Windows Mobile Secure Communication using WCF with SSL

• Download source code - 51.5 KB

Introduction

This is my first article and I have tried to make it really useful and interactive. In this enterprise world, various applications communicate with each other on various platforms. Securing this communication is a must and when it comes to business critical applications it is highly important. 

In this article we mainly focus on Windows Mobile device communication over SSL.  We will create a WCF service and smart device project using Visual Studio 2008. We will try to call this service from device application using HTTPS protocol.

Tools and technologies used 

• Windows Mobile 6 Professional  Emulator 
• .NET 3.5, Visual Studio 2008 
• Communication using WCF
• SSL Test Certificates. 

Background  

Generally all mobile devices are operated outside the network (safer) using public networks like GPRS, hotspots, etc. So device communication must be secure.

Using the code 

First of all we would see how the SSL implementation is useful. The following is a high-level description about how SSL works:

1. A client (normally a browser) requests a secure page (the URL begins with https://).
2. The Web server sends its public key, with its certificate, to the client.
3. The client checks that a trusted party (a Certification Authority [CA]) issued the certificate, that the certificate is still valid, and that the certificate is related to the site contacted.
4. The client uses the public key to generate an encryption key, and sends the encryption key to the server with the URL required (in an encrypted format).
5. The Web server decrypts the encryption key by using its private key, and then uses the key to decrypt the browser's request. The Web server sends back the requested data, which is encrypted with the key.
6. The client decrypts the data by using the encryption key, and uses the information (typically, the client displays the information through a browser).

Now the steps to be followed to implement secure communication:

• Create a WCF service and make it accessible over HTTPS. 
• Modify Host name.
• Create and install test SSL certificates.
• Create a smart device project and target Windows Mobile 6 Professional.
• Service proxy creation for above WCF service in device project.

1. WCF over HTTPS 

Create a WCF Service application say WCFHttpsTestApp using Visual Studio 2008 or above. By default the template will create two methods in your Service1.svc.cs file as:

public class Service1 : IService1
{
    public string GetData(int value)
    {
        return string.Format("You entered: {0}", value);
    }

    public CompositeType GetDataUsingDataContract(CompositeType composite)
    {
        if (composite.BoolValue)
        {
            composite.StringValue += "Suffix";
        }
        return composite;
    }
}

For this article I am not going to change this code.

Web config changes

By default the .NET Framework creates binding and endpoints compatible with HTTP only. To make it accessible over HTTPS you have to do the following changes:

Note: Security for WCF can be implemented in two ways: Message Level or Transport Level. For this article we are implementing Transport Level security.

• New EndPoint and Binding will be defined with Transport Security mode as shown below:
C#

<endpoint address="" binding="basicHttpBinding"
       bindingConfiguration="TransportSecurity"
       contract="WCFHttpsTestApp.IService1">
<bindings>
 <basicHttpBinding>
   <binding name="TransportSecurity">
      <security mode="Transport">
         <transport clientCredentialType="None"/>
      </security>
   </binding>
 </basicHttpBinding>
</bindings>  

As you see above, in the bindingConfiguration attribute, we define TransportSecurity which is nothing but a basicHttpBinding with security mode Transport.

Note: Here we are using BasicHttpBinding as the only standard binding supported by Windows Mobile clients is BasicHttpBinding.

• New Endpoint for mexHttpsBinding to exchange metadata over HTTPS. This endpoint is required while creating a proxy of this WCF service at client side.
C#

<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>

• In the serviceMetadata tag under serviceBehaviour, httpsGetEnabled should be true as:
C#

<serviceMetadata httpsGetEnabled="true"/>

Publish in IIS: Publish above created service in IIS server.

2. HostName Modification for HTTPS

When you host a WCF service in IIS, by default it takes localhost as its hostname in the web service URL. This localhost is not acceptable as a mobile client runs on a separate machine (emulator). Therefore we need to modify our hostname. Generally we use the computer name (like HCLMPPP-113) as the hostname.

We can modify the hostname using IIS Server and Visual Studio Command Prompt. For this article we are using the Visual Studio Command prompt.

cscript //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs set W3SVC/1/SecureBindings ":443:HCLMPPP-113" 

443 is the port for all HTTPS requests. Here we are modifying the hostname to HCLMPPP-113.

3. SSL Certificates

A WCF service has been well published so far but you will be able to browse this service with HTTP only. To browse it over HTTPS, you need to install the SSL certificate in the IIS server.

Note: The name of the SSL certificate should be the hostname you use above. Here it will be HCLMPPP-113.

Microsoft provides a utility to create test certificates, i.e., makecert.exe. I am going to use the same.

The following script will be used:

makecert -r -pe -n "CN= HCLMPPP-113" -b 01/01/2000 
  -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange 
  -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 

It will create an SSL test certificate with the name  HCLMPPP-113.

Now you need to install this certificate in IIS server as well as your Windows Mobile device.

Installation in IIS Server

1. Open Internet Information Services Manager MMC Snap-In.
2. Right-click the default web site and select Properties.
3. Select the Directory Security tab.
4. Click the Server Certificate button. The Web Server Certificate Wizard starts.
5. Complete the wizard. Select the option to assign a certificate. Select the HCLMPPP-113 certificate from the list of certificates that are displayed.

Now that the certificate has been created, you can browse your service using https://hclmppp-113/WCFHttpsTestApp/Service1.svc.

For more details, you can refer here.

4. Smart Device Application

Create a new Windows Mobile Smart Device application say HttpsDeviceTest from Visual Studio 2008 or above.

Add a textbox, button, and label to Form1. On click of this button, the GetData method of the WCF service will be called which takes a textbox data as parameter and prints a string result into the Label control, as shown below:

private void button1_Click(object sender, EventArgs e)
{
    try
    {
        if (textBox1.Text != String.Empty)
        {
            Service1Client client = new Service1Client();
            string data = client.GetData(Convert.ToInt32(textBox1.Text));
            label1.Visible = true;
            label1.Text = data;
        }
        else
        {
            MessageBox.Show("UserID is null!");
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}

But this code will not work, as we didn't add any service proxy to this device project.

5. Service Proxy Creation

A proxy can be created in two ways:

• using Add Web Reference in device application.
• using NetCFSvcUtil.exe.

For this article we will use NetCFSvcUtil.exe to create the service proxy.

Steps:

• Locate the NetCFSvcUtil.exe file using the command prompt. Generally it will be found here: C:\Program Files\Microsoft.NET\SDK\CompactFramework\v3.5\bin.
• Create a proxy by using the service URL: https://hclmppp-113/WCFHttpsTestApp/Service1.svc.



• It will create two files - Service1.cs, CFClientBase.cs at this location: C:\Program Files\Microsoft.NET\SDK\CompactFramework\v3.5\bin.
• Copy and paste these two files in your device project.
• Now you will be able to call service methods over HTTPS. Let's start the engine and go for a smooth ride.

Conclusion

Windows Mobile applications often communicate with servers using WCF. So it's worth spending some time to understand the concepts related to secure communication so that no outsider can enter into our application logic. I have tried to make this article very simple for you guys. Hope you will like it and start implementing it.

Links 

• http://u_style.bg046.com/file.axd?file=2009%2F10%2FWCFGuidanceForMobileDevelopers.pdf
• http://www.codeproject.com/Articles/36157/4-steps-to-create-free-SSL-certificate-for-develop