The Wireless Application Protocol (WAP) was once hailed as the ultimate mobile Internet solution that would revolutionize how we use the Internet and mobile phones. As you may already know, it didn't. What is to blame? Is it bad technology, wrong time, or greedy network operators? Actually, is there a reason to blame anyone? This article introduces WAP with its related technologies and tries to answer these questions. Although WAP is available on a variety of wireless mobile networks, such as those employing Code Division Multiple Access (CDMA) IS-95, Time Division Multiple Access (TDMA) IS-136, International Mobile Telecommunications (IMT-2000), Universal Mobile Telecommunication System (UMTS), and Wideband Code Division Multiple Access (W-CDMA), in addition to GSM/GPRS, this article covers WAP over GSM/GPRS networks only.
A Case for WAP
Before looking at WAP itself, let's first recall what sparked its idea and development. As we all know, most if not all second-generation (2G) mobile phones and networks suffer from numerous limitations that make it impossible or impractical to use standard Internet protocols and technologies on today's mobile phones. The most visible of these limitations include the following:
|Low bandwidth (usually 9.6 kbps)|
|High network latency|
|Small, mostly monochrome displays|
All these limitations meant that it was necessary to develop an alternative suite of protocols and technologies that would work on these mobile phones but still provide functionality comparable to the standard Internet technologies used on wired networks and desktops. WAP was developed to address these issues.
WAP Forum and Open Mobile Alliance
The WAP Forum is the industry organization behind WAP and its associated protocols and technologies. In 2002, the WAP Forum and the Open Mobile Architecture Initiative merged, creating the Open Mobile Alliance (OMA), which will continue work on WAP 2 and develop new mobile and wireless solutions. Nearly 200 of the world's top network operators, vendors, and content providers are members of the Open Mobile Alliance. Other organizations such as the Location Interoperability Forum (LIF), Multimedia Messaging (MMS) Interoperability Group (MMS-IOP), SyncML Initiative, and Wireless Village Initiative have announced their support for the new organization.
Global System for Mobile Communications
GSM, or Global System for Mobile Communications, is used by more than 700 million people across 190 countries. In less than ten years after its introduction, GSM became the most popular and widely used digital mobile wireless communications standard in the world. GSM networks use TDMA technology and are fully digital, employing a unique voice codec known as GSM codec to provide relatively good voice quality using narrow bandwidth (usually 9.6 kbps). However, GSM is not as secure as many may think. Although it does use encryption and smartcard technology, this didn't result in strong security. As a result, it is possible to intercept and decrypt GSM communications, fake short text messages (Short Message Service [SMS]), and clone Subscriber Identification Modules (SIMs), miniature smartcards used to identify subscribers to the GSM network. GSM security is not the subject of this article, but it deserves attention and I hope to cover it in a separate article in this journal.
Wireless Application Environment
Before proceeding further, we should clarify one point. The term "WAP" is usually used to refer to the entire suite of protocols and technologies that are actually called the Wireless Application Environment (WAE). However, "WAP" is used everywhere to refer to WAE (which includes WAP). Because WAP is the commonly used term, we shall continue to use it as well.
Wireless Application Protocol
WAP protocols were expected to satisfy the following criteria in order to implement the objectives set by the WAP Forum:
|Independent of wireless network standard (bearer technology)|
|Open to all|
|Will be proposed to the appropriate standards bodies|
|Applications scale across transport options|
|Applications scale across device types|
|Extensible to new networks and transports|
The objectives of the WAP as defined by the WAP Forum follow:
|To bring Internet content and advanced data services to digital cellular phones and other wireless terminals|
|To create a global wireless protocol specification that will work across differing wireless network technologies|
|To enable the creation of content and applications that scale across a very wide range of bearer networks and device types|
|To embrace and extend existing standards and technology wherever appropriate|
Two major versions of WAP exist: Versions 1 and 2. WAP Version 2 is backward compatible with WAP Version 1 and tends to be more integrated with the newest Internet and Web standards than WAP 1. Although WAP uses many technologies and concepts from the Internet and Web worlds, because of their inherent limitations, WAP devices are unable to directly access Web resources on the Internet. To do so, they must use a WAP gateway. The following table shows the relationship between the WAP client device, WAP gateway, and Web servers on the Internet, with their protocol layers side by side:
|Web Client||WAP Gateway||Web Server|
The table shows that the main function of the WAP gateway is to translate between WAP and Web/Internet protocols, conventions, and encodings. In some cases the WAP gateway and the Web server may be the same system, eliminating the need for a separate WAP gateway and possibly improving performance; however, for this setup to work the combined WAP/Web server has to be integrated into the mobile/wireless network provider's infrastructure. In practice, network operators provide the WAP gateway services and content providers offer WAP content on separate Web servers configured for WAP access (any standards-compliant Web server can do this).
Wireless Session Protocol
The Wireless Session Protocol (WSP) is the WAP session-layer protocol for remote operations between a wireless (WAP) client and proxies, gateways, and servers. It functions above the Wireless Transaction Protocol (WTP) and the Wireless Datagram Protocol (WDP), and optionally, the Wireless Transport Layer Security (WTLS). The WSP provides a way for an organized exchange of data between client/server applications in a wireless environment. It provides such features as establishment and release of sessions between client and server; agreement on common functionality by way of negotiation; and exchange of data between client and server using compact encoding. WSP defines two subprotocols: a connection-oriented session service protocol over WTP and a connectionless service protocol over the WDP.
Wireless Transaction Protocol
WTP runs on top of the WDP and optionally, the WTLS protocol, and provides the request/response protocol used by WAP browsers to request and receive content. WTP is a reliable transaction-oriented protocol specially designed for wireless networks; in WTP there are no connection setup or release phases.
Reliability in WTP is achieved using transaction IDs, retransmissions, acknowledgments, and removal of duplicates.
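The four mechanisms just listed can be seen working together in a small model. This is an added example, not code from the original article, and it does not reproduce the WTP message format: the `Responder`, `LossyLink` and `transact` names and the drop pattern are constructed for illustration.

```python
# Toy model of transaction-style reliability with no connection setup:
# transaction IDs, retransmission, acknowledgment and duplicate removal.
# Hypothetical names; this is NOT the WTP wire format.

class Responder:
    """Runs each transaction once; a repeated TID gets the cached result."""
    def __init__(self, handler):
        self.handler = handler
        self.results = {}   # tid -> result kept until acknowledged
        self.executed = 0   # how many times the handler really ran

    def on_invoke(self, tid, payload):
        if tid not in self.results:          # first time this TID is seen
            self.results[tid] = self.handler(payload)
            self.executed += 1
        return self.results[tid]             # duplicates are answered from cache

    def on_ack(self, tid):
        self.results.pop(tid, None)          # initiator has the result; forget it


class LossyLink:
    """Drops messages following a constructed, deterministic pattern."""
    def __init__(self, drop_pattern):
        self.drops = iter(drop_pattern)

    def delivered(self):
        return not next(self.drops, False)


def transact(responder, link, tid, payload, max_tries=5):
    """Send an invoke and retransmit it with the same TID until a result
    comes back. Returns (result, transmissions_used)."""
    for attempt in range(1, max_tries + 1):
        if not link.delivered():             # invoke lost on the way out
            continue
        result = responder.on_invoke(tid, payload)
        if not link.delivered():             # result lost on the way back
            continue
        responder.on_ack(tid)                # acknowledgment closes the transaction
        return result, attempt
    raise TimeoutError(f"transaction {tid} gave up after {max_tries} tries")


def demo():
    # Constructed scenario: first invoke lost, first result lost, third try succeeds.
    responder = Responder(lambda request: request.upper())
    link = LossyLink([True, False, True, False, False])
    result, tries = transact(responder, link, tid=7, payload="get /index.wml")
    return result, tries, responder.executed, len(responder.results)


if __name__ == "__main__":
    print(demo())
```

The request is transmitted three times but executed only once, because the second copy that reaches the responder carries a transaction ID it has already answered.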
Wireless Datagram Protocol
WDP is the transport protocol of WAP. It operates directly above the bearer technology (such as GSM CSD or GPRS) and directly below WTP described previously. WDP provides a consistent, bearer-independent interface for the upper-level protocols to the transport service provided by WDP. In addition to the GSM Circuit Switched Data (CSD) and the General Packet Radio Service (GPRS), WDP supports the following wireless bearer technologies:
|GSM SMS||IDEN Packet Data|
|GSM Cell Broadcast||REFLEX|
|CDMA CSD||TETRA Short Data Service|
|CDMA Packet Data||TETRA Packet Data|
|CDMA SMS||DECT SMS|
|PDC Circuit Switched Data||DECT Connection-oriented Service|
|PDC CSD||DECT Packet Switched Service|
|PDC Packet Data||Mobitex|
When used over GSM CSD, WDP actually uses the User Datagram Protocol (UDP) in the following way:
Layer 4: UDP
Layer 3: Internet Protocol (IP)
Layer 2: Point-to-Point Protocol (PPP)
Layer 1: GSM CSD
When used over the GPRS, PPP at Layer 2 is not necessary, because GPRS works at Layers 1 and 2:
Layer 4: UDP
Layer 3: IP
Layers 1 and 2: GSM and GPRS
In all cases when IP is supported over a given bearer, UDP is used by WDP; actually, UDP is the WDP in these cases.
Wireless Control Message Protocol
Not surprisingly, Wireless Control Message Protocol (WCMP) resembles and corresponds to the Internet Control Message Protocol (ICMP) of TCP/IP networks. WCMP is used by WDP nodes to report errors and provide network information and diagnostics. However, WCMP is not necessary and is not used with bearers that support IP; the function of WCMP in these circumstances is carried out by ICMP. In particular, this is the case with GSM CSD and GPRS bearers.
Wireless Transport Layer Security
WTLS is the transport layer security protocol of the WAE that provides privacy, integrity, and authentication services. It is heavily influenced by the Transport Level Security (TLS) protocol Version 1 and includes additional support for optimized handshake, connectionless transport, and dynamic key refresh. WTLS, like other WAP protocols, is optimized for low-bandwidth, high-latency wireless networks and supports server and client certificates for mutual authentication. WTLS includes the following three subprotocols:
The following cryptographic algorithms are used by the Wireless TLS protocol:
|Elliptic Curve Diffie-Hellman (EC-DH)|
|Elliptic Curve DSA (EC-DSA)|
WTLS is tightly linked to and works in conjunction with the Wireless Public Key Infrastructure (WPKI).
Wireless Public Key Infrastructure
WPKI tries to reuse the existing Public Key Infrastructure (PKI) standards as much as practical to provide an adequate PKI framework for the WAE. Both X.509 and WTLS certificates can be used by WTLS.
Wireless Markup Language Version 1
The Wireless Markup Language (WML) Version 1 is used in WAP/WAE 1 and supported in WAE 2. Unlike usual HTML, it is a strict application of the Extensible Markup Language (XML), specially designed for use on narrowband devices. Also unlike HTML, WML has a metaphor of decks and cards. A deck contains one or more cards, and cards in turn contain one or more screens of user interaction. This metaphor helps increase efficiency on low-speed, high-latency wireless networks by bundling several screens into a single WML file (deck). WML supports all basic text display options, such as italic, boldface, and underlined text, as well as inter-card and inter-deck navigation using hyperlinks. The most apparent difference between HTML and WML noted by HTML developers is the fact that WML is a strict markup language and does not tolerate even seemingly little errors: an incorrectly written WML file will not display at all. Some would say this is an overkill but it is not; this feature of WML is important because compiled versions of WML files are sent to WAP clients by the WAP gateway instead of the source WML text files. This compiled bytecode is known as WMLC, and it considerably lessens the time it takes to download a WML document.
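The deck-and-card structure and the all-or-nothing strictness described above can be checked before a deck is published. The following is an added example, not part of the original article: the two sample decks, the card ids and the `check_deck` helper are constructed, and the check covers XML well-formedness and in-deck links only, not DTD validation or WMLC compilation.

```python
# Pre-publication check for a WML 1 deck (constructed sample content).
import xml.etree.ElementTree as ET

GOOD_DECK = """<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN"
  "http://www.wapforum.org/DTD/wml_1.1.xml">
<wml>
  <card id="home" title="Home">
    <p><b>News</b> <a href="#story">Read story</a></p>
  </card>
  <card id="story" title="Story">
    <p><i>WAP</i> explained. <a href="#home">Back</a> <a href="#missing">More</a></p>
  </card>
</wml>"""

# HTML-style sloppiness: the <b> element is never closed.
BAD_DECK = GOOD_DECK.replace("<b>News</b>", "<b>News")


def check_deck(source):
    """Return (accepted, card_ids, notes).

    A deck that is not well-formed XML is rejected whole, mirroring the
    behaviour described in the text: nothing is displayed at all.
    """
    try:
        root = ET.fromstring(source)
    except ET.ParseError as exc:
        return False, [], [f"not well-formed: {exc}"]
    if root.tag != "wml":
        return False, [], [f"root element is <{root.tag}>, expected <wml>"]
    cards = root.findall("card")
    if not cards:
        return False, [], ["deck contains no card"]
    ids = [card.get("id") for card in cards]
    notes = []
    for card in cards:
        for link in card.iter("a"):
            href = link.get("href", "")
            # "#name" is inter-card navigation inside this deck.
            if href.startswith("#") and href[1:] not in ids:
                notes.append(f"card {card.get('id')!r}: link {href} has no target card")
    return True, ids, notes


if __name__ == "__main__":
    for name, deck in (("good", GOOD_DECK), ("bad", BAD_DECK)):
        print(name, check_deck(deck))
```

The good deck is accepted with one note about the `#missing` link, while the deck with the unclosed `<b>` yields no cards at all.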
WML Version 2
WML version 2 is based on XHTML Basic with additional modules for support of features specific to wireless devices; this extended XHTML is called XHTML Mobile Profile (XHTML-MP). WML Version 2 is backward compatible with WML Version 1, so devices able to display WML 2 will also display WML 1 content. Use of XHTML shows that WAP in Version 2 is moving toward even closer integration with Internet and Web standards.
The Wireless Bitmaps (WBMP) file format (.wbmp) is used by WAP devices to transmit and display small and simple monochrome bitmap images.
CSD is the traditional data service provided by GSM networks. Also known as a data call service, it provides either a 9.6- or 14.4-kbps dialup facility and is supported by all GSM networks. Data calls are possible both from and to a GSM network. When used as a bearer for WAP, it serves at the physical layer of the Open System Interconnection (OSI) model, with PPP used in the usual way.
High-Speed Circuit Switched Data
The High-Speed Circuit Switched Data (HSCSD) service is similar in nature to CSD, but provides 28.8 or 43.2 kbps of bandwidth. It is not as widespread as the regular CSD, nor is it as asked-for as GPRS.
General Packet Radio Service
GPRS is an always-on, higher-speed alternative to the CSD service of GSM networks. It solves two of the most annoying issues of GSM data users: connection delay (the time it takes to set up a data call before data may be sent or received) and the bandwidth limitation, increasing the supported data rates to 48 kbps, with theoretical maximum of 171.2 kbps. Because GPRS is a connectionless packet service, GPRS terminals are always connected and may send and receive IP packets at any time. This makes possible applications such as instant messaging previously impossible or impractical with GSM CSD. Eight time slots are available for GPRS in GSM networks, but only five may be used simultaneously. The GPRS class supported by the GPRS terminal dictates what data rates are possible:
|Class 2:||Uplink 8-12 kbps, downlink 16-24 kbps|
|Class 4:||Uplink 8-12 kbps, downlink 24-36 kbps|
Uplink 16-24 kbps, downlink 24-36 kbps, or
Uplink 24-36 kbps, downlink 16-24 kbps
|Class 8:||Uplink 8-12 kbps, downlink 32-40 kbps|
Uplink 8-12 kbps, downlink 32-48 kbps, or
Uplink 16-24 kbps, downlink 24-36 kbps
Uplink 8-12 kbps, downlink 32-48 kbps, or
Uplink 16-24 kbps, downlink 24-36 kbps, or
Uplink 24-36 kbps, downlink 16-24 kbps, or
Uplink 32-48 kbps, downlink 8-12 kbps
In addition to the classes of GPRS service, there are three classes of GPRS terminals:
|Class A terminals can be connected to GSM and GPRS services simultaneously.|
|Class B terminals can be connected to both GSM and GPRS services, but can use only one service at a time.|
|Class C terminals can be connected to either GSM or GPRS services but the user has to switch between two modes of operation.|
When used as a bearer for WAP, GPRS works at the physical and data link layers of the OSI reference model. Because GPRS is connectionless and always on, there is no need for PPP, so IP works directly over GPRS.
So Why Aren't We Happy with WAP?
Many surveys of customer opinion show that the end users of WAP are not as happy as WAP developers and content providers wanted them to be. WAP service and content providers discovered that sign-up and usage rates of WAP services have not reached two-thirds of the total customer base once predicted. In short, WAP didn't change the world, and people still use their mobile phones mainly to talk to each other and send a text message or two. If you have used WAP, you probably know the reasons: the data transfer rate is slow, screens are small, charges are high, and it is tiring to type even a short URL or an e-mail message using the ten keys of a phone.
But wait a moment: are these limitations of WAP or the handsets and networks they use? Remember, WAP was required to work on devices with many limitations? So it does. Is WAP to blame that these devices have these limitations? No, that wouldn't be just. But of course it is not only today's technology restrictions that stood in the way of the widespread usage and popularity of WAP. Scarcity of WAP content and services also contributed to this. Relatively high charges for WAP/data usage by network operators didn't help either, so the combination of these issues resulted in the situation we have today: most networks support WAP but most users don't use it anyway.
Is the technology dead, as some think? Definitely not: there are millions of WAP handsets and most wireless users will not have 3G for the foreseeable future because of both technical and economic issues, so the only available solution for these users is WAP. On the other side, 3G networks and handsets are coming and will be upon us sooner or later (they are already available in some countries), and only time will show whether tomorrow's WAP will be more popular or less relevant when 3G finally arrives. And, of course, fundamental limits of mobile phones (screen sizes, power consumption, and input methods) will still remain relevant. Other issues, such as the time it takes to set up a CSD connection, are solved by newer technologies such as GPRS, and are not really faults of WAP. You may say that if GPRS is available why would you need WAP? Why not run trusted IP? Well, this is true if you are using GPRS with a laptop or a palmtop computer, but a large majority of mobile phones don't have the resources necessary to run IP, UDP, TCP, HTTP/HTTPS, POP, and SMTP, so even if GPRS is available but your equipment cannot run the full TCP/IP suite, your only choice is still WAP.
Although WAP is clearly not as popular as its proponents and developers hoped, it is still used and developed, and handsets that support only WAP are still sold. But the hype and excitement built up by the media and the industry didn't match the reality, and it is these unrealistic expectations that have broken the promise of WAP.
|DataTAC:||Motorola wireless data system|
|DECT:||Digital Enhanced Cordless Technology|
|DES:||Data Encryption Standard|
|DSA:||Digital Signature Algorithm|
|FLEX:||Motorola one-way paging system|
|IDEA:||International Data Encryption Algorithm|
|IDEN:||Integrated Dispatch Enhanced Network|
|MD5:||Message Digest 5|
|PDC:||Pacific Digital Cellular System|
|RC5:||Rivest Cipher 5|
|REFLEX:||Motorola two-way paging system|
|SHA-1:||Secure Hash Algorithm 1|
|TETRA:||TErrestrial Trunked Radio; Nokia open digital professional mobile radio standard|
|USSD:||Unstructured Supplementary Service Data|
For Further Reading
 Global System for Mobile Communications (GSM): http://www.gsmworld.com
EDGAR DANIELYAN, CISSP, CCNP Security, CCDP®, SCNA, TICSA, CIWCI Security is the principal partner at Danielyan Consulting LLP, an information security consultancy in London and Yerevan. He is a published author and editor specialising in UNIX, networking, and information security, having been a cofounder of a national ISP and manager of a country TLD. His book, Solaris 8 Security, was published by New Riders Publishing in English and by Pearson Education in Japanese. He is a member of IEEE, IEEE Standards Association, IEEE Computer Society, ACM, ISACA, USENIX, and the SAGE. E-mail: firstname.lastname@example.org