
WCF Service (JSON) and Android client - message security

I have a WCF service that gets and returns JSON data, and an Android mobile app that calls this service.

  • How do I encrypt messages between these two, if possible?
  • If not, how to do custom encryption?

Edit:

Here is some additional information for the server and client sides.

The service looks like this:

Service interface:

<ServiceContract()>
Public Interface ITest

    <OperationContract()>
    <WebInvoke(Method:="POST", RequestFormat:=WebMessageFormat.Json, ResponseFormat:=WebMessageFormat.Json, BodyStyle:=WebMessageBodyStyle.WrappedRequest)>
    Function Test(header As RequestHeader, body As TestRequestResponse) As Boolean

End Interface

Service code

<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
<ServiceBehavior(ConcurrencyMode:=ConcurrencyMode.Multiple, InstanceContextMode:=InstanceContextMode.Single)>
Public Class TestService
    Implements ITest

    Public Function Test(header As RequestHeader, body As TestRequestResponse) As Boolean Implements ITest.Test

        Return True

    End Function

End Class

Web.Config

<system.serviceModel>
    <services>
        <service behaviorConfiguration="RMWS.TestBehavior" name="RMWS.TestService">
            <endpoint address="Test" binding="webHttpBinding" behaviorConfiguration="WebBehavior" bindingConfiguration="WebBinding" contract="RMWS.ITest" />
        </service>
    </services>
    <bindings>
      <webHttpBinding>
        <binding name="WebBinding"/>
      </webHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="WebBehavior">
          <webHttp/>
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="RMWS.TestBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug  includeExceptionDetailInFaults="true" httpHelpPageEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>

Client call

The client call is currently made from JavaScript for testing only. In the future the client will be an Android app, but the general idea is the same.

$.ajax({
    type: "POST",
    url: "http://localhost/RMWS/TestService.svc/Test/Test",
    contentType: "application/json",
    dataType: "json",
    data: JSON.stringify(somedata),
    success: function (data)
    {
        ...
    },
    error: function (httpRequest, textStatus, errorThrown)
    {
        alert(textStatus + ": " + errorThrown);
    }
});

Edit 2:

I know it can be done easily with SSL. But my company thinks it's too expensive for performance and traffic, so they don't want to use SSL and instead want to do some other encryption. If possible, only requests may be encoded, as responses don't contain any sensitive info.

Edit 3:

Any other opinions except Joseph's answer?

SSL is the best bet if you want to carry on using JSON. You could obfuscate the JSON, but that would no longer be JSON, would be silly, and would still be accessible to those who are really interested.

Your best bet is to send binary over to the device. You could encrypt that using PGP, but the problem you would then have is storing a private key in an Android app, which in itself isn't very secure.

SSL is the safest bet.
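
The SSL option recommended above, applied to the Web.config from the question, as an added example that is not part of the original question or answer. It assumes the IIS site already has an HTTPS binding with a server certificate; only the parts marked CHANGED differ from the question's configuration.

```xml
<!-- Added example: the question's Web.config with transport security on the JSON endpoint. -->
<!-- Assumption: the IIS site hosting RMWS has an HTTPS binding with a server certificate. -->
<system.serviceModel>
    <services>
        <service behaviorConfiguration="RMWS.TestBehavior" name="RMWS.TestService">
            <endpoint address="Test" binding="webHttpBinding" behaviorConfiguration="WebBehavior" bindingConfiguration="WebBinding" contract="RMWS.ITest" />
        </service>
    </services>
    <bindings>
      <webHttpBinding>
        <!-- BEFORE: <binding name="WebBinding"/> (security mode defaults to None, so JSON travels over plain HTTP) -->
        <!-- CHANGED: Transport mode makes the endpoint listen on https:// only -->
        <binding name="WebBinding">
          <security mode="Transport">
            <!-- No client certificate or HTTP authentication; TLS protects the channel only -->
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="WebBehavior">
          <webHttp/>
        </behavior>
      </endpointBehaviors>
      <serviceBehaviors>
        <behavior name="RMWS.TestBehavior">
          <!-- CHANGED: publish metadata over HTTPS instead of HTTP -->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" httpHelpPageEnabled="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
```

With this binding the client posts to the same path under https:// instead of http://, and the JSON request and response bodies stay unchanged.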
