Hi to everybody. I must develop a payment application on Symbian, and it is very important to know if this system has any failures or bugs in terms of security. For instance, is it possible that third parties get to know your credit card number when you purchase on the net?
Has anybody a great knowledge of security on Symbian?
Thanks in advance!!!
In terms of data transmission alone, WAP has a semi-secure version of SSL. That is, you can open a secure WAP connection and transmit POST or GET requests. However, the data is decrypted on the gateway and then re-encrypted using HTTPS before it makes its way to the destination web server. There is a small security risk should the gateway be compromised. You can specify your own WAP gateway but then you would have problems with access points on the phone. This is why many banks offering WAP access do not allow it over public (carrier) WAP gateways and force you to use their own dial-in number.
You can implement your own end-to-end security if you wish. I'm not sure if there are any primitives built into Symbian 6.1 that would help with this. There is a Cipher example in 6.1 but I haven't looked at it.
Databases can be encrypted on Symbian and opened with a key. I'm not sure if this encrypts the whole database or stops the API from opening a database if the key is not authenticated. You should probably encrypt anything sensitive that you store on the phone.
A Symbian phone can also be compromised by trojan-type programmes such as key loggers. I doubt that any exist yet.
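An added example, not part of the original thread: a Python model of the gateway hop described in the reply, comparing a request protected only by the transport with one that is also sealed end to end by the application. The key, the POST body and all names are constructed, the key is assumed to be pre-shared between the handset application and the bank, and the HMAC-based encrypt-then-MAC construction is a standard-library stand-in for a vetted authenticated cipher.

```python
import hashlib, hmac, os

KEY = bytes(range(32))  # constructed key; assumed pre-shared between handset app and bank
BODY = b"pan=4111111111111111&amount=10.00"  # constructed POST body with a test card number

def _subkeys(key):
    # Separate encryption and MAC keys derived from the shared key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream: a stdlib stand-in for a vetted AEAD.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("truncated payload")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("payload modified in transit")
    return _xor_stream(enc, nonce, ct)

class Gateway:
    """Models the gateway hop: the handset-side secure session ends here."""
    def __init__(self, tamper=False):
        self.seen, self.tamper = [], tamper
    def relay(self, body):
        self.seen.append(body)  # what a compromised gateway could log
        return body[:-1] + bytes([body[-1] ^ 1]) if self.tamper else body

def transport_only(gw):
    return gw.relay(BODY)  # bank receives it, but the gateway saw the plaintext

def end_to_end(gw):
    return unseal(KEY, gw.relay(seal(KEY, BODY)))  # gateway only relays an opaque blob

if __name__ == "__main__":
    for fn in (transport_only, end_to_end):
        gw = Gateway()
        fn(gw)
        print(fn.__name__, "gateway saw card number:", b"4111111111111111" in gw.seen[0])
```
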