The Security Gap in Wireless Mobility (Handsets)

by C. Enrique Ortiz, February 19, 2005

The wireless security gap used to be about the "WAP gap"; the security gap between a WAP client (handset) and a Web host, where data integrity and confidentiality became compromised at the WAP gateway due to the transition between WTLS and TLS. Today WAP 2.0 has addressed this gap by using TLS end-to-end, from the handset to the Web host.

But the wireless mobility security gap still exist today; secure mobile access to sensitive resources and information are still compromised. The gap is complex and consists of the following related items:

Mobile access occurs over unsecured channels.
Lack of non-repudiated device identity.
Lack of access control.
Lack of policy management.
Lack of digital user identity & management.
Lack of local data protection/confidentiality.
I also like to include "lack of application and licensing management", because access to sensitive resources and information should be controlled, possibly through authorized and properly licensed applications.

Some of the above items are obvious while others require more explanation; at a later point I will publish more about this gap; in the meantime this is food for thought for the reader, to whom I will leave the exercise of understanding each of the items above, and why it is important to address them, and address them together. Note that the gap exists not because there is a lack of technologies to address it, but due to the lack of standardization across devices (with respect to the above items), lack of understanding the gap and how to address it, and lack of solutions that allow corporate IT and even network carriers to manage the above items: the result is lack of security enforcement.

Standardization is so important to close this gap; and standardization comes in different levels... for example, at the functional level, or at the functional + API level; I would be happy if it existed at least at the functional level (but of course a single API across handsets is very important as well). Talking about standardization, from the J2ME perspective, I am hoping that the JSR-232 expert group is working on the management items mentioned above: non-repudiated device identity, and application, policy and public key certificate (user identity) management.

ceo

Why Google Ads?
To help subsidy this web site's hosting expenses.

About the Author

About C. Enrique Ortiz - I'm a mobility enthusiast, practitioner, and professional, with many years of experience in end-to-end mobile computing.

I'm a technologist by heart, a software architect and developer, who spends quite a bit of time with mobility technologies.

I am the co-founder and CTO of eZee inc, a new mobile solutions company. I also am Owner and Principal Technologist at Artemis Wireless Werks, a mobility services and consulting company which have helped dozens of companies deliver their mobile strategy.

I've worked in engineering and management positions in companies that include IBM, Pervasive Software, AGEA, Aligo, IBM and Dell, in areas that include avionics software (Space Shuttle OS), embedded, robotics and image processing, multimedia streaming, large financial systems, and of course, end-to-end mobility systems.

I've been the author or co-author of many publications, patent disclosures, and of the first book exclusively devoted to Java programming with the J2ME Mobile Information Device Profile (MIDP) published by John Wiley and Sons. I also was co-designer of the Mobile Java Developer Certification Exam of Sun Microsystems. Many of my writings are technical articles on mobility technologies and software development that can be found all over the Web. I also have a weblog where I write about mobility and other things.

I have been an active participant in the Java mobility community, where I have evangelized the Java ME technologies for many years now, and where I have had the privilege of serving as a member in various Java Specification Requests (JSRs) expert groups including the Mobile Information Device Profile (MIDP) 2.0, MIDP 3.0, the Web Services API for Java ME, the Information Module Profile (IMP), the Content Handling API (CHAPI), The Java Language & XML User Interface Markup Integration, and others, and have been a contributor to other JSRs such as the Payment API, the Device Management API and the Mobile Service Architecture.

I was a founding member of Mobile Monday Austin, the Austin Wireless Alliance, and the Carnival of the Mobilists, and I lead the Austin Bootstrap Network's Mobile Subgroup. I also, as time permits, volunteer my time as a mentor of Software Engineering at the University of Texas at Austin, helping CS students on their senior year get ready for the "real" world.

I hold a B.S. in Computer Science from the University of Puerto Rico, and if I count my pre-college days I have close to 20 years of software development experience -- other experience are in product development and management. I currently live north of the beautiful Austin, Texas, U.S.A.

Enrique's Affiliations:

Association for Computing Machinery

Austin Technology Council

Austin Wireless Alliance

Bootstrap Austin

Carnival of the Mobilists

Digital Convergence Initiative

Java Community Process

Mobile Monday

Wireless Future

Other Mobility Sites

Terms of Use, Legal

Content (text, sources lines of code, illustrations and similar) published in this website is copyright work by C. Enrique Ortiz, unless such rights have been deferred by the author, in which case the copyright terms will be stated as appropriate. For content pointed to from this website, but published on other websites, visit the appropriate webiste for their copyright notice.

The content by C. Enrique Ortiz, such as the text of articles and blog entries can't be reproduced without permission. Members of the press and the blogosphere and others may cite portions of research data or text that is no more than a paragraph in length, provided they properly attribute its source, for example: "Source: C. Enrique Ortiz". The content of this website can't be used by Mechanical Turks or other for the purpose of providing answers for a fee, and the source must always be attributed as described in the previous sentence.

The source lines of code (SLOC) written by C. Enrique Ortiz and available in this website is copyright work by C. Enrique Ortiz, and it is free software that you can use as reference, derive from, redistribute and/or modify under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

All work, reference and usage, as reference or as a derivative work, including redistributions of text, code and images created by C. Enrique Ortiz and available in this website must retain the above attribution and Copyright notice.

Comments and opinions are my own, and do not necessarily represent the opinions of my employer, customers or others.

The following are registered trademarks of Sun Microsystems Inc.: Java, J2ME, J2EE, J2SE, Java ME, Java SE, Java EE, CLDC, CDC, MIDP, Java Card, and other related Java trademarks. All other registered trademarks are owned by their respective owners. This web site is not affiliated with Sun Microsystems Inc. or any other company.

C. Enrique Ortiz Mobility Resources

Technical Articles, Tips, and Opinions

The Security Gap in Wireless Mobility (Handsets)

About the Author

Enrique's Affiliations:

Other Mobility Sites

Terms of Use, Legal