Many software applications execute on client devices (such as a computer, a smart phone, or a television set top box), and rely on data that is stored on a remote server. The client device communicates with the remote server to retrieve the data it needs. In some cases, the data stored at the remote server is inherently valuable, possible because of the expense in collecting or developing the database. For example, the database maintained by GOOGLE MAPS is valuable.
When valuable information is maintained in this way, there is a possibility for a competitor to acquire the information and build a competing product without the expense of developing the database independently. Because individual client devices are able to connect to the remove server to utilize portions of the data, a rogue competitor may attempt to retrieve all of the data by using many individual client devices to retrieve small portions of the data.
In one scenario, a rogue competitor creates an alternative application (such as a game), that is downloaded by a large number of users. Unknown to the users, the alternative application contacts the remote server and obtains a portion of the data on behalf of the user, then sends the data to a server owned by the rogue competitor. The rogue application would be designed to request different (possibly overlapping) pieces of data for each user. By aggregating the data sent by each user, the rogue application facilitates building a copy of the valuable information.
One way to avoid the problem is to require each user to have an account, and login each time data is retrieved. A user of the hypothetical rogue application would discover the attempt to retrieve data, and thus prevent the intended retrieval of information from the remote server. However, in many cases it is impractical to require a user to be authenticated. For example, users of GOOGLE MAPS would not want to set up a separate account and log in each time they wanted to use a map. Furthermore, some operating systems (such as the ANDROID operating system) specifically allow applications to use stored credentials, so a user might not discover an illicit use of the user's credentials.
What is needed is a method that allows individual users to access protected data on a remote server, does not require user input to authenticate the user or the user's device, and prevents a rogue application from impersonating the legitimate application.