HTTPS guidance

MigueldeIcazaMigueldeIcaza USXamarin Team Xamurai
edited October 2015 in General

Hello,

Xamarin developers have a spectrum of choices when it comes to their HTTPS clients, these are the options available today:

HttpWebRequest/WebClient, the original .NET HTTP API that provides support for HTTP and HTTPS, highly configurable, but difficult to use.

  • Pros:

    • You get NTLM for free
    • You have code that uses it from many years ago
  • Cons:

    • On iOS, you need to turn on the 3G radio using StartWWWLan method
    • Currently only supports up to TLS 1.0, hopefully early next year we will upgrade our entire stack to support 1.2: http://tirania.org/blog//archive/2015/Aug.html
    • No support for HTTP 2.0
    • Old API design, no beautiful Async for you.

HttpClient: this is an abstraction of the HTTP stack, and by default, this uses HttpWebRequest, but you can use any provider you want.
* Pros and Cons depend on which provider you use. If you use HttpWebRequest, you get the pros and cons of it, if you use another provider, those would apply.

ModernHttpClient: this is a provider developed by Paul Betts and available as a component. It provides an HttpClient interface that is backed on iOS by the operating system's NSURLSession, so you get background downloads for free, HTTP 2.0, and support for the latest TLS implementation; On Android you get support for HTTP 2.0 and the latest TLS implementation

  • Pros:

    • Latest TLS support
    • HTTP 2.0
    • Lovely Async-based API
    • On iOS, this automatically turns on the 3G radio
  • Cons:

    • On iOS 9, you need to make sure your servers are secured, or list exceptions to insecure servers in your Info.plist
    • NTLM support is something you have to roll on your own.
    • HttpClient-based APIs are not as configurable as HttpWebRequest

We strongly recommend the use of ModernHttpClient, we like it so much that we are going to be switching our default HttpClient transport in the future to use the ModernHttpClient provider on iOS and build a native provider for Android to go along with it.

Posts

  • KMullinsKMullins USMember, Xamarin Team Xamurai

    For those interested in implementing ModernHttpClient on iOS 9, I'd like to expand on the following Con:

    "On iOS 9, you need to make sure your servers are secured, or list exceptions to insecure servers in your Info.plist"

    In iOS 9 and OS X El Capitan, Apple added a new App Transport Security (ATS) feature that enforces secure connections between internet resources (such as the app's back-end server) and your app.

    Because ATS is enabled by default in iOS 9 and OS X El Capitan, if your Xamarin.iOS app or any library or service it is using makes connection to the internet, you'll need to take some action or your connections will result in an exception being thrown.

    For an existing app, Apple suggests you support the HTTPS protocol as soon as possible. If you either can't because you are connecting to a 3rd party web service that doesn't support HTTPS or if supporting HTTPS would be impractical, you can opt-out of ATS. See the Opting-Out of ATS section of our App Transport Security (ATS) documentation for more details.

    For a new Xamarin.iOS app, you should use HTTPS exclusively when communicating with internet resources. Again, there might be situations (like using a 3rd party web service) where this isn't possible and you'll need to opt-out of ATS.

  • FredyWengerFredyWenger CHInsider ✭✭✭✭✭

    This link to ModernHttpClient may also be intersing for the readers of this thread:
    http://forums.xamarin.com/discussion/31770/your-experiences-with-modernhttpclient#latest

Sign In or Register to comment.