452 Chapter 10 • Securing Your Wireless Web
to an independent audit. Some service providers will provide an independent audit
report, but it is still necessary to consider the scope and the age of an audit report.
Secure Application Interfaces
Wireless applications and servers typically communicate with back-end data
sources and applications such as databases and legacy applications. In a typical
three-tier architecture (Web browser,Web server plus middleware, and back-end
application) a Web server is exposed to the Internet while back-end applications
reside within more secure regions of the network. Communication with back-
end systems should be implemented using secure protocols and, if possible,
through private networks. If an ASP is used, a VPN or private network connec-
tion may be configured, but this does not provide security through to the Web or
server or mobile application; only to the service provider’s network.
The best way to address the issue of secure communications between applica-
tions is for servers to communicate using a secure protocol such as SSL. If this is
not possible, a VPN and a private WAN connection is the best solution when
using a service provider and a private LAN between machines at the data center
is recommended (This can be accomplished by adding a secondary network
interface card to each server and explicitly configuring the IP addresses or net-
work route to the sister servers.
Problems of a Point-to-Point Security Model
Theoretically, the problem of point-to-point security architectures can never be
fully resolved.The only solution is end-to-end security. Of course, point-to-point
security can provide additional layer of security as a conduit for communications
secured through a PKI.The advantage of going with the flow on point-to-point
security is that you retain complete flexibility with respect to devices and the
locations of users as they travel, assuming that your mobile application software
operates globally.
Sniffing and Spoofing
Sniffing is the process of collecting raw information from a network then fil-
tering it for information related to specific users, machines, or applications.

Spoofing refers to simulating a node on a network in order to redirect users to a
replica of an application and deceiving them into unknowingly revealing pass-
words or credit card numbers.As a rule, unencrypted communication can be
observed and falsified without detection. PKI security eliminates this possibility.
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 452
Securing Your Wireless Web • Chapter 10 453
Session Management and URL Rewriting
On the Web, cookies are used to maintain state between Web browsers and Web
servers. On the wireless Web not all browsers support cookies. In the absence of a
PKI, less secure methods of maintaining state, such as URL rewriting, must there-
fore be used. URL rewriting allows applications to maintain their last state inde-
pendent of cookies by rewriting the URLs sent to the browser in such a way that
when the user browses to the rewritten URLs within an application, the server is
able determine that the request has come from a specific user.This method poses
a security risk since URLs of this kind could be sniffed off the wire and used by
hackers to bypass normal authentication before accessing the application. If the
algorithms for URL rewriting can derived by a hacker, arbitrary information or
transactions can be accessed for a given server or application.
Man-in-the-Middle Attack
A man-in-the-middle is a person who intercepts communications passing
through a point where it is unencrypted (such as a WAP gateway), and then
replaces the original communication with a false communication that is made to
appear legitimate.When the recipient of the false communication responds, they
believe that they are dealing with the person who originated the communication
rather than the man in the middle. In practice, exploiting this theoretical vulnera-
bility would require a combination of specialized software either installed on a
mobile operator’s WAP gateway or interposed in the communication path
through spoofing.
SECURITY

ALERT
■
Cracking Cracking is the practice of guessing a user’s password.
Since most users choose weak passwords, the best way to crack
a password is to know things about the user such as important
dates or names of children or pets. Systematic guessing can be
automated by writing a program that attempts to enter things
such as the words in the dictionary as a user’s password. The
best defense is a good password and a system that does not tol-
erate failed login attempts.
■
Hacking Hacking is a much overused term and it has more than
one meaning. The original and most common use refers to pro-
gramming or working with computers in an obsessive way, espe-
cially if the result of this work is ingenious. In the 1980’s the
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 453
454 Chapter 10 • Securing Your Wireless Web
terms was applied to people who broke into computer systems
or wrote malicious programs such as computer viruses.
■
Sniffing Capturing raw network traffic and filtering it to look
for specific information. Information in the clear can be read by
anyone with the hardware and software necessary to sniff the
or network.
■
Spoofing Spoofing refers to methods of simulating the identity
of a machine or application in a network. This can be done
either at the hardware level (assuming control of a network
route) or a physical or logical level (network address and soft-

ware applications). The best defense is a PKI because end-to-end
security technologies can detect if one end of the communica-
tion has is inauthentic.
No Complete Solution
Although a point-to-point security model sounds reasonable, it is a fundamentally
flawed and limited approach.Whenever data is unencrypted it is vulnerable, and
from a security standpoint it would be clearly incorrect to assume that acciden-
tally transmitting data over the Internet in the clear because of an improper WAP
gateway configuration is a worthwhile risk. Similarly it would be a mistake to
assume that all WAP gateways or WASP data centers are secure.WTLS may be
secure, but the question is irrelevant if the security it provides stops at the WAP
gateway. Each juncture within the current wireless security patchwork is a vul-
nerability that can, at least in theory, be exploited. One key to good security is
the attitude that even the most obscure vulnerabilities are unacceptable if there is
any way that they can be avoided.
PKI Technology and
End-to-End Security Models
The promise of Public Key Infrastructure security is complete end-to-end secu-
rity where communications remain secure even if intercepted.This is because
there is no point between the mobile device and the Web server or mobile appli-
cation where data are unencrypted. In contrast to the point-to-point WTLS secu-
rity model, PKI security provides end-to-end security (see Figure 10.7) by
deploying digital certificates to client applications such as wireless browsers.A
PKI may be used to provide strong security within an enterprise or between
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 454
Securing Your Wireless Web • Chapter 10 455
businesses since a PKI provides the security necessary for secure business transac-
tions over the Internet.
Although PKIs are relatively common within large corporate networks and

on the Internet, certificate-based encryption technologies and PKIs are not
widely deployed on the wireless Web. For several reasons, there is no dominant
standard for wireless digital certificates and PKI technologies.
■
Different PKI security technologies and competing vendors
■
Different wireless browsers
■
Limited bandwidth, device capacity, and processing power
■
Albatross of incompatible legacy devices already deployed
■
Lack of global standards for browsers and devices
In the past, the adoption of PKI security on the Web has concentrated on
industries and focused only on applications that deal with the most sensitive data,
rather than becoming ubiquitous.The wireless Web is no different, and you, the
www.syngress.com
Figure 10.7 End-to-End Security Model
Internet
Wireless
Network
Web
Server
WAP
Gateway
PKI technology
provides end-to-
end encryption.
WAP
Phone

159_wg_wi_10 10/22/01 5:47 PM Page 455
456 Chapter 10 • Securing Your Wireless Web
wireless Webmaster, need to decide if there is a return on investment for the
expense and overhead of deploying a PKI.
How to Deploy a PKI
Devices that support PKI security technology are not widely deployed today.
Every PKI implementation is unique to the organization or application that
requires security. For this reason, PKI technology is not an off-the-shelf product
or turnkey solution.To deploy a PKI you have to first select a wireless PKI tech-
nology and a vendor.The technology and vendor you select depends on the
application and on the wireless browser and devices that you wish to deploy.
Server Side PKI Integration
Most wireless PKI vendors provide a server-side Software Development Kit
(SDK) that allows their technology to be integrated with wireless applications,
and some wireless application platforms and WASPs already support one of the
leading PKI solutions.
Client Side Devices
PKI technologies must be supported both in a client application, such as a wire-
less browser, and in a server application. Deploying a PKI for the wireless Web
means standardizing on a specific wireless browser and on the devices that sup-
port the selected browser.There are several available wireless browsers that sup-
port PKI technologies, but this by itself is not a complete solution because the
server must support the same technology as the browsers and the PKI must
deployed in order to be used .As a rule, existing devices cannot be upgraded to
support the latest PKI security technologies so deployment of new mobile
devices along with a PKI solution is a routine approach.
Choosing a Certificate Authority
Deployment of a PKI for both the Web and the wireless Web depends on the
deployment of a Certificate Authority (CA).When a client certificate is generated,
the algorithm uses the creator’s root certificate and digitally signs the client certifi-

cate.The root certificate is the basis for trust between clients and servers that share
certificates with a common root. Every organization that deploys a PKI must
decide what CA to use. For your organization’s CA, you can choose either a com-
mercial security technology vendor such as Certicom, Diversinet, or Baltimore, or
you can use their software to establish you own CA. For interoperability between
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 456
Securing Your Wireless Web • Chapter 10 457
systems it is best to use a common CA so that organizations can easily grant access
to one another’s users.The decision of whether to use a commercial CA or
become a CA is not only a question of technology but also a function of company
size and organizational goals.There is also a political component for mobile com-
merce since there are a growing number of a laws related to digital signatures.
Certificate Management Framework
PKI technology vendors provide tools for the creation, management and deploy-
ment of certificates. Certificate management is the process of choosing or
becoming a certificate authority, of creating and securely deploying certificates, of
keeping them in escrow in case they are lost or destroyed, and of controlling their
expiration and renewal. Since certificates expire, there must be a straightforward
way of replacing certificates that are deployed on mobile devices.
Certificate Deployment
PKI deployment involves server-side integration, mobile device or browser selec-
tion, certificate creation, and client-side certificate deployment. PKI solutions
require users, IT administrators, or both to create and install or renew client-side
certificates.The certificate deployment process can be problematic for mobile
devices because they are typically in the hands of users who are dispersed within
and outside the organization. Certificate deployment must be done securely: if a
user’s certificate is intercepted, it could grant unauthorized access to an intruder.
Practical Limits of PKI Technology
The largest problem with deploying a PKI is the lack of standards; it is not pos-

sible to deploy a PKI technology on the server side and accommodate the
devices that users already have to allow users much choice of devices. For prac-
tical reasons, the lack of standards also limits geographical coverage. For example,
a PKI may be deployed in a specific c-HTML browser on a wireless PDA plat-
form such as Palm OS in North America, but wireless connectivity for the device
may not be available in Europe.Another example would be if a specific model of
phone implementing current WAP security standards were issued to mobile
workers. Users traveling to Asia cannot use these devices, and the available Asian
devices (such as NTT DoCoMo i-mode phones) do not use WAP. In many com-
panies it is not practical to standardize mobile devices throughout the organiza-
tion.To avoid replacing or standardizing on a single wireless phone, the best
approach may be to deploy a PKI in conjunction with PDAs, particularly where
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 457
458 Chapter 10 • Securing Your Wireless Web
this reduces the need for notebook computers since reduced cost is a key reason
for using both PDAs and wireless access.
Using PDAs with PKI Security
The most powerful handheld mobile devices with the most capacity, flexibility,
and readily available security technologies are PDAs. PDAs also support installable
software and have the ability to synchronize with desktop PCs. In situations
where wireless PDA users sync their PDAs to desktop workstations, administra-
tors have some control over what software is installed, and have the ability to
update that software.These managers should specifically ensure that wireless
browsers are kept up-to-date. If a management solution such as Microsoft’s
System Management Server is in place, this can be used to exert centralized con-
trol of PDAs by indirectly manipulating PDA configurations.Although PDAs are
more involved than phones, using wireless PDAs is the most manageable solution
because wireless browsers with digital certificate support are already available, and
the software on a PDA such as a Palm Pilot or PocketPC can be easily upgraded.

PDAs with expansion slots, such as the Handspring Springboard slot or Pocket
PC Card adapter can accommodate more than one type of wireless modem, so
PDAs can be configured to go to wherever users travel as long as there is a wire-
less network to provide data access. In the future, the problems of PKI security
will be eased by the introduction of new networks such as General Packet Radio
Service (GPRS) and new mobile phones with either with built-in digital certifi-
cate support or flexible software configurations similar to today’s PDAs.
The Future of Security
on the Wireless Web
The future of wireless security lies in its convergence with Internet and Web
security. For example, a future PDA with a direct IP connection and HTML
browser supporting SSL need not pass through a WAP gateway. In the interim
there will be further standardization on wireless browsers, and hopefully a single
dominant PKI standard. More to the point, there should be a standard means of
installing digital certificates and of managing wireless PKIs from an IT perspec-
tive. Mobile devices have a long way to go before corporate IT personnel and
wireless Webmasters will find them configurable and manageable.
The Internet and telecommunications marketplaces will continue to converge
in the wireless Web, but this will be driven more by enterprise applications than
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 458
Securing Your Wireless Web • Chapter 10 459
by Web content. Mobile operators and device manufacturers will continue to
evolve their alliances with systems integrators and wireless software companies,
pursuing enterprise business directly with solutions based on their selected
devices and wireless network and security infrastructures, although this does not
solve the problem of global security standards. For a global solution there are two
options.The first, which is currently available, is a sophisticated software solution
that eliminates the complexities of disparate devices, networks and standards but
does not solve the problem of creating a globally viable PKI.The second is to

wait for 2.5G and 3G networks and devices.
PDAs are generally a better overall solution for corporate users, though not
the lowest in cost. In North America, however, there is limited coverage for wire-
less PDAs. It remains to be seen how these solutions will fare against the coming
2.5G and 3G networks and devices. In the meantime, PDAs are morphing into
miniature Web pads.The adoption of PDAs, particularly in the corporate IT
sector, will continue alongside that of wireless phones over the next few years.
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 459
460 Chapter 10 • Securing Your Wireless Web
Summary
The adoption of wireless technologies and applications is driven significantly by
the exchange of information and financial transactions that must be secure.
Wireless promises to extend corporate data, applications, and the Web to mobile
devices. without security that promise is rendered hollow, but security on the
wireless Web is far from simple. Unlike the Internet, the wireless Web is a patch-
work of different and incompatible standards.There are two basic approaches to
security on the wireless Web: point-to-point and end-to-end. Point-to-point
security provides the widest choice of mobile devices and browsers, and is the
only way to achieve a truly global solution. End-to-end security is synonymous
with PKI security technologies, and while PKIs are clearly the better approach,
there are many barriers to successful deployment, not the least of which is that
using a PKI severely limits the devices that can be deployed.The fundamentals or
security technologies (private or secret key and public key encryption) are iden-
tical on both the conventional and wireless Web, but there are several problematic
areas in wireless Web security. Most of these problems can be managed with
varying degrees of assurance with respect to minimizing risks through careful
analysis, planning, and management of the wireless solution; and by balancing
security requirements with the need for flexibility in mobile device, browser, and
network support. In the future, many of the current limitations in wireless Web

security will be resolved. However, It remains to be seen if, or to what extent, the
adoption of wireless and the introduction of faster networks and more powerful
devices will outrun the maturation of wireless security technologies, while wire-
less and Internet security standards and technologies simultaneously converge.
For ordinary Web content and applications like e-mail that enjoy limited
security over the Internet, point-to-point security and WTLS Class I are clearly
adequate solutions. For financial applications and sensitive corporate information,
the enforcement of SSL on Web servers and applications is a necessary step that
must be taken today. Newer implementations of WTLS will improve security in
this case.A PKI solution is necessary for highly secure applications,, and the best
way to secure your organization’s wireless communications via a PKI solution is
to use PDAs rather than mobile phones. Many of the issues that are seen as chal-
lenging today will be resolved when 2.5G and 3G networks replace the current
wireless infrastructure on a large scale. 3G networks and the devices that will run
on them will provide better and more manageable security because they will sup-
port end-to-end SSL and installable software through technologies such as J2ME.
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 460
Securing Your Wireless Web • Chapter 10 461
Solutions Fast Track
Comparing Internet and Wireless Security
; Security on the Web is less complex than security on the wireless Web
because the Web represents a single paradigm both for application devel-
opment and for security.
; The Internet and the Web provide a somewhat coherent model for
applications and security with a handful of ubiquitous standards. On the
wireless Web there are many networks using different standards, multiple
browser protocols, and several wireless markup languages.
Security Challenges of the Wireless Web
; Unlike Secure Sockets Layer (SSL) and the x.509 standard for Public

Key Infrastructures (PKIs) on the Internet today, there is no single stan-
dard for wireless digital certificates or wireless browser plug-ins.
; The relatively weak encryption provided by wireless security technolo-
gies such as the Wireless Transport Layer Security (WTLS) protocol and
lightweight wireless PKIs is directly related to the length of the keys
used and the sophistication of the encryption algorithms.These in turn
are a function of device capacity, processing power, and wireless network
bandwidth.
; User awareness and insecure devices pose a large challenge to the wire-
less Webmaster. Password protection, encryption programs, and device
configuration control are the keys to minimizing the risks when devices
are lost or stolen.
; Wireless Application Service Providers (WASPs) reduce customer infra-
structure investment but require customers to trust their data to a network
outside their control.
; Along with the spread of new technologies comes the potential for new
viruses, but the same diversity of wireless devices, browsers and standards
that hampers security can also hamper the spread of viruses and worms.
; Once you’ve determined what you’re going to make available wirelessly
and how secure it needs to be, you can determine what steps you need
www.syngress.com
159_wg_wi_10 10/22/01 5:47 PM Page 461