
Encryption between desktop app and server - C# to PHP

I have an app which is designed in C#. In simple terms, the app sends data and an image to my web server, which takes all the $_POST data and processes it. I will confess I do not understand how the security end of things works. I will employ someone with relevant experience to do that; however, I wouldn't even know what to ask them at this point, as in what some accepted techniques are.

I assume it's not as simple as just base64 encoding/decoding the data and it needs a higher level of encryption. The web server will have HTTPS SSL (OV) certification over the next few weeks, but my limited understanding is that I still need some sort of protection/encryption when transferring the data from the user's PC to my web server so someone is not listening in on the data transfer or something like that.

In simple terms, if I want to keep the data secure between users and my web server, what are some of the most common or accepted methods for C# to PHP?

The data goes directly from the app on the user's PC to my server. I control the source code for both, but I myself am not the developer, hence my lack of technical knowledge on the issue.

One C# developer I talked with suggested a symmetric/asymmetric algorithm, but he is not a PHP developer, so he doesn't know if PHP can take that data and decrypt it.

asked Apr 29 '15 16:04

user1547410


1 Answer

It seems you are concerned with the security of the data while being transferred from the client app to the server, and vice versa. As has been mentioned in the comments, an HTTPS connection will be sufficient in this regard. It automatically performs encryption/decryption for you.

To get an HTTPS connection working, you would purchase an SSL certificate (Namecheap is one website where you can buy one) and install it on your web server. The certificate is automatically installed on a user's local machine the first time he/she connects to the server, and each subsequent connection performs a check for a valid certificate. So basically, you just install the certificate on the server and don't have to worry about it until you have to renew your certificate. Just make sure that your client app attempts to connect to an HTTPS address instead of an HTTP.

If you were to implement symmetric/asymmetric encryption, it would help with encryption and decryption before and after the data is transferred. If you encrypt the data in your client app, you will have to decrypt it on the server side when you receive it, and vice versa. This would provide you with even stronger security; however, depending on the nature of your app, an HTTPS connection may be enough.

One of my personal projects is a client C# app that connects to a Ruby web server, which I also wrote. I installed an SSL certificate on my Ruby web server so that data is encrypted while in transit. In my case, the data being transferred does not contain any user data or PII (Personally Identifiable Information) and therefore does not pose a security risk if an external party gains access to this information. As such, I felt using encryption before and after transit was not worthwhile nor would provide any benefit to the end user. Again, this depends on the nature of your app and your users' expectations.

EDIT:

As mine mentioned in the comments, StartSSL offers free SSL certificates.

answered Oct 15 '22 03:10

Alexander
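
The answer's advice to have the client app connect only to an HTTPS address, shown as an added C# example that is not part of the original answer. The endpoint URL, the `title` field, the `image` file field and the class and method names are assumptions chosen for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

static class SecureUploader
{
    // Refuse anything that is not an absolute https:// URL, so a mistyped or
    // misconfigured endpoint can never send the form in clear text.
    public static Uri RequireHttps(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out Uri uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Upload endpoint must be an https:// URL: " + url);
        return uri;
    }

    // Sends the field and the image as multipart/form-data; PHP exposes them
    // as $_POST["title"] and $_FILES["image"] (hypothetical field names).
    public static async Task<string> UploadAsync(string url, string title, byte[] image)
    {
        Uri endpoint = RequireHttps(url);
        // Certificate validation stays at the framework default (chain and host
        // name are checked). Redirects are not followed, so the body is only
        // ever sent to the address validated above.
        using (var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false }))
        using (var form = new MultipartFormDataContent())
        {
            form.Add(new StringContent(title), "title");
            var file = new ByteArrayContent(image);
            file.Headers.ContentType = new MediaTypeHeaderValue("image/png");
            form.Add(file, "image", "upload.png");

            HttpResponseMessage response = await client.PostAsync(endpoint, form);
            response.EnsureSuccessStatusCode(); // a 3xx redirect or an error status throws here
            return await response.Content.ReadAsStringAsync();
        }
    }

    static void Main()
    {
        // Constructed URLs; this offline check sends no network traffic.
        Console.WriteLine(RequireHttps("https://example.com/upload.php"));
        try { RequireHttps("http://example.com/upload.php"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```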