- A WAP gateway is a software system that converts Web pages from the WAP security protocol, known as the Wireless Transport Layer Security protocol, into the Internet security protocol, known as Secure Sockets Layer. WTLS is based on a de facto security standard for Internet communications, known as Transport Layer Security, and works by establishing a session between the mobile device and the WAP gateway in a process known as handshaking.
- During handshaking, the security parameters -- encryption protocols, public encryption keys and security certificates -- used to protect the session are negotiated. Once a session has been established, communications between the mobile device and the WAP gateway are encrypted, so that they cannot be read even if intercepted.
- A WAP gateway allows WAP-enabled devices to communicate with the Internet. However, WAP communications are available for a short time in unencrypted form on the gateway, so if the gateway is compromised, so are any WAP communications. Vendors typically take precautions to ensure that data is secure, including encrypting and decrypting data in memory and clearing memory before it is handed back to the operating system. However, no standards exist for these precautions, so no particular implementation of WAP can be guaranteed secure.
- Cellular phones are always likely to be the weakest link in any WAP implementation. They are, by definition, mobile and can easily be lost or stolen. The capabilities of WAP mean that mobile devices are increasingly likely to be used to store sensitive data that is physically protected only by a personal identification number and, in many cases, by nothing at all. A WAP-enabled website is also a key component of any WAP implementation, so the security issues traditionally associated with websites in general also apply to WAP. Poorly written gateway interface software can provide an entry point for hackers, while malicious websites can download the contents of a directory or address book on a cellular phone or personal digital assistant and distribute the information to a third party.
previous post