In a previous article I covered some of the security features from a platform level available with Windows Phone 8. In this article, I’ll go through some of APIs available to help secure your applications, what Windows Phone gives you out of the box and also various ways to secure your applications.
Secure Sockets Layer
SSL certificates allow you to connect securely to a backend webserver by encrypting the communication channel using the HTTPS protocol. Depending on your use case, you may want to implement an SSL certificate in your backend web services to make it difficult to intercept and decipher the data being sent by your app.
For example, if are building a game and have a leader board in the backend, you may want to encrypt this channel to prevent someone from submitting some false data.
As a developer, there is nothing special you have to do in your code when accessing a secure URL other than making sure you use the HTTPS protocol instead of HTTP which is not secure. For example
WebClient webClient = new WebClient();
webClient.UploadStringCompleted += webClient_UploadStringCompleted;
webClient.UploadStringAsync(new System.Uri("https://www.mysecureapp.com/api/v1/uploadscore"), newScore);
You should be aware that not every SSL certificate will work on Windows Phone and you should verify the certificate authority
- SSL root certificates for Windows Phone OS 7.1
- Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs)
I buy my certificates form K-Software which is a reseller of Comodo (but a lot cheaper) and have not had a problem with these. But whatever you buy, verify with the lists above.
User Authentication
Some applications may want to authenticate and authorize users to allow access into certain features of their app. Some methods I have used in the past are
- Basic Authentication
- Authentication via a web service
- Forms Based Authentication
Although I don’t have sample code, these can easily be accomplished using a combination of HttpWebRequest, HttpRequestHeader and the WebHeaderCollection classes. Whenever using these types of authentication, you should use the HTTPs protocol to secure the communication channel. If you don’t, user information gets sent in plain text or Base64 encoded in the case of Basic Authentication.
Encrypting Local Data
Most Windows Phone apps will store some kind of data locally and whether you are saving files or a database to isolated storage. In some circumstances you may want to protect the data by encrypting the files or database.
Encrypting a Database
Encrypting a database is pretty straight forward and all you essentially have to do is provide a password in your connection string as follows
MyDataContext db = new MyDataContext("Data Source='isostore:/mydb.sdf';Password='securepassword';");
You should be aware, that if someone should decompile your code, they may get access to the password and be able to decrypt the database. With the Windows Phone platform security features put in place, this will be more challenging, but you may still want to not hardcode this password and possibly use the users “hashed username” or some other mechanism as the database password instead.
Data Protection API
In the past, using the classes in System.Security.Cryptography was how developers could encrypt their data when saved to Isolated Storage. If you implemented this by hardcoding your salt and password inside your code, then whatever you saved to isolated storage was not really secure as the salt and password could still be obtained.
The Data Protection API or DPAPI helps solve this by generating and storing a cryptographic key by using a combination of the user and device credentials. This key is in turn used to encrypt and decrypt any data you pass it. Also, every key that is created is unique to every app, so these keys cannot be interchanged.
Using DPAPI is pretty straight forward and you will find it under System.Security.Cryptography.ProtectedData class and using the Protect and Unprotect methods. Here is an example use for encrypting some data
// Convert the text to a byte[].
byte[] text = Encoding.UTF8.GetBytes("text to encrypt");
// Encrypt the text by using the Protect method passing optional salt
byte[] protectedText = ProtectedData.Protect(text, null);
// TODO do something with the data like writing it to a file
To decrypt the data is just as simple
// TODO get encrypted text byte from somewhere (ie iso store) byte[] protectedText = ReadTextFromSomewhere(); // Decrypt the text by using the Unprotect method. byte[] textByte = ProtectedData.Unprotect(protectedText, null); // Convert the PIN from byte to string and display it in the text box. var text = Encoding.UTF8.GetString(textByte, 0, textByte.Length);
Push Notifications
Sending push notifications are a great way to stay engaged with your users and get them to keep opening your app, especially if the app revenue model is ads. MSDN covers how to send push notifications for Windows Phone extensively but when your app goes production, it is recommended you use an authenticated web service to send push notifications to Windows Phone over HTTPS and not just HTTP. Not only is it more secure, but non-authenticated web services are rate limited to 500 push notifications per subscription day whereas authenticated web services are not throttled at all.
Conclusion
In the previous article I went over some of the platform security features available on Windows Phone to help protect users and a Windows Phone developers work. In this article I described some of the APIs and techniques available on Windows Phone to help secure your applications such as HTTPs, database encryption and cryptography.
Again, these articles do not cover everything on security but it should be enough to get your started on securing your apps or if you have not thought about it before to start thinking about it. Be sure to read over Building Secure Windows Store Apps as those techniques and concepts are definitely valid on Windows Phone.
Solid round-up article on security techniques. I’d add OAuth to Authentication.