Application-Level Security
With so much attention given to the WAP gap and transport-level security, developers often forget about application-level security altogether. Application-level security matters in two main situations: (1) when protection is required beyond the endpoints of transport-level security, and (2) when the presentation content needs to be accessed but the enterprise data must not be. The second situation arises during transcoding, that is, when another markup language (often HTML) is transformed into WML.
The first scenario can be addressed using the techniques provided in the WML specification. In general, the defaults are the most secure settings, but the following points deserve attention:
- Any WML card that requests access to sensitive data should set sendreferer="true" in the <go> element.
- The script that handles requests for sensitive information should check the URL in the HTTP Referer header to make sure that the requests it handles come from friendly domains. Because the client supplies this header, treat it as one check among several rather than as proof of origin.
- Use HTTPS and require basic authentication. Relying on the phone's identity alone is not sufficient.
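The three points above, combined in one server-side check. This is an added example, not code from the tutorial: a WSGI-style handler that enforces HTTPS, matches the Referer host exactly against an allowlist, and requires HTTP Basic credentials. The domain, user and passphrase are constructed placeholders, and the card that links to the script is assumed to carry sendreferer="true".

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed placeholders: the domains allowed to originate requests and one
# test user. A real deployment would hold hashed credentials, not plaintext.
FRIENDLY_HOSTS = {"wap.example-enterprise.com"}
USERS = {"alice": "s3cret-passphrase"}


def referer_is_friendly(referer):
    """Exact host match against the allowlist (the deck itself must be HTTPS).

    startswith() matching would let wap.example-enterprise.com.attacker.invalid pass.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in FRIENDLY_HOSTS


def basic_header(user, password):
    """Build the Authorization value a phone sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_auth_ok(authorization):
    """Decode an HTTP Basic credential; compare the secret in constant time."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8"))


def authorize(environ):
    """Return (status, reason) for a WSGI environ; only 200 releases the data."""
    if environ.get("wsgi.url_scheme") != "https":
        return 403, "sensitive cards are served over HTTPS only"
    if not referer_is_friendly(environ.get("HTTP_REFERER")):
        return 403, "request did not originate from a friendly domain"
    if not basic_auth_ok(environ.get("HTTP_AUTHORIZATION")):
        return 401, "basic authentication required"
    return 200, "ok"
```

The order of the checks matters: the cheap transport and origin checks reject a request before any credential is decoded or compared.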
The second scenario can be addressed using WMLScript and the Crypto API. Using the signText function in that API, digital signatures can be created, which opens the door for a wireless PKI to issue and manage public key certificates. This technology allows for end-to-end encryption between the content provider (usually the enterprise) and the client.