[WPSL] How to avoid untrusted Http request from windows phone silverlight app

  • Question

  • Hi, 

    I want to always make secured http requests from my app. I created an SSL certificate and installed it using the following API. This allowed me to make secured calls.

    Windows.Security.Cryptography.Certificates.CertificateStores.TrustedRootCertificationAuthoritiesAdd(myCertificate);

    But the unsecured calls are still allowed through my app.

    Example: 

    I have installed a certificate for abc.com and hit a service with URL xyz.com over https; then the service call should fail stating it cannot access. It is expected to allow only abc.com over https.

    Can we do this on Windows Phone Silverlight? If possible, please help me to find the solution.

    Thanks,


    Pallam Madhukar Windows Phone Developer

    • Edited by Fred Bao Thursday, February 11, 2016 3:17 AM add the tag
    Wednesday, February 10, 2016 10:48 AM

Answers

  • Thanks Fred,

    I have created one more thread here. Now it is solved, at least for Windows Phone 8.1.

    Thanks.


    Pallam Madhukar Windows Phone Developer

    • Proposed as answer by Fred Bao Tuesday, February 23, 2016 1:07 AM
    • Marked as answer by Fred Bao Tuesday, February 23, 2016 8:47 AM
    Monday, February 22, 2016 7:22 PM

All replies

  • I really don't understand what you are asking. Can't you just use code to validate your app is only calling https://abc.com?
    Wednesday, February 10, 2016 12:02 PM
  • I may be misunderstanding what you are trying to do, but it sounds like you just need to control this via the logic in your app.

    Does your app allow users to enter the URL they want to access, or do you have full control over it? If you have full control over which URL will be called (i.e. this is all done from code, and the user can't enter a URL) then your app shouldn't make a call directly to any URLs other than the ones you've told it to.

    Adding a certificate to the trusted root won't stop calls to other sites over SSL working. The default trusted root authority certificates will still be on the device unless you've found a way to remove them.

    Could you provide further details of what your app does, and why you need the calls to fail?



    Wednesday, February 10, 2016 12:05 PM
  • Hi Daniel,

    My project is a Portable Class Library, which will be used in banking apps. So my customers are asking that un-certified URL requests be made to fail. As you said, there are two options:

    1. Removing default trusted authority certificates for my app or my http request.

        i. Is this possible in Windows Phone 8/8.1 Silverlight? If it is possible, please help me to implement it.

        ii. If removing trusted authority certificates is not possible, then is the 2nd option the recommended way? With the 2nd option, are there any chances of issues?

    2. Restrict URLs other than the certified URL:

        Please explain in more detail. Or do you mean: extract the certificates and, before calling any http request, check that the request base URL is certified?

    Thanks,


    Pallam Madhukar Windows Phone Developer

    Thursday, February 11, 2016 6:29 AM
  • Hi Ken Tucker

    Can you please help me here?

    Any suggestion is of value to me. I just want to try all the possibilities.

    Thanks.


    Pallam Madhukar Windows Phone Developer

    Saturday, February 13, 2016 11:42 AM
  • Hi Daniel, can you please check this?

    Pallam Madhukar Windows Phone Developer

    Monday, February 15, 2016 6:19 AM
  • >>But the unsecured calls are still allowed through my app.

    I think the only way is to restrict URLs other than the certified URL. I think this means you check each incoming URL to see if it is in the allowed scope; if not, just reject it in your project.

    Tuesday, February 16, 2016 8:32 AM
  • Hi,

    Thanks for the reply. My customer will provide a certificate to my library. Can I get the domain URL from the certificate using code?

    Thanks,


    Pallam Madhukar Windows Phone Developer


    Tuesday, February 16, 2016 11:18 AM
  • >>My customer will provide a certificate to my library. Can I get the domain URL from the certificate using code?

    The certificate does not have an association with the request URL. You could first collect the allowed domain names and save them into your project or a local file.

    Wednesday, February 17, 2016 1:30 AM
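
The allow-list check suggested in the replies above, written out as an added example that is not part of the original thread or any poster's code. The class name `RequestAllowList`, the demo class and the sample URLs are constructed for illustration; the library would call `IsAllowed` before handing any URL to its HTTP client.

```csharp
using System;
using System.Collections.Generic;

// Added example (hypothetical names): reject any request whose target is not
// an https URL on an explicitly allowed host.
public sealed class RequestAllowList
{
    private readonly HashSet<string> _hosts;

    public RequestAllowList(IEnumerable<string> allowedHosts)
    {
        // Host names are case-insensitive, so compare them that way.
        _hosts = new HashSet<string>(allowedHosts, StringComparer.OrdinalIgnoreCase);
    }

    public bool IsAllowed(string url)
    {
        Uri uri;
        // Relative, null or malformed input is rejected outright.
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri)) return false;
        // Only https; plain http to an allowed host is still refused.
        if (!string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)) return false;
        // "https://abc.com@xyz.com/" parses with Host == "xyz.com"; refuse any user-info part.
        if (!string.IsNullOrEmpty(uri.UserInfo)) return false;
        // Only the default https port.
        if (!uri.IsDefaultPort) return false;
        // Exact match on the parsed host, never a substring or suffix test on the raw
        // string, so "abc.com.xyz.com" does not pass as "abc.com".
        return _hosts.Contains(uri.Host);
    }
}

public static class Demo
{
    public static void Main()
    {
        var allow = new RequestAllowList(new[] { "abc.com" });
        // Constructed sample URLs.
        string[] samples =
        {
            "https://abc.com/api/balance",
            "http://abc.com/api/balance",
            "https://xyz.com/api/balance",
            "https://abc.com.xyz.com/login",
            "https://abc.com@xyz.com/login",
            "https://abc.com:8443/api"
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-36} {1}", s, allow.IsAllowed(s) ? "allow" : "reject");
    }
}
```

This limits which hosts the library will call; as noted earlier in the thread, it does not change which root certificates the device trusts when validating the server's chain.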
  • Hi

    Thanks for confirming option 2.

    Any idea regarding option 1?

    New options:

    1. Do we have any Network API to provide only a few certificates (Note: it should not take the default certificates)? Like Android has TrustManager.

    2. Do we have any Network API to check manually like iOS, where we receive the "didReceiveChallenge" callback and manually verify the certificates?

    Thanks,


    Pallam Madhukar Windows Phone Developer

    Wednesday, February 17, 2016 6:19 AM
  • Hello Pallam Madhukar,

    I suggest opening a new thread to ask different questions.

    >>But the unsecured calls are still allowed through my app.

    How do you check that there are untrusted calls from your app? In my mind, there should be an input that accepts the calls, and you could just check the call URL to ensure it is allowed (for example, as GalleryIsUsed also mentions, you could save the allowed domain names beforehand and check the incoming calls to see if they are allowed).

    Regards.



    Thursday, February 18, 2016 1:57 AM