Possible to restrict WiFi so only one app (apple or google) can run?

Posted on 2013-12-11
Last Modified: 2013-12-13
Hello Experts - I'm trying to determine if its possible to setup a wireless LAN so that only one app from the google and apple app stores will run.  The goal is to setup a wireless network for our customers to use that will let them download and run our app but nothing else.  Possible?  If so how would it be accomplished?
Question by:First Last
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39713091
I recommend you become familiar with the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1).  Wireless technology is primarily addressed in Layer 1 (Physical) and Layer 2 (Data Link).

OSI Model (Relevant to WiFi)
The restrictions you're requesting reside in Layer 7 (Application) of the ISO model.  This means that you cannot address it at lower layers.  In other words, you'd need to develop/utilize a Layer 7 application which essentially acts as a software firewall/policy enforcement program -- restricting communication/execution based on the executable name and/or download location.

The Windows Firewall, for example, has the capability to restrict network communication based on the executable name.  It's conceivable you could develop a stronger "application authentication" mechanism, based on SHA256 hash or digital signature, etc. of the preapproved application(s).  This is known as a "white list".

Additionally, consider placing a Layer 7 application proxy between your WiFi access point and the Internet.  This application proxy could restrict URIs (only direct access to the app in the relevant stores permitted, etc.)

It would be an undertaking, though definitely possible.  Bear in mind if it's too restrictive it could be considered malware.

All that being said, if this is for Android/Apple devices, you may not have access to lock these devices down in this manner, without them being rooted, etc.

Author Comment

by:First Last
ID: 39714065
Thank you for the detailed explanation!  Unfortunately this will be for the general public to use and obviously I won't have access to their devices ahead of time.  I'm curious about the "Layer 7 proxy" device and how that might work.  I called both Google and Apple this morning; both companies said what I want to do isn't possible because the App and Play stores both use the same IP/ports for all apps.  How could a firewall distinguish between the different apps in order to allow one but block another?  Also, can you recommend a specific proxy?  I'm not too familiar with the offerings in that category.  Thanks again for the info!
LVL 15

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39714270
What Apple and Google told you was correct in terms of a typical Layer 2 or Layer 3 firewall.  Generally, whenever IT refers to a "firewall" they are referencing this type of firewall.  A typical firewall operating on these layers only has access to restrict ports, protocols, IP addresses, etc., as they have no visibility into the higher layers.

Now an application (Layer 7) proxy/firewall can achieve what you're intending, and definitely would be the way to go in your scenario.

A free proxy worth considering is Squid with the squidGuard plug-in.

Blocking URLs
In order to block a single URL, enter this URL in the urls file in the category in question:

Blocking access below a certain path
Sometimes you want to block everything located beneath a certain path in the URL but leave anything else open for access. Let's assume that your users shall not access documents beneath like In this case your entry to the urls file will look like:


In your situation you'll reverse the process.  That is to say, you'll block everything and only permit specific URLs or paths.  This is white listing as opposed to black listing.

There is another layer of complexity to consider, and that would be HTTPS communication to approved locations.  This requires configuring SSL Bump.  This allows Squid to create a secure connection between itself and connected mobile devices, and a separate secure connection to the app store(s) on the users' behalf.

This is considered a "man-in-the-middle attack" from a network security point of view, as any credentials, personal identifying information, and financial details transmitted back and forth between the app store(s) and the end user devices could easily be intercepted and logged by the proxy.  Another caveat here is the certificate presented to the mobile device will be inherently untrusted.  So the mobile user would need to confirm the security exception, before being able to browse to authorized locations.

At the end of the day, it's completely possible to achieve your intended result without touching the mobile device.  You may want to customize your "access denied" page to redirect to a landing page you host, which allows the customer to go to one store or the other.  This page could auto-detect the mobile user-agent and redirect automatically based on the mobile device used as well.
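As an added example (not from the original thread), this is the allowlist setup the accepted solution describes: squidGuard makes the allow/deny decision and Squid hands every request to it. The database paths, guest subnet, landing page and store hostnames are placeholders I chose, not values from the page or the real store endpoints.

```conf
# /etc/squidGuard/squidGuard.conf -- allowlist mode: permit one category, deny the rest.
# dbhome/logdir are placeholders; adjust to your distribution's layout.
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# One destination group holding only the approved store hosts and paths.
# approved-store/domains lists one host per line (placeholder: store-host.example).
# approved-store/urls lists host/path prefixes (placeholder: store-host.example/apps/ourapp).
dest approved-store {
    domainlist approved-store/domains
    urllist    approved-store/urls
}

acl {
    default {
        # "pass approved-store none": allow the category, then deny everything else.
        # Order matters: "none" must come last, or nothing is ever permitted.
        pass approved-store none
        # Denied requests land on a page you host; make it link to both stores.
        # landing.example is a placeholder.
        redirect http://landing.example/denied.html
    }
}

# /etc/squid/squid.conf -- only the lines relevant to this setup.
# guestwifi subnet is a placeholder for the customer WLAN.
acl guestwifi src 192.168.50.0/24
http_access allow guestwifi
http_access deny all

# Every URL goes through squidGuard for the decision configured above.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidGuard/squidGuard.conf
url_rewrite_children 8

# Plain HTTP is filtered as-is. HTTPS stays opaque to the rewriter until SSL Bump
# terminates TLS at the proxy (Squid 3.5+ syntax, shown commented out):
# http_port 3128 ssl-bump cert=/etc/squid/proxy-ca.pem generate-host-certificates=on
# ssl_bump bump all
# Client devices do not trust proxy-ca.pem, so users see the certificate warning
# the answer above mentions before any approved HTTPS location loads.
http_port 3128
```

After editing the domain and url lists, run `squidGuard -C all` to rebuild the database files and reload Squid so the new lists take effect.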

Author Comment

by:First Last
ID: 39714969
It's taking me some time to absorb all this and I wanted to thank you again for such an excellent post.  I'll go through this in detail and see if it's something I can handle.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39715501
In which City/State is the store located?  Do you have an implementation budget?  :-)

Author Comment

by:First Last
ID: 39716635
No budget unfortunately, doing it on the cheap!  :)
