
There are cracks in WAP
By Ben King
Published: 14 February 2002 17:35 GMT
Microsoft is telling users of its mobile applications that they can send confidential company information over wireless networks even though the technology they use isn't 100 per cent secure.
Microsoft's Smartphone 2002 - formerly known as Stinger - includes a multimode browser that supports both internet and wireless standards (HTML 3.2 and WAP 1.2.1), and includes the corresponding security standards, SSL (Secure Sockets Layer) and WTLS (Wireless Transport Layer Security).
The security architecture uses a two-stage process: WTLS encrypts traffic from the handset to the WAP gateway, and from the WAP gateway onwards the traffic is encrypted with SSL.
However, whilst in the WAP gateway, the traffic is unencrypted and vulnerable to hacking. It is a problem that has been known about for years, and many banks with secure WAP applications keep their WAP gateways behind a firewall to reduce their vulnerability to this kind of attack.
Jose Lopez, security analyst at Frost and Sullivan, said: "Since cell phone operators want to have some control over the data flow, unlike other standards, the WAP standard forces data to be encrypted at the user level, decrypted at the operator level and then encrypted again."
A spokesman for Microsoft said: "Rather than inventing and implementing a new and proprietary security standard for the Smartphone browser, we instead support the existing internet and wireless standards."
However, few companies will want to implement any kind of WAP-based solution without an end-to-end security system, and buying their own WAP gateway is an expensive option few will find attractive. This leaves them with the choice of using an HTML browser or nothing at all.
Microsoft's spokesman added: "Microsoft is proposing that companies use the protocols, mark-up languages and security standards they are comfortable with. With the Smartphone browser, you can achieve the same level of security you have on regular desktop browsers."
It's difficult to tell, until Microsoft's Smartphone launches, whether an HTML-based browser application will be genuinely usable. Existing wireless HTML browsers, however, are extremely cumbersome, and with data downloads being charged by the megabit, they will be expensive.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.