One thing underlies all the rosy predictions about mobile commerce and ubiquitous wireless data networks: the assumption that data can be stored securely on devices, encrypted successfully over the air and handled equally securely on the server. Unfortunately, however, rarely a month goes by when a researcher doesn't find a new security hole in a wireless technology being touted as the next great wireless economic engine. Because of the processing, memory and battery-life requirements of mobile devices, traditional encryption techniques (which sometimes rely on powerful processors and large amounts of memory) also fall flat on wireless platforms, creating the need for wireless-specific security technologies. In this article, I'll discuss some of these security technologies as well as some of the problems that have been uncovered to date.
As you might imagine, security in a mobile environment is paramount to the success of mobile commerce. Currently, the analyst predictions look to outstrip the realities of the marketplace, due in large part to wireless technologies' failings in the area of security. The Gartner Group has predicted that more than 40% of all C2B e-commerce transactions will occur via a WAP phone by the year 2004. These transactions could take place in a wide variety of scenarios. Bluetooth-enabled devices could securely interact with a credit card machine at the point of purchase. Wireless
WAP Security (WTLS)
The Wireless Application Protocol (WAP) is the most popular wireless data technology in use today. As you might expect, it has its own security mechanism, named Wireless Transport Layer Security (WTLS). WTLS is a wireless relative of the more common SSL mechanism used by all major Web browsers. WTLS resembles SSL in that both rely on certificates on the client and server to verify the identity of the participants involved. While SSL implementations generally rely on RSA encryption, WTLS supports RSA, Diffie-Hellman, and Elliptic Curve encryption. WTLS also doesn't provide for end-to-end security due to WAP's current architecture and limitations of server-side Transport Layer Security (another name for SSL). While WAP clients can securely exchange data with a WAP gateway using WTLS, the gateway must open an SSL session with a back-end server in order to complete the transaction. Due to this requirement, WAP 1.x suffered a serious security setback after it was revealed that data could be accessed, unencrypted, for a brief moment at the point where the WAP gateway passed data off to the back-end server (http://news.zdnet.co.uk/story/0,,t298-s2092470,00.html). The WAP Forum has addressed this issue in WAP 2.0, offering end-to-end security for the first time to WAP developers.
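The gateway hop described above, modelled as an added example (not code from the article or from the WAP Forum): a gateway that terminates the handset's WTLS session and re-encrypts for the TLS leg necessarily holds the plaintext for that moment, whereas an extra application-layer encryption keyed only between handset and origin server, the kind of custom measure an enterprise can add itself, leaves the gateway relaying nothing but ciphertext. The record format and the HMAC-based cipher are assumptions standing in for the real WTLS and TLS record layers.

```python
import hashlib
import hmac
import secrets

# Simplified authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC);
# an illustrative stand-in for the real WTLS/TLS record layer, not either protocol.
def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("record authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Gateway:
    """Models a WAP 1.x gateway: terminates the handset's WTLS session and opens
    a separate TLS session to the origin server, so decrypted data sits on the gateway host."""
    def __init__(self, wtls_key, tls_key):
        self.wtls_key, self.tls_key = wtls_key, tls_key
        self.observed = []          # what a compromised gateway (or its logs) could capture

    def relay(self, wtls_record):
        data = unseal(self.wtls_key, wtls_record)   # WTLS terminated here: plaintext
        self.observed.append(data)
        return seal(self.tls_key, data)             # re-encrypted for the TLS hop

def wap_1x_transaction(payload):
    """Transport security only (the 'WAP gap'): the gateway sees the payload."""
    gw = Gateway(secrets.token_bytes(32), secrets.token_bytes(32))
    at_server = unseal(gw.tls_key, gw.relay(seal(gw.wtls_key, payload)))
    return at_server, gw.observed[0]

def end_to_end_transaction(payload):
    """Application-layer encryption on top of both hops: the gateway relays only ciphertext."""
    app_key = secrets.token_bytes(32)               # shared by handset and origin server only
    gw = Gateway(secrets.token_bytes(32), secrets.token_bytes(32))
    inner = seal(app_key, payload)
    at_server = unseal(app_key, unseal(gw.tls_key, gw.relay(seal(gw.wtls_key, inner))))
    return at_server, gw.observed[0]
```

Both functions return what the origin server recovers alongside what the gateway observed, so the difference between the two architectures is visible directly in the second value.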
Wireless LAN Security
While a great deal of attention has been paid to technologies such as WAP and Bluetooth, Wireless LANs using the IEEE 802.11b standard have been growing rapidly over the past two years. Unfortunately, products built on 802.11b that were once marketed as "secure" are now being shown to be anything but. Specifically, 802.11b secures data using the Wired Equivalent Privacy (WEP) protocol. Unfortunately, it has been shown that WEP can be cracked by simply modifying several device driver settings on your wireless LAN-equipped mobile device! Wireless LAN proponents have recently backtracked, claiming that WEP was designed only as a "deterrent" rather than a crackproof solution. Consider yourself warned!
Another, more pressing problem with wireless LANs deals with their use of shared spectrum and the ability of passersby to snoop on your corporate LAN traffic. It was revealed last year that corporate data from Sun Microsystems was stolen by snoopers sitting in the Sun parking lot! A number of grassroots efforts are underway in major cities to map out wireless access points (London, Seattle, Boston, Silicon Valley), in case you're interested in participating.
Just as important as the secure transmission of data over the air is the issue of data stored on your mobile device. Despite antivirus software vendors' warnings, no serious viruses have spread to the mobile world as of the time of this writing. You can be sure, however, that mobile devices will catch the attention of virus developers as smart wireless devices proliferate and the value of data stored on those devices increases. A markup-based technology such as WAP would appear to be virus-proof, but technologies such as SMS can send text/multimedia messages to other users, and Java can dynamically download executable code to the device. While the Java 2 Micro Edition specification defines adequate security protections, bugs in the proliferation of virtual machines on a wide number of devices could open a Pandora's box of security problems. Companies such as McAfee are already offering antivirus solutions for Palm OS, Windows CE and EPOC in anticipation of a new wave of viruses.
Despite proponents' claims to the contrary, wireless data technologies still possess a level of insecurity, particularly if custom security measures (such as encryption) are not put in place by the enterprise or application developer. WAP 2.0 hopes to solve WAP's primary security problems, but the all-important vendor implementations of the standard will decide whether the public accepts the level of security offered. As you can see from the issues raised in this brief discussion, a long road lies ahead for mobile security vendors seeking to gain the public's trust. Only when these products and technologies are proven to be secure from end to end will mobile commerce begin.