The many flavors of HttpClient

HttpClientHandler

When using Xamarin, you can use the standard .NET HttpClient. By default, HttpClient is Mono’s complete reimplementation of the entire HTTP stack. That is sufficient for many use cases, but you can switch to other implementations by selecting a different HttpClientHandler. For my Evolve talk, I put together an overview of the different HttpClientHandlers you can use:

HttpClientHandlers

CFNetworkHandler (iOS 6+) and the new NSUrlSessionHandler (iOS 7+, starting with Xamarin.iOS 9.8) are the handlers that utilize Apple’s native APIs instead of the Mono implementation. You can define which handler the HttpClient default constructor will use either in the IDE or by providing an argument to mtouch (e.g., --http-message-handler=NSUrlSessionHandler).

iOS options: HttpClientHandler

For Android, there is now AndroidClientHandler (starting with Xamarin.Android 6.1). There is no IDE option for defining the default handler yet, but you can set it with an environment variable: add a text file with the @(AndroidEnvironment) build action to your Android project and have it set XA_HTTP_CLIENT_HANDLER_TYPE to the value Xamarin.Android.Net.AndroidClientHandler.

Alternatively, you can use ModernHttpClient by handing a NativeMessageHandler to the HttpClient constructor, which will also use native implementations for making HTTP calls.

SSL/TLS

The default Mono implementation does not support the newest (and most secure) TLS standard, 1.2, while the native handlers do. To use TLS 1.2 with the Mono implementation, Xamarin.iOS 9.8 introduced the option to replace the TLS implementation with P/Invoke calls into Apple’s TLS implementation. This can be selected either in the IDE or by adding the --tls-provider=appletls option to mtouch’s options.

iOS options: TLS

For Android, there is no such option but it is expected that BoringSSL support will be added soon.

Here’s the summary slide I showed in my talk:

HttpClient comparison

Xamarin have actually gone through the trouble of reimplementing the TLS code to support TLS 1.1 and 1.2. However, it is expected that it will be abandoned because of security considerations in favor of the native platform implementations, just as Microsoft has done for Windows.

Update (2017-02-15)

Here’s an update on the current state of HttpClient:

  • You can now specify that you want to use AndroidClientHandler in your Android project’s properties page, just as you already could for iOS.
  • As expected, Xamarin have added TLS 1.2 support to the Mono (non-native) HttpClientHandler by incorporating Google’s BoringSSL into their codebase. For Android, this option is also selectable in your project’s properties page. BoringSSL also brings TLS 1.2 to the Unix/Linux implementations of Mono.
  • Contrary to my previous knowledge, ModernHttpClient does support certificate pinning using ServicePointManager. Thomas Bandt wrote an excellent blog post on how to get certificate pinning working with ModernHttpClient and even AndroidClientHandler.
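A sketch of the ServicePointManager-based pinning mentioned in the last bullet, as an added example (it is not code from this post or from Thomas Bandt's post). The host name, the pin placeholders and the `PinnedHttp` class are assumptions, and what the callback receives as `sender` depends on the handler, so verify it for the handler you ship.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using ModernHttpClient;

public static class PinnedHttp // hypothetical helper, not part of any library
{
    // Assumed host and placeholder pins. Each pin is the base64 SHA-256 of the bytes
    // returned by X509Certificate.GetPublicKey(), which is not the same value as an
    // SPKI pin produced with other tooling. Keep a backup pin for key rotation.
    const string PinnedHost = "api.example.com";
    static readonly string[] Pins =
    {
        "<BASE64-SHA256-OF-CURRENT-KEY>",
        "<BASE64-SHA256-OF-BACKUP-KEY>"
    };

    public static HttpClient Create()
    {
        // The callback is process-wide: every connection that consults
        // ServicePointManager goes through Validate, not just this client.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        return new HttpClient(new NativeMessageHandler());
    }

    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Pinning is an additional check; it never rescues a failed chain validation.
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        // Assumption: sender is a host-name string or an HttpWebRequest.
        // Anything else fails closed instead of skipping the pin check.
        string host = sender as string ?? (sender as HttpWebRequest)?.RequestUri.Host;
        if (host == null)
            return false;

        // Other hosts rely on platform validation only.
        if (!string.Equals(host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return true;

        using (var sha = SHA256.Create())
        {
            string actual = Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
            return Pins.Contains(actual, StringComparer.Ordinal);
        }
    }
}
```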

And here’s the updated matrix:

HttpClient comparison

8 thoughts on “The many flavors of HttpClient”

  1. Hello, I’m having a problem on a Xamarin Forms application. When I test my application on Windows Phone, using HttpClient to consume an API, all works fine.

    Then I test on Droid and I can’t consume the API. The application got stuck for a while on client.GetAsync() and then an exception is thrown. The following appears on the output window of Visual Studio: Xamarin.Android returned no custom HttpClientHandler. Defaulting to System.Net.Http.HttpClientHandler

    I posted here on Xamarin Forms but got no responses till now; if you could help me I would appreciate it.

    Thanks, Miguel.

  2. There is an IDE option for selecting your default HttpClient in Android projects now in Xamarin Studio. You no longer have to mess around with XA_HTTP_CLIENT_HANDLER_TYPE.

  3. Has there been any word on handler.ClientCertificates.Add() being implemented? As of today, it throws a NotImplementedException in mono.android.

  4. Hi, I am a security tester and currently working on mobile application security testing (Android & iOS) which is built using Xamarin. And I am facing a problem in intercepting app requests and responses through a proxy editing tool (such as Burp Suite / Charles). Please let me know what changes need to be done / how to intercept the application's traffic. Thanks in advance.

    1. Do you have access to the source code? You can specify an HTTP proxy by configuring an HttpClientHandler and providing that to the constructor of HttpClient.
