An Introduction to WAP Security at the Network Protocol Layer — WTLS
November 1st, 2001 | Business | Originally published online by Wireless Advisor
Philip Mikal for Open Source Consulting
As an increasing number of organizations deploy services using the Wireless Application Protocol (WAP), they must seriously consider the security issues present in such an environment. This is especially true in systems that involve financial information or sensitive personal data. The WAP specification, created by the WAP Forum, partly addresses such concerns with the introduction of the Wireless Transport Layer Security protocol (WTLS).
WTLS is based on the Transport Layer Security protocol (TLS), a derivative of the Secure Sockets Layer protocol (SSL). The goal of WTLS is much the same as that of SSL: to provide privacy and reliability for client/server communications over a network. While SSL is primarily used to provide security over the Internet, WTLS is specific to wireless applications using WAP. WTLS was developed, rather than simply reusing TLS or SSL, because of the restrictions present in the Wireless Application Environment. Specifically, TLS and SSL do not accommodate the limited memory and processing capabilities of WAP-enabled phones, do not support the multiple transport protocol layers WAP runs over, and do not address low-bandwidth environments.
To gain a better understanding of WTLS, it is important to understand the basics of the WAP network architecture. The WAP client, typically a cellular phone, communicates directly with a gateway. A gateway is a proxy that provides protocol translation, compression of WML/WMLScript and additional services. When a gateway receives a request from a WAP client, the request is translated into HTTP so the gateway can communicate with the appropriate content server. In a secure WAP system, the communication between the WAP client and the gateway is encrypted with WTLS. The gateway then decrypts the WTLS traffic and re-encrypts it with SSL to connect to the content server. The SSL connection is similar to what one would find in a traditional secure Internet application.
This process has its weaknesses, many of which have been publicly criticized. The first is that WTLS allows weak encryption algorithms; with some WAP clients, users can even disable WTLS encryption entirely. The availability of such options severely limits the security of a WAP application. Other WTLS security problems were brought to light and explained to the public by Markku-Juhani Saarinen in his paper, Attacks against the WAP WTLS Protocol. Specifically, it addresses the chosen-plaintext data recovery attack, the datagram truncation attack, the message forgery attack and the exportable key-search shortcut. The paper has been published on the Internet and is available at http://www.jyu.fi/~mjos/wtls.pdf. Finally, the WAP gateway itself could be compromised. Because data between a WAP client and a content server is decrypted at the gateway, that data is exposed if the gateway has been compromised. Where an organization operates its own gateway, steps should be taken to prevent this from occurring: firewalls, operating system hardening and even physical security of the gateway's location can all be implemented. Even so, many companies have yet to realize that security concerns exist in WTLS.
Future versions of the WAP specification may address shortcomings in WTLS. A WAP Forum draft called The WAP Transport Layer E2E Security Specification presents a scheme to eliminate the need for decryption/re-encryption at the WAP gateway. Here, a WAP client’s request would be redirected using an XML document. This document supplies the WAP client with instructions on how to make a direct secure connection with a secondary proxy, which provides direct access to the content server. This method inherently bypasses the WAP client’s default gateway.
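To make the difference between the two architectures described above concrete, the following added example (not code from the article or the WAP Forum) models what each party can read under the gateway decrypt/re-encrypt scheme and under the end-to-end (E2E) scheme. The cipher is a throw-away HMAC-SHA256 keystream so the script runs with the Python standard library; the keys, nonces and sample request are all constructed for the demo and stand in for the real WTLS and SSL session parameters.

```python
import hashlib
import hmac
import os

def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC-SHA256 in counter mode), constructed for this
    demo only; WTLS negotiates RC5/DES/3DES/IDEA suites, which are not modelled."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        keystream = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)

toy_decrypt = toy_encrypt  # XOR with the same keystream undoes the encryption

def gateway_model(request: bytes) -> dict:
    """Client -WTLS-> gateway -SSL-> content server, as deployed in the article.
    Returns the bytes each party ends up holding."""
    k_client_gw = os.urandom(32)   # session key from the WTLS handshake (client <-> gateway)
    k_gw_server = os.urandom(32)   # session key from the gateway's SSL session (gateway <-> server)
    n_wtls, n_ssl = os.urandom(8), os.urandom(8)
    wtls_record = toy_encrypt(k_client_gw, n_wtls, request)
    # The gateway must decrypt to translate WAP -> HTTP: plaintext exists here.
    at_gateway = toy_decrypt(k_client_gw, n_wtls, wtls_record)
    ssl_record = toy_encrypt(k_gw_server, n_ssl, at_gateway)
    at_server = toy_decrypt(k_gw_server, n_ssl, ssl_record)
    return {"gateway": at_gateway, "server": at_server}

def e2e_model(request: bytes) -> dict:
    """E2E draft: the client keys directly with a secondary proxy in front of the
    content server (collapsed into "server" here), so the default gateway only
    forwards ciphertext it holds no key for."""
    k_client_proxy = os.urandom(32)
    n = os.urandom(8)
    record = toy_encrypt(k_client_proxy, n, request)
    at_gateway = record                         # no key for this session at the gateway
    at_server = toy_decrypt(k_client_proxy, n, record)
    return {"gateway": at_gateway, "server": at_server}

if __name__ == "__main__":
    req = b"GET /balance?pin=1234"   # constructed sample request
    print("gateway model, gateway sees:", gateway_model(req)["gateway"])
    print("e2e model, gateway sees:", e2e_model(req)["gateway"].hex())
```

A compromised gateway in the first model yields the request in clear; in the second it yields only ciphertext, which is the property the E2E draft is after.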
Additional improvements will come with widespread implementation and deployment of WAP client security certificates. Security certificates digitally identify a WAP client and let it send and receive encrypted information. Currently, digital signing of WAP client requests must be handled by the content provider's application and/or created using the WMLScript Crypto library.
WTLS is just one piece of the security puzzle when architecting a WAP application. It should be fully understood, along with the full WAP specification, to provide knowledge of the pertinent threats, issues, and potential weaknesses.
Tags: 2001, article, programming, WTLS
