Security on the Brain

Security is something we all know is important, but is it something that we always do? Most likely, not always. That’s partially because security is complex and takes time to implement. Many of you, these days, don’t have that time (it’s all about shortest time-to-market, right?) to think about security. You make sure that minimal security checks and balances are there, but that’s about it. Totally understand. But security doesn’t have to be complex to implement once you know what you already have available to you in the frameworks and products that you use every day. Over the course of the next few weeks, check back often as we’ll be demystifying different aspects of application security, simple things you can do to protect your applications, how to use the tools and frameworks you’re already using as your lines of defense against hacking, and more. Feel free to start or join discussions in the Canadian Developer Connection LinkedIn group to give and receive thoughts and feedback on these or any other topics from fellow Canadian developers and experts.
In continuation of his post from yesterday, Building Secure Windows Phone 8 Apps – The Platform, in this post Mark Arteaga goes over some of the APIs and techniques that can help you secure your apps and give your users a safe feeling when using your apps.
Guest post by Mark Arteaga, Microsoft MVP
In my previous post, I covered some of the security features from a platform level available with Windows Phone 8. In this post, I’ll go through some of the APIs available to help secure your applications, what Windows Phone gives you out of the box and also various ways to secure your applications.
SSL certificates allow you to connect securely to a backend webserver by encrypting the communication channel using the HTTPS protocol. Depending on your use case, you may want to implement an SSL certificate in your backend web services to make it difficult to intercept and decipher the data being sent by your app.
For example, if you are building a game and have a leaderboard in the backend, you may want to encrypt this channel to prevent someone from submitting false data.
As a developer, there is nothing special you have to do in your code when accessing a secure URL other than making sure you use the HTTPS protocol instead of HTTP which is not secure. For example
You should be aware that not every SSL certificate will work on Windows Phone and you should verify the certificate authority
I buy my certificates from K-Software which is a reseller of Comodo (but a lot cheaper) and have not had a problem with these. But whatever you buy, verify with the lists above.
Some applications may want to authenticate and authorize users to allow access into certain features of their app. Some methods I have used in the past are
Although I don’t have sample code, these can easily be accomplished using a combination of the HttpWebRequest, HttpRequestHeader and WebHeaderCollection classes. Whenever using these types of authentication, you should use the HTTPS protocol to secure the communication channel. If you don’t, user information gets sent in plain text, or merely Base64 encoded in the case of Basic Authentication.
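An added example (not code from the original post) of the Basic Authentication case built from the classes named above: the helper refuses to attach credentials unless the URL uses HTTPS, because the header value is only Base64 encoded. The class and method names (SecureRequests, CreateBasicAuthRequest, BeginFetch) are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

// Hypothetical helper class, written for this example.
public static class SecureRequests
{
    public static HttpWebRequest CreateBasicAuthRequest(Uri endpoint, string user, string password)
    {
        // Basic credentials are Base64 encoded, not encrypted,
        // so they must never travel over plain HTTP.
        if (!endpoint.IsAbsoluteUri || endpoint.Scheme != "https")
            throw new ArgumentException("Credentials may only be sent over HTTPS.", "endpoint");

        var request = (HttpWebRequest)WebRequest.Create(endpoint);
        request.Method = "GET";

        // RFC 7617 format: base64("user:password")
        string token = Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
        request.Headers[HttpRequestHeader.Authorization] = "Basic " + token;
        return request;
    }

    // Asynchronous fetch; a certificate the phone does not trust
    // surfaces here as a WebException rather than as response data.
    public static void BeginFetch(HttpWebRequest request, Action<string> onBody, Action<Exception> onError)
    {
        request.BeginGetResponse(ar =>
        {
            try
            {
                using (var response = (HttpWebResponse)request.EndGetResponse(ar))
                using (var reader = new StreamReader(response.GetResponseStream()))
                {
                    onBody(reader.ReadToEnd());
                }
            }
            catch (WebException ex)
            {
                onError(ex);
            }
        }, null);
    }
}
```

The callbacks run on a background thread, so marshal back to the UI thread before touching controls.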
Most Windows Phone apps will store some kind of data locally, whether you are saving files or a database to isolated storage. In some circumstances you may want to protect the data by encrypting the files or database.
Encrypting a database is pretty straightforward and all you essentially have to do is provide a password in your connection string as follows
You should be aware that if someone decompiles your code, they may get access to the password and be able to decrypt the database. With the Windows Phone platform security features put in place, this will be more challenging, but you may still want to avoid hardcoding this password and possibly use the user’s “hashed username” or some other mechanism as the database password instead.
In the past, using the classes in System.Security.Cryptography was how developers could encrypt their data when saved to Isolated Storage. If you implemented this by hardcoding your salt and password inside your code, then whatever you saved to isolated storage was not really secure as the salt and password could still be obtained.
The Data Protection API or DPAPI helps solve this by generating and storing a cryptographic key by using a combination of the user and device credentials. This key is in turn used to encrypt and decrypt any data you pass it. Also, every key that is created is unique to every app, so these keys cannot be interchanged.
Using DPAPI is pretty straightforward: it is exposed through the System.Security.Cryptography.ProtectedData class and its Protect and Unprotect methods. Here is an example use for encrypting some data
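An added example, not code from the original post, that ties the database-password and DPAPI sections together: instead of hardcoding the password, it generates a random one per install, stores it only as a DPAPI-protected blob in isolated storage, and builds the connection string from it. It assumes the two-argument Windows Phone overloads of Protect and Unprotect and the isostore connection-string form; the class name and file names are hypothetical.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;
using System.Text;

public static class LocalDbSecret
{
    // Hypothetical file names, chosen for this example.
    private const string SecretFile = "dbsecret.bin";
    private const string DatabaseFile = "app.sdf";

    // Returns a connection string whose password never appears in the
    // compiled app: it is random and kept only in DPAPI-protected form.
    public static string GetConnectionString()
    {
        string password;
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            if (store.FileExists(SecretFile))
            {
                using (var file = store.OpenFile(SecretFile, FileMode.Open, FileAccess.Read))
                {
                    var blob = new byte[file.Length];
                    int read = 0;
                    while (read < blob.Length)
                    {
                        int n = file.Read(blob, read, blob.Length - read);
                        if (n == 0) throw new EndOfStreamException();
                        read += n;
                    }
                    // The entropy argument must match the one passed to Protect.
                    byte[] clear = ProtectedData.Unprotect(blob, null);
                    password = Encoding.UTF8.GetString(clear, 0, clear.Length);
                }
            }
            else
            {
                var random = new byte[16]; // 128 bits, hex-encoded to 32 characters
                new RNGCryptoServiceProvider().GetBytes(random);
                password = BitConverter.ToString(random).Replace("-", "");
                byte[] blob = ProtectedData.Protect(Encoding.UTF8.GetBytes(password), null);
                using (var file = store.CreateFile(SecretFile))
                    file.Write(blob, 0, blob.Length);
            }
        }
        return "Data Source='isostore:/" + DatabaseFile + "';Password='" + password + "';";
    }
}
```

Pass the returned string to your DataContext constructor before the database is first created, since the password has to be in place at creation time.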
Sending push notifications is a great way to stay engaged with your users and get them to keep opening your app, especially if the app revenue model is ads. MSDN covers how to send push notifications for Windows Phone extensively, but when your app goes to production, it is recommended you use an authenticated web service to send push notifications to Windows Phone over HTTPS and not just HTTP. Not only is it more secure, but non-authenticated web services are rate limited to 500 push notifications per subscription per day whereas authenticated web services are not throttled at all.
In the previous post I went over some of the platform security features available on Windows Phone to help protect users and a Windows Phone developer’s work. In this article I described some of the APIs and techniques available on Windows Phone to help secure your applications such as HTTPS, database encryption and cryptography.
Again, these posts do not cover everything on security but it should be enough to get you started on securing your apps or, if you have not thought about it before, to start thinking about it. Be sure to read over Building Secure Windows Store Apps as those techniques and concepts are definitely valid on Windows Phone.
As always, if you have any specific questions or concerns about Windows Phone app security, how to implement any of these, or if you read something that you want to find more about, feel free to start a new discussion in the Canadian Developer Connection LinkedIn group. Mark, community experts, and your fellow Canadian developers are there to answer and share.
This post is cross-posted from Mark Arteaga’s blog.
Any ideas on what optionalEntropy should be ideally in DPAPI ProtectedData.Protect() - msdn.microsoft.com/.../hh133538(v=vs.105).aspx … ? I see 'null' in almost every example. This seems to be the worst idea. What are your thoughts on this ? Which crypto algo is used ?
Guess it depends on how much security you require. If you add the Entropy, it will provide additional complexity as MSDN says. I have never used it as I have never had a need for it. Just remember to use it when decrypting also.