untrusted.  So the mobile user would need to confirm the security exception, before being able to browse to authorized locations.

At the end of the day, it's completely possible to achieve your intended result without touching the mobile device.  You may want to customize your "access denied" page to redirect to a landing page you host, which allows the customer to go to one store or the other.  This page could auto-detect the mobile user-agent and redirect automatically based on the mobile device used as well.
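
A simplified model of the default-deny allowlist decision described in the answer above, added here as an illustration (it is not part of the original post and is not squidGuard's own code). The hosts, paths and the `decide` function are constructed placeholders; the CONNECT branch shows why path-level rules cannot be applied to HTTPS unless the proxy decrypts the traffic.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hosts and paths, not real store URLs.
ALLOWED_DOMAINS = {"portal.example.com"}            # whole host (and subdomains)
ALLOWED_URLS = {"store.example.com/apps/our-app"}   # host + path prefix only


def _domain_allowed(host):
    """True if host equals, or is a subdomain of, an allowed domain."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def _url_allowed(host, path):
    """True if host matches and path is the listed path or lies beneath it."""
    for entry in ALLOWED_URLS:
        e_host, _, e_path = entry.partition("/")
        e_path = "/" + e_path.rstrip("/")
        # Require a '/' boundary so '/apps/our-app-evil' does not match.
        if host == e_host and (path == e_path or path.startswith(e_path + "/")):
            return True
    return False


def decide(method, target):
    """Return 'pass' or 'deny' for one proxy request; unlisted means deny."""
    if method == "CONNECT":
        # HTTPS tunnel without SSL Bump: the proxy sees only host:port,
        # so only whole-domain entries can be evaluated, never a path.
        host = target.rsplit(":", 1)[0].lower()
        return "pass" if _domain_allowed(host) else "deny"
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    if _domain_allowed(host) or _url_allowed(host, path):
        return "pass"
    return "deny"


if __name__ == "__main__":
    for req in [("GET", "http://store.example.com/apps/our-app/download"),
                ("GET", "http://store.example.com/apps/other-app"),
                ("CONNECT", "store.example.com:443"),
                ("CONNECT", "portal.example.com:443")]:
        print(req, "->", decide(*req))
```
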

Author Comment

by:First Last
ID: 39714969
It's taking me some time to absorb all this and I wanted to thank you again for such an excellent post.  I'll go through this in detail and see if it's something I can handle.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39715501
In which City/State is the store located?  Do you have an implementation budget?  :-)

Author Comment

by:First Last
ID: 39716635
No budget unfortunately, doing it on the cheap!  :)

Question has a verified solution.