Security For Mobile Commerce Applications


Security for Mobile Commerce Applications

MARKO SCHUBA, KONRAD WRONA


Mobility Applications Lab
Ericsson Research
Ericsson Allee 1, 52134 Herzogenrath
GERMANY

Abstract: This paper describes security mechanisms necessary to make mobile commerce applications secure. An analysis of existing security functions in today’s mobile networks shows that a number of attacks on these mechanisms are possible, which in the end could lead to fraudulent mobile commerce transactions and loss of consumer trust in new mobile services. As an alternative, a basic security architecture for mobile networks is proposed, which eliminates the existing flaws and thus could form the basis for the development of secure mobile commerce applications.

Key-Words: mobile commerce, applications, wireless networks, mobile networks, security, and cryptography

1 Introduction

Mobile commerce is seen as one of the enablers for a large number of applications in future mobile networks. Obvious examples for such applications are those focussing on transactions, like mobile banking, brokerage, payment, retailing, ticketing or auctions. However, there also exist a large number of so-called infotainment applications, for example music, video or gaming, which need some form of transaction, e.g. to pay for the service. Although the transaction itself is only a minor part of the application, it is probably the most important part for the content provider. Finally, there is the huge number of business-to-business applications like mobile supply chain integration, telemetry, customer relationship management, or fleet management, which also need some form of transaction. Authentication for accessing data or changing them is crucial to make these applications secure.

As can be seen from the previous examples, security is an essential part of most mobile commerce applications. However, security in mobile networks differs fundamentally from the security in fixed networks. This is partly due to the fact that security in mobile networks is to a large extent controlled by the operator. As a result, the security between the user and a content or service provider is typically split into two domains, the operator acting as a translator between mobile and fixed network. This implies that both user and content provider have to trust the operator to handle data and transactions in a secure way, a prerequisite which is not always given in ad-hoc relationships to unknown operators (caused by roaming for example).

This paper describes the drawbacks of existing security architectures in mobile networks. Section 2 of the paper briefly describes the different existing mobile application environments. Section 3 deals with the security functions in those environments and discusses the shortcomings of these functions. As an essential part of security in the online world, different forms of authentication and their vulnerability are compared in section 4. In section 5 a basic security architecture overcoming the disadvantages described in the previous sections will be proposed. Section 6 finally gives some concluding remarks.

2 Mobile application environments

During the last couple of years, a number of mobile application environments have emerged in different geographic areas of the world. Europe for instance focuses on the Wireless Application Protocol (WAP), Japan is very successful with the i-mode system, and North America offers a number of systems as well.

2.1 WAP

The Wireless Application Protocol (WAP) is a standard for the presentation and delivery of wireless information and telephony services on different mobile phones and wireless terminals [1], [2]. It also supports several mobile networks and different bearers. The Wireless Application Layer, which is one out of five layers in WAP, includes a micro browser environment based on the Wireless Markup Language (WML) and WMLScript. WML is a lightweight markup language and, similar to HTML, can be seen as an XML application. It is intended for use in specifying content and user interface for narrow-band devices. WMLScript is a programming language based on standardized
European Computer Manufacturers Association (ECMA) Script. It is similar to JavaScript, but it has been modified to better support low bandwidth communication and thin clients.

2.2 i-mode

The i-mode system is a proprietary system developed by NTT DoCoMo in Japan [3]. The transmission of data is packet-oriented with a data rate of 9600 bps. I-mode pages have to be defined in a markup language called compact HTML (cHTML), which is actually a subset of HTML plus some additional i-mode tags. I-mode defines some special characters (e.g. symbols for joy, love, telephone etc.) and supports still and animated color pictures. Since the beginning of this year Java-enabled i-mode phones are available on the Japanese market. With these phones it is possible to download Java applets (called i-appli) from servers, e.g. for games, agent type services or other applications.

The i-mode service is very popular in Japan. There were nearly 19 million registered i-mode customers at the beginning of February 2001.

2.3 North American systems

In the USA several different approaches concerning wireless access to the Internet have been implemented, depending on the mobile devices being used. For mobile phones WAP and its predecessor, phone.com’s Handheld Device Markup Language, dominate [4]. Nevertheless, NTT DoCoMo, following its unquestionable success with the i-mode service in Japan, is working actively on spreading its service in this part of the world, too. For Palm OS devices Web Clippings is the most common way to access web sites, but there are also freeware applications enabling WAP-based Internet access for these devices [5]. For Research-In-Motion pagers, GoAmerica offers the GoWeb Internet access service [6].

3 Security problems in wireless networks

Security architectures in the existing wireless networks are influenced by two unfortunate factors:
• the belief in link layer security and
• the belief in two security domains.
These two circumstances, discussed in more detail below, determine to a great extent what can be and what cannot be done in the area of wireless applications.

3.1 Belief in link layer security

Most wireless networks were designed around the assumption that wireless is a simple extension or replacement to the wired network and therefore the main goal was to secure the wireless link to be equivalent to the “wired” one. This methodology is most clearly visible in wireless local area networks (WLAN) based on the 802.11 standard [7], where the security layer is even called Wired Equivalent Privacy (WEP). The same approach has been used in GSM [8], IS-41 [9], PHS [10] and Bluetooth networks [11]. A number of successful attacks on these systems shows the vulnerability of the wireless link.

3.1.1 Attacks on the GSM security

A number of attacks exist for the GSM system (see e.g. [12]). One of them uses the “weaknesses” in the authentication protocols of GSM to determine the IMSI (international mobile subscriber identity). Based on this information it is possible to signal to the mobile phone that it should stop encrypting the information sent between the phone and its base station.

Another vulnerability of GSM is the fact that some operators use radio links to connect their base stations. Often, these links are not encrypted at all.

Finally, a number of attacks have been carried out on the stream cipher algorithm of GSM, the A5 algorithm [13, 19].

3.1.2 Attacks on the Bluetooth systems

The flaw discovered in Bluetooth is related to the key exchange protocol used by Bluetooth devices [18]. What is needed is a bugging device within the coverage area of the Bluetooth devices. Listening to the conversation, the device is able to obtain enough information to determine the encryption key used by these devices. With the encryption key it is then an easy task to listen to the complete conversation.

Other weaknesses of the Bluetooth system are related to the stream cipher used and the generation of the initialization key based on the PIN code. Moreover, it is possible to track users based on their Bluetooth device address [14].

3.1.3 Attacks on the WLAN security

The Wired Equivalent Privacy (WEP) protocol of the IEEE 802.11 standard for wireless local area networks (WLAN) implements mechanisms for confidentiality and integrity of the data to be exchanged wirelessly.
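How WEP's confidentiality mechanism behaves when an Initialization Vector repeats, as an added example that is not part of the paper. It relies on the 802.11 WEP design rather than on this text (the per-packet RC4 key is the 24-bit IV followed by the shared secret, and the integrity check is a CRC-32); the secret, IVs and payloads are constructed sample data.

```python
import math
import zlib
from collections import defaultdict


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then `length` output bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: (plaintext || CRC-32 integrity check) XOR RC4(IV || secret)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, rc4_keystream(iv + secret, len(body)))


def reused_ivs(frames):
    """Audit captured (iv, ciphertext) pairs: {iv: count} for every IV seen more than once."""
    counts = defaultdict(int)
    for iv, _ in frames:
        counts[iv] += 1
    return {iv: n for iv, n in counts.items() if n > 1}


def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when the keystream cancels out, i.e. c1 XOR c2 equals p1 XOR p2."""
    n = min(len(p1), len(p2))
    return xor(c1, c2)[:n] == xor(p1, p2)[:n]


def frames_until_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with `probability`."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample capture: a 40-bit secret and three frames, two sharing an IV.
SECRET = bytes.fromhex("0102030405")
P1 = b"GET /balance HTTP/1.0"
P2 = b"POST /transfer amount"
FRAMES = [
    (b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", SECRET, P1)),
    (b"\x00\x00\x02", wep_encrypt(b"\x00\x00\x02", SECRET, P1)),
    (b"\x00\x00\x01", wep_encrypt(b"\x00\x00\x01", SECRET, P2)),
]

if __name__ == "__main__":
    print("IVs reused in capture:", reused_ivs(FRAMES))
    print("same IV leaks P1 xor P2:",
          leaks_plaintext_xor(FRAMES[0][1], FRAMES[2][1], P1, P2))
    print("frames until 50% chance of IV repeat:", frames_until_collision())
```

With a 24-bit IV space a repeat is expected after only a few thousand frames, which is why an IV-reuse audit of any WEP capture finds collisions quickly.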
WEP uses the well-known RC4 stream cipher for encryption, operating by expanding a short shared secret key (40 to 104 bits in case of WEP) into a pseudo-random key stream. Packet integrity is ensured by using an Integrity Check field. To avoid encrypting two packets with the same key stream, an Initialization Vector is used together with the shared secret key in order to generate a different RC4 key for each packet. Unfortunately, both of these measures are used incorrectly, resulting in security flaws. In particular, the following types of attacks are possible [17]:
• Decrypting traffic based on statistical analysis or on tricking the access point.
• Dictionary-building that allows real-time automated decryption of all traffic.
• Injecting new traffic from unauthorized mobile stations.
All of these attacks are practical to mount using only inexpensive off-the-shelf equipment.

3.2 Belief in two security domains

In the past communication networks were built around a model of a user subscribing for a service provided by a particular operator. The charges have been billed to the user account on a monthly basis and it has been assumed that there exists a certain amount of trust between subscriber and provider/operator. The operator was supposed to provide the subscriber with an honest list of charges (i.e. mainly connection related charges) and the user was expected to pay her bills more or less timely and reliably. The user typically relied on the operator and law framework to ensure privacy and integrity of her communication. Authentication was only a minor issue for voice services.

This model is not necessarily true in the rapidly evolving mobile environment. Most new subscribers are pre-paid users, with a sort of an ad-hoc relation to the operators. Also roaming situations force users to frequently access services from unknown network operators. The privacy policy and standards implemented by the respective operators are usually unknown to the users.

Despite all these uncertainties, all existing wireless networks and wireless application environments, e.g. WAP, rely on a trusted operator-subscriber domain. Only the rest of the world is not trusted. This model, involving two separate security domains, has important consequences for the implementation of secure mobile applications. The most important implication is that every secure transaction involves three separate entities (i.e. provider, operator and user) and thus requires both provider and user to trust the additional middleman (i.e. operator). This trust is required for the following reasons:
• None of the end parties (i.e. provider and user) can be sure that the connection is really continued in a secure manner behind the operator proxy.
• The content of the connection is being decrypted and encrypted in the operator’s proxy, making it vulnerable to possible attacks by both the "trusted" operator or third parties (i.e. hackers). The end parties have to trust the operator to ensure and enforce an adequate security policy concerning both remote and physical access to the proxy server and its premises.
• No end-to-end authentication is possible.

The predominant technology used on the provider-operator link is the SSL protocol [16]. The way in which messages, if at all, are secured on the link between mobile operator and mobile user depends on the mobile application environment and class of device being involved. For WAP, the Wireless Transport Layer Security (WTLS) protocol is being used. HDML uses a form of an encrypted Handheld Device Transport Protocol. I-mode offers no data encryption between the mobile terminal and the operator’s proxy at all, though SSL can be used between the operator’s and the service provider’s domain. With i-appli it is possible to have an SSL connection to the mobile device, but this is restricted to Java phones. GoAmerica, Palm and others implement proprietary transport layer security protocols, mostly based on elliptic curve cryptosystems.

At least some level of end-to-end security can be provided in WAP by using WMLScript with a cryptographic API. Currently, there is only one WMLScript cryptographic API function defined, signText(), which provides users with the ability to sign text messages. This can be used for simple user authentication and contract signing. Unfortunately, the WMLScript programs are sent through the operator’s gateway, so there is no guarantee that they will not be skipped or modified on their way to the user. Even if the operator is a trustworthy entity, there are several ways of impersonating e.g. a merchant server. Because WAP lacks higher layer server authentication, a user has no way of authenticating the source of a signing request, which makes him vulnerable to classical man-in-the-middle attacks. An attacker can masquerade as a legitimate server and request the user to sign contracts/challenges, which then can be used to authenticate some bogus transactions on
behalf of the user. In case of a simple password-based authentication, an attacker can generate a WML interface identical to the legitimate server pages and in this way trick the user into disclosing her password or authentication information, which can be used for authentication in subsequent transactions.

Some application developers rely on building custom applications in order to provide security through additional authentication handshakes etc., but this would require support by the phone which cannot be expected, at least in the mass market, for the next couple of years. A simpler approach, which would offer application layer security with existing WAP devices, is to implement basic cryptographic functionality with WMLScript arithmetic operations. This is important, especially in the short term, since most of the WAP terminals available today belong to the so-called WTLS class 0 terminals, which literally means that they do not implement WTLS at all and thus provide no transport layer security. However, a drawback of this approach is the possibility of man-in-the-middle attacks like in the signText() case, because neither server nor content authentication exists with this kind of terminals.

4 Authentication of the mobile user in WAP

As the previous section has shown, authentication is a fundamental part of security in mobile commerce applications. The most common authentication mechanisms used or planned for mobile WAP handsets are discussed below.

4.1 Weak authentication

Weak authentication of a mobile user can be achieved by forwarding the user’s authentication information from the WAP Gateway to an application server (e.g. an online shop).

There are several ways of performing authentication in the WAP Gateway:
• No authentication: The WAP Gateway does not authenticate the subscribers of the WAP services.
• Basic proxy authentication: The WAP Gateway uses the HTTP Proxy-Authorization header with the correct UserId and password in all requests.
• MSISDN (Mobile Station ISDN Number): In this case authentication is performed based on the subscriber’s MSISDN.
• MSISDN or basic proxy authentication: This variant requires either the MSISDN or the UserId/password provided by the subscriber as part of the basic proxy authentication to be correct.
• MSISDN and basic proxy authentication: This variant requires both the MSISDN and the UserId/password to be correct in order to allow access to the WAP services.

Authentication can be performed either towards a database in the WAP Gateway or towards an external database by using LDAP. Authentication is only performed at session set-up. If authentication fails the subscriber is blocked.

The authentication scheme depends on WAP stack configuration, i.e. connection-less with and without WTLS or connection-oriented with and without WTLS.

The WAP Gateway is capable of forwarding user information to application servers. This makes it possible for application servers to present personalized services without having to prompt the subscriber for authentication/identification.

If the function is activated the available user information is forwarded according to the following:
1. Trusted servers: user information is sent in clear text.
2. Semi-trusted servers: user information is sent encrypted.
3. Non-trusted servers: user information is not sent.

When user information is forwarded to application servers it is sent as cookies in the HTTP header field. The following format is used to identify the cookies:
• Cookie: User-Identity-Forward-msisdn=msisdn
• Cookie: User-Identity-Forward-userid=userid
• Cookie: Ip-Address=ip-address
Only information that is available is sent (i.e. no blank strings are sent).

4.2 Client ID authentication

The WAP Forum is currently working on the concept of Client IDs, which could be sent to the application server beyond the WAP gateway. Depending on the server’s capabilities the Client ID is either transported as a WTLS layer parameter or as user name of the WSP (Wireless Session Protocol) proxy authentication. A major drawback of this approach is the exposure of a unique user’s terminal ID to external servers, which might cause a lot of privacy concerns. It is also rather unlikely that
a Client ID would be authenticated in any form. Therefore its usefulness for user authentication via more than one domain is rather questionable.

4.3 signText authentication

The signText() function from the WMLScript Crypto Library can be used for challenge-based user authentication. In such a scenario a server sends a text challenge to the user. Such a challenge should be a one-time random number, in order to guard against replay attacks. However, signText currently requires the WAP client to present a server-defined text to the user. Using a challenge as text would result in a meaningless string of bytes shown to the user. On the other hand, adding any meaning or structure to the challenge would reduce its entropy and thus also enable the application of cryptanalysis to the signature and thus to the user’s private key.

A second problem with the use of signText for challenge-based authentication is the lack of server authentication. This enables man-in-the-middle attacks, where a malicious server can try to force a WAP client to sign a challenge used thereafter for authorizing a completely different, and fraudulent, transaction.

Another form of man-in-the-middle attack is a WML application with a user interface similar or identical to the signText() user interface. Thus, the user may be tricked into passing her local non-repudiation PIN, which has to be entered for the signature, to the attacker.

A last and less dangerous attack may be performed in the same way with the goal of making the user believe she is signing something, without signing anything at all.

Integrating authentication of the server and its challenge can solve the last three problems.

4.4 encryptAndEnvelopeText authentication

The function encryptAndEnvelopeText requests a client to encrypt (and envelope) a text string. The encryption takes place using a symmetric encryption algorithm with a key generated by the client. This content encryption key is transported to the recipient after being encrypted with the recipient’s public key. The recipient’s public key is sent to the client as part of the function.

The problems with authentication based on encryptAndEnvelopeText() are similar to those encountered with signText(). The lack of server authentication enables man-in-the-middle attacks, where a malicious server could try to force a WAP client to encrypt a challenge/PIN used thereafter for authorizing a completely different and fraudulent transaction.

4.5 SIM Application Toolkit authentication

This solution provides digital signatures or MACs (Message Authentication Codes) to be generated at the client based on the SIM Application Toolkit (SAT) technology. Using this technology an end user can browse using a WAP device and when the content provider requires a contract to be digitally signed, it is delivered using SMS to an application in the SIM card of the mobile terminal. The end user accepts the contract and it is digitally signed in the SIM, thereby providing end-to-end security.

Typically such a solution provides two security features: end-to-end WPKI RSA SAT security and end-to-end symmetric 3DES SAT security.

4.6 Signed content authentication

In recent months there has been a discussion about inclusion of signed content into the WAP specification. Signed content can provide integrity, message authentication and identification of the content signer at the same time. However, signed content only makes sense if the operator is removed from the man-in-the-middle role. Therefore, it has to be ensured that a WAP Gateway does not modify the signed content on its way from the origin server to the WAP client.

Signed content could not only be used for authentication purposes, but also to transport WMLScripts for further cryptographic operations, as discussed in section 3.2. Such a script, which cannot be altered by a third party, would allow for example application layer encryption between the terminal and the content server.

5 A basic security architecture for mobile commerce applications

According to the previously discussed problems, a good security architecture for wireless systems would consist of the following parts, described in more detail below:
• end-to-end security,
• basic crypto API,
• downloadable authenticated content,
• personal trusted device environment,
• trust management infrastructure (e.g. public key infrastructure), and
• simple and consistent user interface.

The fundamental prerequisite for secure mobile commerce applications is end-to-end security, i.e.
the removal of the mobile network operator as man-in-the-middle. The end-to-end functionality includes both data confidentiality/integrity as well as mutual authentication of parties involved in the commerce transaction. Neither of these can be achieved in a reasonably secure way when deploying existing two-domain security models. In particular, in order to support end-to-end security it should be possible to transport data transparently from the mobile device through the operator network to the content server and vice versa.

It is also important to provide generic cryptographic functionality as a part of the terminal functionality, which can be accessed from the application layer. Basic cryptographic algorithms like AES or SHA-1 would be nice to have there. The more specialized functions required by particular mobile commerce applications could also be realized through script implementation and downloaded to the terminal in an authenticated way, i.e. using signed content as described in section 4.6.

Virtually every electronic commerce transaction requires the user to perform some kind of secret-based operation (e.g. cryptogram or digital signature generation) or to reveal confidential information (e.g. credit card number or password). Therefore, a mobile terminal should be equipped with tamper-resistant storage and mechanisms enabling access control and authenticated modification of its content.

Additionally, a public key infrastructure (PKI) for party and content authentication has to be established. Efficient functionality for certificate management (e.g. requesting and revoking), distribution and validation has to be available at the application layer.

Last but not least, mobile commerce applications should provide a consistent user interface, enabling easy access to the security functions and intuitive information about the security level available for the particular transaction. It is important to guard the user against attackers imitating the service and dialog interface of a legitimate commerce partner, e.g. a mobile banking server. The restricted capabilities of the user interface in mobile devices make such imitation attacks even easier in the mobile environment than on the Internet, where they were successfully deployed during the last few years.

6 Conclusions

This paper described the problems related to security in the context of mobile commerce applications. There are a number of security flaws in the area of mobile networks. Some of them are related to link layer security, others are based on the fact that the security in today’s mobile networks is to a large extent controlled by the mobile network operators. Looking at different methods for authentication of the parties involved in mobile commerce revealed the problems with respect to authentication. As a result, both consumer and content provider have to trust the operator to act honestly.

In order to overcome the security limitations of existing systems, a basic security architecture for mobile commerce applications has been proposed. Using such an architecture it should be possible to secure mobile commerce transactions end-to-end and thus reduce the possibility of fraud.

References:

[1] Wireless Application Protocol Architecture Specification - Version 30. April 2000, available online at: http://www.wapforum.org.
[2] More information available at http://www.wapforum.org/.
[3] More information available at http://www.nttdocomo.com/.
[4] More information available at http://www.phone.com/.
[5] More information available at http://www.palm.com/.
[6] More information available at http://www.goamerica.com/.
[7] 8802-11:1999 (ISO/IEC) IEEE Standard for Information Technology - Telecommunications and information exchange between systems - LAN/MAN - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications 1999.
[8] M. Mouly, M.-B. Pautet, The GSM System for Mobile Communications, published by the authors, 1992.
[9] M. D. Gallagher, R. A. Snyder, Mobile Telecommunications Networking With IS-41, McGraw-Hill Series on Telecommunications, 1997.
[10] W. H. W. Tuttlebee, Cordless Telecommunications Worldwide: The Evolution of Unlicensed PCS, Springer, 1997.
[11] Specification of the Bluetooth System - Version 1.1, February 2001, available online at: http://www.bluetooth.com.
[12] H. Federrath, Protection in Mobile Communications, in: G. Müller, K. Rannenberg (Eds.): Multilateral Security in Communications, Addison-Wesley-Longman, 1999, pp. 349-364.
[13] J. D. Golic, Cryptanalysis of Alleged A5 Stream Cipher, in Advances in Cryptology -- EUROCRYPT '97, Proceedings of International Conference on the Theory and Application of Cryptographic Techniques, Walter Fumy (Ed.), Springer, 1997, pp. 239-255.
[14] J. T. Vainio, Bluetooth Security, Dept. of Computer Science and Engineering, Helsinki University of Technology, 2000. Available online at: http://www.niksula.cs.hut.fi/~jiitv/bluesec.html.
[15] S. Uskela, Security in Wireless Local Area Networks, Dept. of Electrical and Communications Engineering, Helsinki University of Technology, 1997. Available online at: http://www.tml.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html.
[16] A. O. Freier, P. Karlton, P. C. Kocher, The SSL Protocol - Version 3.0, Internet Draft, March 1996. Available online at: http://home.netscape.com/eng/ssl3/ssl-toc.html.
[17] N. Borisov, I. Goldberg, D. Wagner, Intercepting Mobile Communications: The Insecurity of 802.11, draft, February 2001. Available online at: http://www.isaac.cs.berkeley.edu
[18] M. Jakobsson, S. Wetzel, Security Weaknesses in Bluetooth, January 2001. Available online at: www.research.bell-labs.com
[19] A. Biryukov, A. Shamir, Real Time Cryptanalysis of the Alleged A5/1 on a PC, December 1999
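
Added example for section 4.1, not part of the paper: an application server that accepts the WAP Gateway's forwarded identity cookies only from the gateway's own addresses and rejects duplicate, blank or malformed values. The cookie names are those listed in section 4.1; the gateway address range and the userid character set are assumptions.

```python
import ipaddress
import re

# Assumption: the operator publishes the address range of its WAP Gateway(s).
# 192.0.2.0/28 is a documentation range used here as a placeholder.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/28")]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Cookie names from section 4.1, each with a validator for its value.
# MSISDN: up to 15 digits (E.164). The userid pattern is an assumed policy.
VALIDATORS = {
    "User-Identity-Forward-msisdn": re.compile(r"\+?[0-9]{6,15}").fullmatch,
    "User-Identity-Forward-userid": re.compile(r"[A-Za-z0-9._@-]{1,64}").fullmatch,
    "Ip-Address": _is_ip,
}


def from_gateway(peer_ip: str) -> bool:
    """True if the TCP peer address lies in a known gateway network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in GATEWAY_NETS)


def forwarded_identity(peer_ip: str, headers):
    """Return {cookie-name: value} or None if the request must not be trusted.

    `headers` is the list of (name, value) pairs received by the server.
    Even a non-None result is only the gateway's assertion about the user
    (weak authentication), not proof supplied by the user.
    """
    if not from_gateway(peer_ip):
        return None                  # any HTTP client can send these cookie names
    found = {}
    for name, value in headers:
        if name.lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, sep, val = pair.strip().partition("=")
            if key not in VALIDATORS:
                continue             # unrelated application cookie
            if not sep or key in found or not VALIDATORS[key](val):
                return None          # duplicate, blank or malformed: reject all
            found[key] = val
    return found or None


# Constructed sample request headers.
SAMPLE = [
    ("Cookie", "User-Identity-Forward-msisdn=491700000001"),
    ("Cookie", "Ip-Address=10.20.30.40"),
]

if __name__ == "__main__":
    print(forwarded_identity("192.0.2.5", SAMPLE))     # from the gateway
    print(forwarded_identity("203.0.113.9", SAMPLE))   # from elsewhere: None
```

Duplicates are rejected because the paper does not say whether a gateway strips a copy of these cookies supplied by the handset itself.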

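
Added example for sections 3.2, 4.3 and 4.4, not part of the paper and not WMLScript: one way to integrate authentication of the server and its challenge, so that the user signs only a request carrying a valid signature from a known server, and the user's signature covers server name, one-time nonce and displayed text together. Textbook RSA over SHA-256 with tiny constructed keys stands in for real signatures so the code runs on the standard library; all names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by the demo keys


def keypair(p: int, q: int):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(n: int, *fields: str) -> int:
    """Hash length-prefixed fields, so shifting bytes between fields changes the hash."""
    h = hashlib.sha256()
    for field in fields:
        data = field.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % n


def sign(n: int, d: int, *fields: str) -> int:
    return pow(digest(n, *fields), d, n)


def verify(n: int, sig: int, *fields: str) -> bool:
    return pow(sig, E, n) == digest(n, *fields)


# Constructed demo keys built from Mersenne primes; far too small for real use.
BANK_N, BANK_D = keypair(2**127 - 1, 2**107 - 1)
USER_N, USER_D = keypair(2**89 - 1, 2**61 - 1)
ROGUE_N, ROGUE_D = keypair(2**61 - 1, 2**31 - 1)
TRUSTED = {"bank.example": BANK_N}   # stands in for certificate validation via a PKI


class Server:
    def __init__(self, name: str, n: int, d: int):
        self.name, self.n, self.d = name, n, d
        self.pending = {}            # nonce -> text, removed on first use

    def request(self, text: str) -> dict:
        """Issue a signing request: the server signs its own name, nonce and text."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = text
        return {"server": self.name, "nonce": nonce, "text": text,
                "sig": sign(self.n, self.d, self.name, nonce, text)}

    def accept(self, nonce: str, user_sig: int, user_n: int) -> bool:
        """Accept a user signature once, and only for the text issued with this nonce."""
        text = self.pending.pop(nonce, None)     # a replayed nonce finds nothing
        return text is not None and verify(user_n, user_sig, self.name, nonce, text)


def client_sign(req: dict):
    """Sign only requests that carry a valid signature from a trusted server."""
    fields = (req["server"], req["nonce"], req["text"])
    n = TRUSTED.get(req["server"])
    if n is None or not verify(n, req["sig"], *fields):
        return None                  # unknown server, forged or altered request
    return sign(USER_N, USER_D, *fields)


if __name__ == "__main__":
    bank = Server("bank.example", BANK_N, BANK_D)
    req = bank.request("Pay 10 EUR to shop.example")
    sig = client_sign(req)
    print("first use accepted:", bank.accept(req["nonce"], sig, USER_N))
    print("replay accepted:", bank.accept(req["nonce"], sig, USER_N))
```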