Reputation: 231
I have a scenario where users are uploading transaction logs to the main server via an ASMX web service. The application is a ClickOnce .NET WinForms app.
Currently I am doing this to convert a list of objects to JSON and deserialize it on the service, over SSL.
string data = JsonConvert.SerializeObject(Values_Static.logitems);
My code is protected by SmartAssembly, and still I am getting some breach where the attacker has access to the network connections and can deserialize the data.
Now I am thinking of a scenario where I encrypt the JSON string with some private string key and then decrypt it on the server,
e.g.
private string salt = "$e7?8f@l4";
return ByteArrToString(Encrypt(TextValue + salt));
Hardcode the key in the app and decode it on the server.
Will it work? Users are uploading the logs to the server every minute and there are possibly 20-30 entries per upload. Is there any chance of broken data, or still of hacking?
UPDATE: According to the discussion below, I understand that there is some issue with my code. The code is accepting the invalid certificate. How can I make it accept only a valid certificate from my https:// web service? ATM, everyone can see the code through Fiddler with HTTPS decryption on.
I have a valid certificate installed on my IIS 7 and it is working properly; the issue is with the code, and it is a standard auto-generated web reference in Visual Studio.
UPDATE 2: The final result is that the POST data is not encrypted; it is plain XML and readable by any software that can sniff. However, the GET data is secure. I have searched a bit but not found a valid answer.
Upvotes: 1
Views: 1393
Reputation: 57115
Fiddler (or other HTTPS proxies) can decrypt any HTTPS traffic.
You could prevent simple use of Fiddler by requiring a specific server certificate in your client code (rather than trusting any certificate the system itself trusts). However, this is only a weak deterrent because the user could just decompile your code and alter it so that your new certificate check is neutered.
This is called the "Untrusted client" problem, and it's the same thing that makes Digital Rights Management (DRM) software a "best effort" affair rather than an ironclad protection.
Upvotes: 0
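The "require a specific server certificate in your client code" check from the answer above, as an added example (not code from the answer's author or the asker's project). It assumes a .NET Framework client whose auto-generated web reference goes through ServicePointManager, and the thumbprint constant is a placeholder to be replaced with the thumbprint of the certificate installed on the IIS server; the first callback shows the accept-everything pattern that lets an intercepting proxy's certificate through, the second the pinned replacement.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ServerCertPinning
{
    // Placeholder (assumed value): replace with the SHA-1 thumbprint shown on the
    // server certificate's Details tab in the IIS / certificate MMC snap-in.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // The weak pattern: every certificate passes, including one minted on the fly
    // by an HTTPS-decrypting proxy, so the "invalid certificate is accepted" symptom
    // from the question is exactly what this produces.
    public static bool AcceptAnyCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Hardened callback: the chain must validate with no policy errors AND the
    // presented leaf certificate must match the pinned thumbprint.
    public static bool AcceptOnlyPinnedCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        var leaf = new X509Certificate2(cert);
        // Thumbprints are hex strings; compare case-insensitively.
        return string.Equals(leaf.Thumbprint, ExpectedThumbprint,
            StringComparison.OrdinalIgnoreCase);
    }

    // Call once at application start-up, before the first web-service call.
    // ServicePointManager is process-wide, so the generated SoapHttpClientProtocol
    // proxy picks this up without any change to the web reference itself.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            AcceptOnlyPinnedCertificate;
    }
}
```

A pinned thumbprint ties the client to one certificate, so the constant has to be updated (and the ClickOnce app redeployed) whenever the server certificate is renewed; and, as the answer notes, a user who decompiles the client can still remove the check.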
Reputation: 6515
Are you using SSL? If so, any application-level encryption is redundant. And, the key will have to be embedded in the code, so is readable by any attacker.
Upvotes: 1