I'm making an app with VS 2017 and Xamarin. I plan to send a username and password (in the request body) to my server with httpClient (Android), PostAsync().

I have seen examples like the answer at Send HTTP Post request in Xamarin Forms C# and just wonder if there is a way to check that the data being sent is really encrypted. I know from https://blog.xamarin.com/securing-web-requests-with-tls-1-2/ that the httpClient would automatically encrypt messages.

Greetings

Valter Ekholm
  • Are you using HTTPS/SSL? – SushiHangover Dec 13 '18 at 10:46
  • @SushiHangover On the server: yes – Valter Ekholm Dec 13 '18 at 11:31
  • @ValterEkholm Then rest assured it's encrypted. – Todd Menier Dec 14 '18 at 14:49
  • @Todd Menier I meant the data sent from an Android app to the server... now I plan to test Wireshark from the answer from James – Valter Ekholm Dec 15 '18 at 11:37
  • I understand what you meant. If you're calling an endpoint over HTTPS, the entire payload will be encrypted. Please read [how HTTPS works](https://robertheaton.com/2014/03/27/how-does-https-actually-work/) and understand that everything (the handshake, certificate exchange, key exchange, encryption) is all taken care of for you by virtue of the server and `HttpClient` understanding and implementing the protocol. If it's just an exercise in curiosity or convincing yourself, fine, but I wouldn't spend significant time testing that these things work - they do. :) – Todd Menier Dec 15 '18 at 15:35
  • Thanks, so I guess no data is sent before the "handshake"... by the way, the server had a self-signed ssh – Valter Ekholm Dec 15 '18 at 17:37

1 Answer

If you connect to your server using SSL, the data you send will be encrypted. This can be achieved by simply using the https:// prefix when connecting to your server as opposed to the regular http prefix.

As you said that you are using SSL on your server, I shall not go into the ins and outs of implementing it, as it is very different on every platform. For anyone reading this in the future, a great starting point is using Let's Encrypt if you're on a budget, as it is free (although you do have to refresh your certificate every so often).

To verify that the data is encrypted, you can use a program called Wireshark whilst debugging in an Android Emulator. The instructions are pretty clear within Wireshark, but on sending the request from your Android phone, select the domain/IP from the Wireshark panel and view the information from that request. If you are using SSL right, the data should be encrypted.

James Mallon
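What the Wireshark check in the answer above amounts to at the byte level, as an added example that is not part of the original answer: cleartext HTTP starts with a method name and exposes the request body, while TLS traffic is a run of records with a 5-byte header (type, version, length) and no readable credentials. The sample streams, credentials and host name are constructed, and `parse_tls_records`, `classify_capture` and `record` are hypothetical helper names.

```python
# TLS record-layer content types (RFC 5246 / RFC 8446)
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"PATCH ", b"DELETE ", b"HEAD ", b"OPTIONS ")

def parse_tls_records(stream):
    """Return [(type_name, length), ...] if stream is a clean run of TLS records, else None."""
    records, pos = [], 0
    while pos < len(stream):
        header = stream[pos:pos + 5]
        if len(header) < 5:
            return None                      # truncated record header
        ctype, major, minor = header[0], header[1], header[2]
        length = int.from_bytes(header[3:5], "big")
        # Record version is 0x0301..0x0303 (TLS 1.3 still writes 0x0303 here).
        if ctype not in TLS_TYPES or major != 3 or not 1 <= minor <= 3:
            return None
        if length > 2**14 + 2048 or pos + 5 + length > len(stream):
            return None                      # oversized or cut-off record
        records.append((TLS_TYPES[ctype], length))
        pos += 5 + length
    return records or None

def classify_capture(stream, secrets):
    """Classify a client-to-server byte stream and list any secrets visible in it."""
    leaked = [s for s in secrets if s.encode() in stream]
    if stream.startswith(HTTP_METHODS):
        return "plaintext-http", leaked
    if parse_tls_records(stream):
        return "tls", leaked
    return "unknown", leaked

def record(ctype, version, payload):
    """Build one TLS record (used only to construct the sample below)."""
    return bytes([ctype]) + version + len(payload).to_bytes(2, "big") + payload

# Constructed sample streams, not real captures; bytes(range(n)) stands in for ciphertext.
SECRETS = ["alice", "Hunter2-example"]
BODY = b"username=alice&password=Hunter2-example"
PLAIN_STREAM = (b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n"
                b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
TLS_STREAM = (record(22, b"\x03\x01", bytes(range(200)))   # handshake (ClientHello-sized)
              + record(20, b"\x03\x03", b"\x01")           # change_cipher_spec
              + record(23, b"\x03\x03", bytes(range(96)))) # encrypted application data

if __name__ == "__main__":
    for name, stream in (("http://", PLAIN_STREAM), ("https://", TLS_STREAM)):
        print(name, classify_capture(stream, SECRETS))
```

On a real capture, the input would be the raw client-to-server bytes saved from Wireshark's Follow TCP Stream view; a stream cut off mid-record is reported as `unknown` rather than `tls`.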