Motivated - 27 days ago
C# Question

Securing Xamarin.Forms App traffic via SSL

For my Xamarin.Forms application I've created an ASP.NET Web API as a backend to handle server-side stuff.

When it comes to security I'm pretty much lost.
I've read a lot of articles containing a lot of possibilities such as HMAC, OAuth and others.

For my purpose I think just SSL/HTTPS will do the job.

I just have no idea where to start. All the documentation I've read didn't help me...

Does anyone know a place where I can get some help, or can anyone describe what to do to get this done?

As far as I know I've got to create a SelfSignedCertificate.
But where do I put it?
Inside of my App (Resources)?


Please provide me some help.
Anything is highly appreciated.




EDIT 1:

As of now I have created a custom attribute EnforceSSL in my Web API.

All my web requests in my app are now HttpsWebRequests.

Does this mean all my traffic is secured?

As far as I could find out, in order to secure my API/website I need an SSL certificate. I can either create one or buy one ... (is this correct)?


I guess I need to include this in my IIS, where my API runs.

Do I need any client certificate which I have to install on the phones which use my app?

Answer

I don't want this to go unanswered; in future, for general security questions http://security.stackexchange.com is the place.

For my purpose I think just SSL/Https will do the job.

That's right, use HTTPS (HTTP Secure). You can configure the webserver to redirect all http:// to https:// automatically. Follow this TechNet guide to Configuring Server Certificates in IIS 7.

I'd also recommend you test your web services out with https://www.ssllabs.com/ssltest/, which grades how secure your web site/service is. SSLLabs mainly catches TLS 1.1 vulnerabilities, so make sure you're on the latest TLS to get a Grade A. TLS is basically the same thing as SSL. SSL 3.0 was the last version of SSL. TLS – Transport Layer Security, a new name for SSL. TLS 1.0 is colloquially considered “SSL 3.1”. Created and maintained by the Internet Engineering Task Force. The latest version is TLS 1.2 and TLS 1.3 is currently in draft format.

All my WebRequests in my App are now HttpsWebRequests. Does this mean all my traffic is secured?

Nothing is 100% secure, but it sounds like you're following the recommended practices: https://developer.xamarin.com/guides/cross-platform/macios/http-stack/

Do I need any Client Certificate which I have to install on the phones which use my app?

What you're thinking of is called Certificate Pinning and https://forums.xamarin.com/discussion/8743/self-signed-cert-using-httpclient


The 3 most common mistakes in securing a mobile app are:

  1. Hardcoding keys into source code.
  2. Not using encryption correctly.
  3. Not using HTTPS.

Securing Mobile Apps is such a large subject - there are entire books on the topic. At the very least read up on: OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project and Secure Coding Guidelines for iOS and Android: https://mgovlab.government.ae/uploads/SecureCodingGuidelines.pdf and make sure you've covered off the top 10 vulnerabilities:

  1. Store local data securely
  2. Protect remote data transportation
  3. Implement appropriate authentication
  4. Audit third-party code and services
  5. Respect user data
  6. Protect from reverse engineering
  7. Secure web services and servers
  8. Validate input and interprocess communications
  9. Avoid exploitable code errors
  10. Distribute an application securely

When you package your application follow the official Xamarin guide, and pay attention to ProGuard.

https://developer.xamarin.com/guides/android/deployment,_testing,_and_metrics/publishing_an_application/part_1_-_preparing_an_application_for_release/
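The answer recommends forcing http:// to https:// on the server, and the question mentions a home-grown EnforceSSL attribute. Below is an added example of what such a filter looks like in ASP.NET Web API 2; it is not the asker's attribute, not the answer's code, and the class names (RequireHttpsApiAttribute, HstsHandler) are mine. It redirects only safe GET/HEAD requests and refuses everything else, because a POST that arrived in clear text has already leaked its body and a redirect would just make the client send it again. A DelegatingHandler adds Strict-Transport-Security so clients that honour HSTS stop trying plaintext at all.

```csharp
// Added example (not the asker's EnforceSSL attribute or the answer's code):
// an ASP.NET Web API 2 filter that refuses plaintext HTTP, plus a handler that
// sets Strict-Transport-Security on HTTPS responses.
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical name; apply per controller/action or register globally (see Register below).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequireHttpsApiAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Already on HTTPS: nothing to do, let the request continue down the pipeline.
        if (string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head)
        {
            // Safe, idempotent requests can be redirected to the https:// equivalent.
            // Port = -1 tells UriBuilder to use the scheme's default port (443).
            Uri httpsUri = new UriBuilder(request.RequestUri)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1
            }.Uri;

            HttpResponseMessage redirect = request.CreateResponse(HttpStatusCode.MovedPermanently);
            redirect.Headers.Location = httpsUri;
            actionContext.Response = redirect;
        }
        else
        {
            // A POST/PUT/DELETE that arrived in clear text has already exposed its body and
            // any credentials; redirecting would only make the client replay it. Refuse it.
            actionContext.Response = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "HTTPS is required for this API.");
        }
    }
}

// Tells browsers (and any HTTP library that honours HSTS) to use HTTPS for this host
// for a year. Only emitted on HTTPS responses, since the header is ignored otherwise.
public sealed class HstsHandler : DelegatingHandler
{
    private const string HstsHeader = "Strict-Transport-Security";
    private const string HstsValue = "max-age=31536000; includeSubDomains";

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        if (string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase)
            && !response.Headers.Contains(HstsHeader))
        {
            response.Headers.Add(HstsHeader, HstsValue);
        }
        return response;
    }
}

// Wire both up once in App_Start/WebApiConfig.cs so every controller is covered,
// rather than relying on each developer to remember the attribute.
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.Filters.Add(new RequireHttpsApiAttribute());
        config.MessageHandlers.Add(new HstsHandler());
        config.MapHttpAttributeRoutes();
    }
}
```

Registering the filter globally is the safer default: a per-controller attribute is easy to forget on the next controller. The IIS-level redirect from the TechNet guide and this filter are complementary; the filter is what protects you when the API is later hosted behind a different front end.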
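The answer names certificate pinning as the thing the asker is reaching for with "client certificates", and links a thread about self-signed certificates with HttpClient. The following is an added example, not code from the answer or from that thread, of an HttpClient for the Xamarin.Forms app that keeps the platform's normal TLS validation and additionally pins the server certificate. The hostname and the two pin values are constructed placeholders. It assumes the HttpClientHandler in use honours ServerCertificateCustomValidationCallback (true for the managed handler and recent Xamarin native handlers); check the Xamarin HTTP-stack document the answer links for your platform's handler.

```csharp
// Added example (not the answer's code, not from the linked Xamarin thread):
// an HttpClient for the Xamarin.Forms app that keeps normal TLS validation and
// additionally pins the server certificate, which also covers the self-signed case.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedApiClient
{
    // Hypothetical host; replace with the Web API's real hostname.
    private const string ApiBaseAddress = "https://api.example.test/";

    // PLACEHOLDER pins (constructed, not real): Base64 of SHA-256 over the DER-encoded
    // server certificate. Ship at least two so the certificate can be rotated without
    // locking already-installed apps out of the API.
    private static readonly string[] PinnedCertSha256 =
    {
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // current server certificate
        "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=", // backup certificate, issued but not yet deployed
    };

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Called once per TLS handshake with the leaf certificate and the
            // platform's own validation verdict (SslPolicyErrors).
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler) { BaseAddress = new Uri(ApiBaseAddress) };
    }

    // Base64(SHA-256(DER certificate)): the same value as
    //   openssl x509 -in server.crt -outform DER | openssl dgst -sha256 -binary | base64
    public static string Fingerprint(X509Certificate2 certificate)
    {
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(certificate.RawData));
        }
    }

    private static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
        {
            return false;
        }

        // A hostname mismatch or a missing certificate is always fatal.
        // A chain error alone (the self-signed case) is tolerated only because the
        // pin below then acts as the trust anchor; a pin mismatch still fails the handshake.
        const SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateChainErrors;
        if ((errors & ~tolerated) != SslPolicyErrors.None)
        {
            return false;
        }

        // Pinning is an extra check on top of validation, never a replacement for it:
        // a publicly trusted certificate with the wrong fingerprint is rejected too.
        string actual = Fingerprint(certificate);
        foreach (string pin in PinnedCertSha256)
        {
            if (string.Equals(pin, actual, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }
}
```

Take the fingerprint from the certificate you deploy to IIS, not from whatever the app happens to receive at runtime, and plan the rotation before you ship: a pinned app with a single expired pin cannot reach its own API until the user updates it. Pinning the full leaf certificate, as here, breaks on every renewal; where the platform exposes the SubjectPublicKeyInfo, pinning that instead lets you renew the certificate with the same key without touching the app. Note that this is not a client certificate: nothing is installed on the phones, the pin is simply compiled into the app.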