Top 7 Things to Know About Web Service Security for Windows Phone

Introduction

As an increasing number of mobile applications trend toward web services for making the applications appear "live", it is important that the requests that the application makes consider adequate security procedures. Let's understand some of the things that a Windows Phone developer should consider when designing a Windows Phone application.

Only Basic Authentication is Supported

The Windows Phone 7 platform is based on Silverlight 3. However, the Silverlight platform for Windows Phone 7 only supports basic authentication. This means that Silverlight 4 networking features such as NTLM authentication, UDP multicast client, and WCF RIA services are not supported for Windows Phone 7.

WCF Data Services Are Not Supported

Previously called ADO.NET data services, Windows Phone 7 operating system does not support WCF data services.

JSON Serialization Support

Windows Phone 7 platform does not support complete JSON serialization. However, partial serialization support is available through the DataContractJsonSerializer class.

Sockets and Custom Bindings

Sockets and custom bindings are not supported in Windows Phone 7 operating system.

Basic Authentication and HTTPS

Since Windows Phone 7 operating system only supports basic authentication, it makes the scenario of HTTPS calls more interesting. To exercise the HTTPS scenario, you need to have an HTTP connection over a Secure Sockets Layer (SSL) or Transport Later Security (TLS) connection.

You achieve this by specifying a URL starting with https://, and Windows Phone platform takes care of the underlying wiring. When you make a call to an https://" endpoint, Windows Phone checks the certificate returned by the web service and verifies that the certificate is from a trusted authority. Once this is verified, further communication takes place in an encrypted environment.

Mutual Authentication Not Supported

Windows Phone lets you install trusted certificates on the device. However the Windows Phone platform does not expose the certificate values to applications running on the device. This limits the application from implementing mutual authentication scenarios.

Promoting For Credentials

Safe programming practices dictate that it is most secure to prompt the user for credentials when the scenario demands one. However, applications today in the name of usability allow storing for credentials on the device itself so that applications can use them without prompting a user. When storing credentials on a phone, please be sure to apply appropriate encryption.

Summary

In this article, we learned a few important things every application developer should know about security using web services in their Windows Phone application.



About the Author

Vipul Vipul Patel

Vipul Patel is a Software Engineer currently working at Microsoft Corporation, working in the Office Communications Group and has worked in the .NET team earlier in the Base Class libraries and the Debugging and Profiling team. He can be reached at vipul_d_patel@hotmail.com

Related Articles

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: October 29, 2014 @ 11:00 a.m. ET / 8:00 a.m. PT Are you interested in building a cognitive application using the power of IBM Watson? Need a platform that provides speed and ease for rapidly deploying this application? Join Chris Madison, Watson Solution Architect, as he walks through the process of building a Watson powered application on IBM Bluemix. Chris will talk about the new Watson Services just released on IBM bluemix, but more importantly he will do a step by step cognitive …

  • On-demand Event Event Date: October 23, 2014 Despite the current "virtualize everything" mentality, there are advantages to utilizing physical hardware for certain tasks. This is especially true for backups. In many cases, it is clearly in an organization's best interest to make use of physical, purpose-built backup appliances rather than relying on virtual backup software (VBA - Virtual Backup Appliances). Join us for this webcast to learn why physical appliances are preferable to virtual backup appliances, …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds