Security and WAP Gateways

A Wireless Application Protocol (WAP) gateway serves as an intermediary, decrypting the user's SSL connection and re-encrypting the information to send it to the mobile device.


For maintaining protection for the data transfer channel, WAP relies on a protocol called WTLS (Wireless Transport Layer Security).

For desktop browsers, when you connect to a site using SSL/TLS, your browser automatically verifies that the domain part of the URL matches the domain in the X.509 certificate that the HTTPS server presents when you connect to it. SSL certificates are tamper evident because the cryptographic signature is checked against the root certificates of the major certificate authorities. This check assures that the requesting party is connected to the right host and helps protect you against attack from an intermediary.

Many WAP gateways do not perform this check or, if they do, do not pass information about mismatches back to the user.

Wireless carriers help provide some security between the wireless device and the base station and across the physical network connecting base stations and switching centers. But a carrier's security measures end with the network and do not provide end-to-end, cross-platform security for any wireless device. For example, WAP Internet access introduces a point of potential vulnerability where the Wireless Transport Layer Security (WTLS) (which helps to maintain a restricted connection between the mobile device and the WAP gateway) changes to an SSL connection between the WAP gateway and the Web server. Some corporations are moving to enterprise control of their gateways as a means of assuring that the gateways are trusted.

For more about security, see Securing Applications and the ASP.NET Web Application Security sections of the Windows Software Development Kit (SDK) documentation.

Community Additions