As an increasing number of mobile applications trend toward
web services for making the applications appear “live”, it is important that
the requests that the application makes consider adequate security procedures.
Let’s understand some of the things that a Windows Phone
developer should consider when designing a Windows Phone application.
Only Basic Authentication is Supported
The Windows Phone 7 platform is based on Silverlight 3. However, the
Silverlight platform for Windows Phone 7 only supports basic authentication.
This means that Silverlight 4 networking features such as NTLM authentication, UDP multicast client, and WCF RIA services are not
supported for Windows Phone 7.
WCF Data Services Are Not Supported
Previously called ADO.NET data services, Windows Phone 7
operating system does not support WCF data services.
JSON Serialization Support
Windows Phone 7 platform does not support complete JSON serialization. However, partial
serialization support is available through the DataContractJsonSerializer
Sockets and Custom Bindings
Sockets and custom bindings are not supported in Windows
Phone 7 operating system.
Basic Authentication and HTTPS
Since Windows Phone 7 operating system only supports basic
authentication, it makes the scenario of HTTPS calls more interesting. To
exercise the HTTPS scenario, you need to have an HTTP connection over a Secure Sockets Layer (SSL)
or Transport Later Security
You achieve this by specifying a URL starting with
the underlying wiring. When you make a call to an ”
endpoint, Windows Phone checks the certificate returned by the web service and
verifies that the certificate is from a trusted authority. Once this is
verified, further communication takes place in an encrypted environment.
Mutual Authentication Not Supported
Windows Phone lets you install trusted certificates on the
device. However the Windows Phone platform does not expose the certificate
values to applications running on the device. This limits the application from
implementing mutual authentication scenarios.
Promoting For Credentials
Safe programming practices dictate that it is most secure to
prompt the user for credentials when the scenario demands one. However,
applications today in the name of usability allow storing for credentials on
the device itself so that applications can use them without prompting a user.
When storing credentials on a phone, please be sure to apply appropriate
In this article, we learned a few important things every
application developer should know about security using web services in their
Windows Phone application.