Security Issues in Mobile Commerce Using WAP

The Wireless Application Protocol (WAP) has been proposed as a way to get Internet (or a sort of Internet) to the small wireless and mobile devices, e.g. mobile phones, while accommodating for the special characteristics of such devices. Originally, WAP was designed with a gateway in the middle, acting as the interpreter between the Internet protocol stack and the Wireless Application Protocol stack. The WAP gateway forwards web content to the mobile phone in a way intended to accommodate the limited bandwidth of the mobile network and the mobile phone’s limited processing capability. However, the gateway introduces a security hole, which renders WAP unsuitable for any security-sensitive services. Through a set of standard releases, primarily version 1.2.1 (June 2000) and version 2.0 (July 2001), security issues have been addressed. We discuss the security hole and the gateway-based design that has led to it, including the business and architectural considerations underlying the design. A number of ways to correct the situation are discussed, including application level security, which still hasn’t been fixed in the WAP 2.0 standard of the July 2001 release. Finally we observe, that although version 2.0 allows skipping the gateway thereby tightening security, the added cost is not negligible.