1. Software Security & Privacy Risks in Mobile E-Commerce Kartikeya Kakarala CSCI 5939-Independent Study Wireless Application Protocols

2. Contents Introduction New Security & Privacy Risks Addressing the Software Risks Platform Risks Software Application Risks WML Script Security Risks of WML Script Conclusion

3. Introduction M-Commerce : E-Commerce obtained by Accessing the internet through the wireless devices. Major Applications of M-Commerce : Weather Reports,Sport Scores,Flight Info., Navigational Maps,Stock Quotes,email etc. According to Strategy Analytics by 2004, over 1 billion wireless device users, 600 million wireless internet subscribers and a $200 billion mobile e- commerce market is expected.

4. Introduction(Cont..) Because of such anticipated growth, new security and privacy risks abound in M-Commerce. Integrating Security and privacy into the M- Commerce applications would give a projected $25 billion market. On the other hand if Security is not properly met than it would cause to significantly dampen the consumer adoption rates.

5. New Security & Privacy Risks New hazards In wireless devices due to their mobility & communication medium. A single malicious domain could potentially compromise wireless devices through malicious downloads or simple denial of service. Rather than an attacker needing to pursue a target, targets can come to attackers in wireless networks by simply roaming through the attackers zone.

6. New Security & Privacy Risks(Cont..) Most Vendors implementations of the SSL or WTLS do not reauthenticate or recheck certificates once a connection is established. Simply Refreshing a browser to re-establish a connection may inadvertently introduce risks by redirection of the URL. Example a hacker can compromise the closest DNS server that routes a clients web request from a site X and redirect it to the hackers site.

7. New Security & Privacy Risks(Cont..) Attacks from the wireless devices would become easy. Another risk unique to mobile devices is the risk of loss or theft. Tracking of users by on-line web usage via Cookies,could lead to loss of privacy. Size &Time limitations make it more unlikely that a user would go through the privacy policies of a web site.

8. Addressing the Software Risks Security risks of wireless devices must be carefully analyzed and addressed. WAP gap wireless requests to web pages are translated at the WAP gateway from the WTLS protocol to SSL protocol, widely used in HTTP requests. If an attacker compromises the WAP gateway, could capture data when decryption is done. WAP gap problem Solved by simple modifications to existing protocols.

9. Platform Risks Platform or the Operating system The basic infrastructure for running M-Commerce application. Without a secure infrastructure on the device, it is not possible to attain secure M-Commerce. Present Scenario Many manufacturers do not provide with all the necessary requirements.

10. Platform Risks(Cont..) Many Manufacturers have failed to provide: Memory protection for processes Protected Kernel Rings File Access Control Authentication of principals to resources Differentiated User & process privileges Sandboxes for untrusted code etc. Due to lack of these features the platform becomes vulnerable to attacks.

11. Platform Risks(Cont..) To address these platform risks,the wireless device platforms need to : Enforce memory protection b/w applications. Strong Authentication mechanisms such as fingerprints recognition systems should be built into the devices. Software certificates should be used to authenticate software to the user before installing on the device.

12. Software Application Risks Low level languages In handheld devices cause the continuation of basic flaws like Buffer overflow etc. Application developers may forgo security features like encryption etc Due to Limited power, lack of Processing cycles, memory and bandwidth of the devices To increase online performance. Interesting software development The ability to send & execute mobile code. WML script is used to overcome software application risks.

13. WML Script The WAP equivalent of Java Script. It is used basically to provide a uniform interface to wireless applications. It is used to provide functions independent of the device brand. Achieving Interface functionality & Compatibility uniform for different phones regardless of the brand can be done by the development of WML Script Interpreter.

14. Security Risks of WML Script The security risks associated with WML Script are based on a fundamental lack of a model for secure computation. WML Script not a type-safe language. Without owners knowledge it can be pushed to a device by scheduled pulls from web pages or other WML Scripts. To achieve efficiency,it is compiled into a WML script bytecode downloaded by the client and run on a WML script virtual machine.

15. Security Risks of WML Script(Cont..) WML Script provides access to telephony functions through the WTAI. Access to a phones telephony facilities allows online service providers to : Accept/Initiate calls Send/Receive text messages Add/Search/Remove phonebook entries. Examine call logs Send tones during calls etc. To prevent this Permission functions through WTAI should be created.

16. Conclusion The Goal here was to highlight Key Security & Privacy Risks already apparent in these devices. The Platforms & Languages being developed for wireless devices have failed to adopt fundamental security concepts on Desktop machines. Encrypted Communication protocols are necessary to provide Confidentiality,Integrity and Authentication services for M-Commerce Applications. The best strategy for addressing security would be to implement it on Platform & Applications themselves, rather than to introduce security patches afterwards.

17. References Technical Paper on Software security & privacy risks in mobile E-Commerce By Anup K.Ghosh Tara M.Swaminatha www.wapforum.org