locked
SSL certificate validations in Windows Phone RRS feed

  • Question

  • How do I validate an SSL certificate from a Windows Phone application? I need to check for criteria like Certificate Issuer Name, Expiry date, Host name match, Certificate chain etc. programmatically from the app. Are these checks handled by the OS itself for trusted certificates? How can I do these validations for self-signed certificates?
    Wednesday, October 9, 2013 6:31 AM

Answers

All replies

  • There is no way to do this as the OS takes care of this.  You cannot validate a self-signed certificate, that type of certificate is just as secure as having no cert at all!

    What is your business requirement to do this?  Perhaps there is another way to accomplish what you are doing?


    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)

    Thursday, October 10, 2013 8:08 PM
  • My business requirement is to make sure that SSL implementation is done properly and if not, implement the checks and validations on the client side.
    Wednesday, October 16, 2013 4:48 AM
  • hi jelf,

    I have the same requirement. mine is banking application on WP7 &8 and I need to validate SSL certificate of server on client side. I implemented SSL validation on android and ios platform. Why there is nothing like that on Windows platform??

    Is there any other way to validate the same and ensure secure communication?

    or can You suggest me any third party free library?

    thanks in advance.

    Tuesday, November 12, 2013 10:26 AM
  • There is no way to do this because the phone OS handles this for you.

    I cannot recommend any 3rd party libraries since that would imply an endorsement from Microsoft.  Sorry!

    If you search for libraries you will find several however!


    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)

    Monday, November 18, 2013 3:04 PM
  • Thanks for your reply Jeff.

    can you please suggest any way to avoid Man in the middle attack(MiTM) on Wp.

    the main reason to implement SSL pinning is to ensure there is no MiTM.

    But WP OS doesn't guaranty full proof security against  MiTM.

    Wednesday, November 27, 2013 6:30 AM
  • The only way for a MITM attack to succeed would be to trust that 3rd party cert.  If a user installs and trusts a 3rd party cert on that device that compromises the entire system.  That is not something that can be done automatically on the WP platform.

    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)

    Wednesday, November 27, 2013 12:49 PM
  • thanks Jeff for your quick reply.

    but let assume scenario if anyhow that 3rd party cert is in Device, then my app is definitely prone to MiTM. 

    In this scenario how can I ensure security of my app from MiTM?

    All my are  Https i.e. SSL implemented.

    Thanks in advance

    Wednesday, November 27, 2013 2:20 PM
  • You cannot with the existing APIs.   If you wish to implement something more you need to consider 3rd party libraries.

    Jeff


    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)

    Wednesday, November 27, 2013 2:28 PM
  • Hi Mandar,

    Have you got any solution for this. We are trying to find out this from long back. Please share your comments if you find any.

    Thanks in advance


    developer@voxvalley

    Friday, November 28, 2014 5:49 AM