I have a Xamarin Forms project using a portable class library. In that PCL I reference my WCF service, which is hosted on a server.
The WCF binding is BasicHttpBinding with transport security, as PCL does not support WSHttpBinding.
Also, the WCF service uses HTTPS and I have a valid certificate for that.
I want to secure the messages because now, if I install an application such as Fiddler or a packet monitor on my Android device, I can see the XML data of every call to my service in readable format.
I thought that by using HTTPS I was protecting that. I tried to use WCF TransportWithMessageCredential, but it failed to log in to my service because Xamarin does not yet support this combination.
So (after research I found out that):
- PCL does not support WSHttpBinding, only BasicHttpBinding
- Xamarin.Forms BasicHttpBinding does not support message security, only TransportCredentialOnly
And
- Xamarin does not support TransportWithMessageCredential, only transport security, but transport security does not protect the data from MITM.
How do others working with Xamarin Forms protect this data? Did I miss anything? Any suggestions?
EDITED
I am trying to encrypt the XML request before sending it to the service, but it fails every time I change the message, e.g. from XML to encoded characters (I guess because the server fails to recognize the schema).
I have implemented IClientMessageInspector on the client side and also IDispatchMessageInspector on the server side.
I need some help with how I can send the XML request encrypted to the server. If I do it here, then I can decode it on the service side (server).
On the client side I have the following:
```vb
Public Function BeforeSendRequest(ByRef request As Message, channel As IClientChannel) As Object Implements IClientMessageInspector.BeforeSendRequest
    ' The binding is created only to obtain its default reader quotas
    Dim Binding As New BasicHttpBinding(BasicHttpSecurityMode.Transport)
    ' Encrypt the serialized request and expose the result as a stream
    Dim ms As MemoryStream = New MemoryStream(System.Text.Encoding.UTF8.GetBytes(EncryptedData(request.ToString)))
    Dim RQuotas As Xml.XmlDictionaryReaderQuotas = Binding.ReaderQuotas
    ' The reader expects XML, but the stream now holds the encrypted text
    Dim reader = Xml.XmlDictionaryReader.CreateTextReader(ms, RQuotas)
    ' Replace the outgoing request with a message built from that reader
    request = Message.CreateMessage(reader, Int32.MaxValue, request.Version)
    Return Nothing
End Function
```
I am not sure if I am doing it correctly. Any help is welcome.
Fiddler only decrypts HTTPS traffic if you accept its certificate. It basically acts as a man in the middle and handles all the calls from the service to your app. There is some useful info here: https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS
On the second update of your question: you would need to create a container that will house all your messages. That way you can decrypt and encrypt the data as you see fit.
A simple example can be found at https://misaxionsoftware.wordpress.com/2011/07/29/secure-restful-web-service-by-wcf-web-api-no-https-seriously/
You can customise it as much as possible.
Here is the message that is defined in the link above:
Message
Encrypted Message
IEncryptionHelper
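
One way to implement the container approach from the answer, as an added example that is not part of the original posts or the linked article: the client inspector replaces the SOAP body with a single `EncryptedMessage` element holding Base64 data, so the message stays well-formed XML, and the server inspector authenticates it and restores the original body. `EnvelopeCodec`, the element name and its namespace are hypothetical; the example assumes two separate keys provisioned out of band and a runtime that provides `System.ServiceModel` and `System.Security.Cryptography` (AES-CBC with HMAC-SHA256, encrypt-then-MAC).

```vb
Imports System.IO
Imports System.Linq
Imports System.Security.Cryptography
Imports System.ServiceModel.Channels
Imports System.Text
Imports System.Xml
' Added example: EnvelopeCodec, EncryptedMessage and the namespace are hypothetical names.
Public Module EnvelopeCodec
    Private Const Ns As String = "urn:example:encrypted-envelope"

    ' Client (BeforeSendRequest): body becomes <EncryptedMessage>Base64(IV | ciphertext | HMAC)</EncryptedMessage>.
    Public Function Wrap(request As Message, encKey As Byte(), macKey As Byte()) As Message
        Dim plain = Encoding.UTF8.GetBytes(request.GetReaderAtBodyContents().ReadOuterXml())
        Dim blob As Byte()
        Using cipher As Aes = Aes.Create() ' AES-CBC with PKCS7 padding; a random IV is generated per instance
            blob = cipher.IV.Concat(cipher.CreateEncryptor(encKey, cipher.IV).TransformFinalBlock(plain, 0, plain.Length)).ToArray()
        End Using
        Using h As New HMACSHA256(macKey) ' encrypt-then-MAC over IV and ciphertext
            blob = blob.Concat(h.ComputeHash(blob)).ToArray()
        End Using
        Return Rebuild(request, "<EncryptedMessage xmlns=""" & Ns & """>" & Convert.ToBase64String(blob) & "</EncryptedMessage>")
    End Function

    ' Server (AfterReceiveRequest): check the HMAC first, then decrypt and restore the original body.
    Public Function Unwrap(request As Message, encKey As Byte(), macKey As Byte()) As Message
        Dim blob = Convert.FromBase64String(request.GetReaderAtBodyContents().ReadElementContentAsString("EncryptedMessage", Ns))
        If blob.Length < 64 Then Throw New CryptographicException("Envelope too short") ' IV 16 + one block 16 + MAC 32
        Dim signed = blob.Take(blob.Length - 32).ToArray()
        Using h As New HMACSHA256(macKey)
            Dim expected = h.ComputeHash(signed)
            Dim diff = 0
            For i = 0 To 31 ' compare every byte so timing does not reveal the first mismatch
                diff = diff Or (expected(i) Xor blob(signed.Length + i))
            Next
            If diff <> 0 Then Throw New CryptographicException("Envelope failed authentication")
        End Using
        Using cipher As Aes = Aes.Create()
            Dim pt = cipher.CreateDecryptor(encKey, signed.Take(16).ToArray()).TransformFinalBlock(signed, 16, signed.Length - 16)
            Return Rebuild(request, Encoding.UTF8.GetString(pt))
        End Using
    End Function

    ' Builds a message with the new body and the original headers and properties.
    Private Function Rebuild(original As Message, bodyXml As String) As Message
        Dim result = Message.CreateMessage(original.Version, DirectCast(Nothing, String), XmlReader.Create(New StringReader(bodyXml)))
        result.Headers.CopyHeadersFrom(original)
        result.Properties.CopyProperties(original.Properties)
        Return result
    End Function
End Module
```

Call `Wrap` from `BeforeSendRequest` and `Unwrap` from `AfterReceiveRequest`, assigning the result back to the `ByRef request` parameter. A key shipped inside the app can be recovered by whoever controls the device, so this layer only hides the body from parties that do not hold the key.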