When using Xamarin, you can use the standard .NET
HttpClient. By default, HttpClient is Mono’s complete reimplementation of the entire HTTP stack. It is sufficient for many use cases but there are other alternatives out there that can be defined by selecting an alternative
HttpClientHandler. For my Evolve talk, I put together an overview of the different HttpClientHandlers you can use:
CFNetworkHandler (iOS 6+) and the new
NSUrlSessionHandler (iOS 7+, starting with Xamarin.iOS 9.8) are the handlers that utilize Apple’s native APIs instead of the Mono implementation. You can define which handler the
HttpClient default constructor will use either in the IDE or by providing an argument to
For Android, there is now
AndroidClientHandler (starting with Xamarin.Android 6.1). There is no IDE option for defining the default handler yet but you can define it using the
@(AndroidEnvironment) build action on a text file in your Android project to define an environment variable
XA_HTTP_CLIENT_HANDLER_TYPE to the value
Alternatively, you can use ModernHttpClient by handing a
NativeMessageHandler to the HttpClient constructor which will also use native implementations for making HTTP calls.
The default Mono implementation does not support the newest (and most secure) TLS standard 1.2 while the native handlers do. To use TLS 1.2 with the Mono implementation, Xamarin.iOS 9.8 introduced the option to swap the TLS implementation with P/Invoke calls into the Apple’s TLS implementation. This can be selected either in the IDE or by adding the
--tls-provider=appletls option to
For Android, there is no such option but it is expected that
BoringSSL support will be added soon.
Here’s the summary slide I showed in my talk:
Xamarin have actually gone through the trouble of reimplementing the TLS code to support TLS 1.1 and 1.2. However, it is expected that it will be abandoned because of security considerations in favor of the native platform implementations, just as Microsoft has done for Windows.
Here’s an update on the current state of
- You can now specify that you want to use
AndroidClientHandleryour Android project’s properties page, just as you already could for iOS.
- As expected, Xamarin have added TLS 1.2 support to the Mono (non-native) HttpClientHandler by incorporating Google’s
BoringSSLinto their codebase. For Android, this option is also selectable in your project’s properties page.
BoringSSLalso brings TLS 1.2 to the Unix/Linux implementations of Mono.
- Contrary to my previous knowledge, ModernHttpClient does support certificate pinning using
ServicePointManager. Thomas Bandt wrote an excellent blog post on how to get certificate pinning working with ModernHttpClient and even
And here’s the updated matrix: