sarikan
Architecture question about wap gateways and security
Jun 28, 2007 11:51 AM
Hi,
At the moment I am testing a mobile asp.net page which seems to work fine. Although there are some issues which make me scratch my head from time to time, they deserve their own posts.
The problem at hand is to choose an architecture for a mobile system that will be used to transfer very sensitive data (like credit card numbers) over ssl. The level of security that is required is not different from an ordinary browser app, which means https, usual stuff.
When it comes down to mobile browsers, things get a little bit complicated. First of all there is the issue of wap gateways. There are three or more mobile operators who provide services to users and a user can be getting his/her services from any of these. So if I am not mistaken, operators may choose to use a wap gateway for xhtml/chtml communication, which means that any information between our asp.net server and mobile phone may be subject to decryption in a wap gateway. At the moment the asp.net mobile web page is forced to generate xhtml no matter what the client is, but does this mean that there is no wap gateway in the middle during the communication between phone and asp.net server?
The existence of a wap gateway makes the security issue a problem, since we have to trust the mobile operator who will be a man in the middle between phone browser and our asp.net server. Is there a way to check if there is a wap gateway in the communication from the server side?
In case mobile shopping over cell phones is considered, what kind of reference architectures can be recommended (if any exist), so that the users will have minimum hassle? For example we can set up a wap gateway (if it is a must for xhtml over gprs, which I am not sure) but that'd mean the users would have to set up their phones to our wap gateway, which is a clear inconvenience.
Any help would be appreciated a lot.
Best Regards
Seref Arikan