Reputation: 11079
WCF Service (JSON) and Android client - message security
I have WCF service, that gets and returns JSON data. and Android mobile app, that calls this service.
- How do I encrypt messages between these two, if possible?
- If not, how to do custom encryption?
Edit:
Here is an additional information for server and client sides.
The service looks next:
Service interface:
<ServiceContract()>
Public Interface ITest
<OperationContract()>
<WebInvoke(Method:="POST", RequestFormat:=WebMessageFormat.Json, ResponseFormat:=WebMessageFormat.Json, BodyStyle:=WebMessageBodyStyle.WrappedRequest)>
Function Test(header As RequestHeader, body As TestRequestResponse) As Boolean
End Interface
Service code
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
<ServiceBehavior(ConcurrencyMode:=ConcurrencyMode.Multiple, InstanceContextMode:=InstanceContextMode.Single)>
Public Class TestService
Implements ITest
Public Function Test(header As RequestHeader, body As TestRequestResponse) As Boolean Implements ITest.Test
Return True
End Function
End Class
Web.Config
<system.serviceModel>
<services>
<service behaviorConfiguration="RMWS.TestBehavior" name="RMWS.TestService">
<endpoint address="Test" binding="webHttpBinding" behaviorConfiguration="WebBehavior" bindingConfiguration="WebBinding" contract="RMWS.ITest" />
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="WebBinding"/>
</webHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="WebBehavior">
<webHttp/>
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="RMWS.TestBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" httpHelpPageEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
Client call
The client call currently made from javascript for testing only. In future a client will be android app, but the general idea is same.
$.ajax({
type: "POST",
url: "http://localhost/RMWS/TestService.svc/Test/Test",
contentType: "application/json",
dataType: "json",
data: JSON.stringify(somedata),
success: function (data)
{
...
},
error: function (httpRequest, textStatus, errorThrown)
{
alert(textStatus + ": " + errorThrown);
}
});
Edit 2:
I know it can be done easily with SSL. But in my company thinks it's too expensive for performance and traffic, so they don't want to use SSL, and instead do some other encryption. If possible, only requests may be encoded, as responses doesn't contain any sensitive info.
Edit 3:
Any other opinions except Joseph's answer?
Upvotes: 1
Views: 1565
Answers (1)
Reputation: 6653
SSL is the best bet if you want to carry on using JSON, you could obfuscate JSON but that would no longer be JSON and would be silly and would still be accessible to those who are really interested.
Your best bet is to send binary over to the device, you could encrypt that using pgp but the problem you would then have is storing a private key in an android app which in itself isn't very secure.
SSL is the safest bet.
Upvotes: 1
Related Questions
- Android connecting - WCF Service should return JSON
- WCF/basicHttp with message security interoperable with Java client?
- Returning JSON from WCF after POST in Android
- User Authentication
- Android JSON post to WCF Service
- How to secure WCF service which an Android app will use?
- Passing JSON object from Android Client to WCF Restful service in C#
- Android app communicating with WCF
- android - wcf rest service communication
- JSON WCF Security