iPhone web service calls to WCF Service with Certificate Authentication

We are a .Net shop that has standardized on WCF Services. We are in the process of developing an iPhone application that needs to make secure web services calls to obtain data for the app. To ensure secure communications we have enabled SSL on our web servers. But this does not ensure the service can only be consumed by authorized apps. We have configured our services to support x509 certificate authentication. Is it even possible to call a secure WCF service with certificate authentication from an iPhone app?

I have spent many hours searching the internet for examples but to no avail. I HAVE been able to successfully call an un-secure WCF service with no issues. I have also done a lot of research on the WS-Security and WS-Trust communications standards. I believe I understand how this should work. I am just having trouble piecing together the steps/objects within the iPhone frameworks I need to make this work.

Any thoughts and ideas on the subject would be greatly appreciated.

Also, any thoughts on any of the following:

1. How best to deploy the P12 certificate file with the iPhone application
2. How best to secure the password for the P12 file within the app
3. Is deploying the P12 file with the app a best practice?
4. Are there facilities within the iPhone frameworks to support this kind of secure communication? If not, what would be an alternative recommendation?

Mac Book Pro, iPhone OS 3.1.2, iPhone WCF x509 Certificate Authentication

Posted on Feb 11, 2010 5:40 AM


Feb 11, 2010 6:26 AM in response to Maike9

While .Net and WCF don't "play nice" many times, they shouldn't be a problem here.

You'll want to refer to and understand the Apple documentation relative to these classes, but essentially your iPhone app code needs to load the SecIdentityRef and SecCertificateRef from your P12 file (yes, I think you need to read the file yourself, there's not a single API call that does the magic for you) and add them to an NSURLCredential object. Use that with an NSURLConnection or ASIHTTPConnection and it should work just fine.

As for the password for the P12 cert... That's up to you.

Is it best-practice? It's an uncommon practice, but mostly because few people secure their applications in this way. For most applications, it's just overkill. More common might be plain SSL with a challenge-response approach. Most common, of course, is no application authentication since the service is either open or relies on user authentication.

The facilities certainly do exist on the iPhone, it's just that they require you to manually read in your cert and associate the credentials with the connections (as opposed to having a single call do it for you all at once). The manual load of credentials adds flexibility, but at the expense of simplicity.
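
The steps described in the reply above, as an added Objective-C example that is not part of the original thread and not Apple sample code: import the P12 with `SecPKCS12Import`, wrap the identity in an `NSURLCredential`, and answer only the client-certificate challenge on an `NSURLConnection`. It assumes ARC and an SDK that has `connection:willSendRequestForAuthenticationChallenge:` (newer than iPhone OS 3.1.2); `ClientCredentialFromP12` and `ServiceClient` are hypothetical names, and the passphrase is taken as a parameter because the thread leaves its storage open.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not an Apple API): turn PKCS#12 data into a client
// credential. The caller supplies the passphrase; storing it is out of scope.
static NSURLCredential *ClientCredentialFromP12(NSData *p12, NSString *passphrase) {
    NSDictionary *opts = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12,
                                      (__bridge CFDictionaryRef)opts, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return nil; // e.g. errSecAuthFailed (bad passphrase) or errSecDecode
    }
    CFDictionaryRef entry = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity =
        (SecIdentityRef)CFDictionaryGetValue(entry, kSecImportItemIdentity);
    SecCertificateRef cert = NULL;
    NSURLCredential *credential = nil;
    if (identity && SecIdentityCopyCertificate(identity, &cert) == errSecSuccess) {
        credential = [NSURLCredential
            credentialWithIdentity:identity
                      certificates:@[ (__bridge_transfer id)cert ]
                       persistence:NSURLCredentialPersistenceNone]; // keep off disk
    }
    CFRelease(items); // the credential has retained the identity it needs
    return credential;
}

// Hypothetical delegate object that owns the connection to the WCF endpoint.
@interface ServiceClient : NSObject <NSURLConnectionDelegate>
@property (nonatomic, strong) NSURLCredential *clientCredential;
@end

@implementation ServiceClient
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate] &&
        self.clientCredential != nil) {
        [challenge.sender useCredential:self.clientCredential
             forAuthenticationChallenge:challenge];
    } else {
        // Server trust and every other challenge keep the system's validation.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    }
}
@end
```

Any P12 shipped inside the app bundle can be extracted from the installed app together with whatever passphrase the binary holds, so the server should treat this certificate as identifying the app build, not as proof of an authorized user.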
