A host computer processes, produces, and stores all the information for mobile commerce applications. This component is similar to that used in an electronic commerce system because the host computers are usually not aware of differences among the targets, browsers, or microbrowsers they serve. It is the application programs that are responsible for apprehending their clients and responding to them accordingly . Most of the mobile commerce application programs reside in this component, except for some client-side programs such as cookies. This component contains three major components : a Web server, a database server, and application programs and support software.

Web servers

A Web server is a server-side application program that runs on a host computer and manages the Web pages stored on the Web site's database. There are many Web server software applications, including public domain software from NCSA and Apache and commercial packages from Microsoft, Netscape, and others. Since April 1996, Apache has been the most popular HTTP server on the Internet; in May 1999, it was running on 57% of all Web servers. It was developed in early 1995 based on code and ideas found in the most popular HTTP server of the time, NCSA httpd 1.3. It has since evolved to rival (and probably surpass) almost any other Unix-based HTTP server in terms of functionality and speed. It features highly configurable error messages, DBM-based authentication databases, and content negotiation.

Database servers

A database server manages database access functions, such as locating the actual record being requested or updating the data in databases. Some popular databases are Oracle9 i , Microsoft Access, and IBM DB2. Other than the server-side database servers, a growing trend is to provide a mobile database or an embedded database to a handheld device with a wide range of dataprocessing functionality. The functionality is frequently very sophisticated, and the flat file system that comes with these devices may not be able to adequately handle and manipulate data. Embedded databases have very small footprints and must be able to run without the services of a database administrator and accommodate the low-bandwidth constraints of a wireless-handheld network. Some leading embedded databases are Progress Software databases, Sybase's Anywhere products, and Ardent Software's DataStage (Ortiz, 2000).

Application programs and support software

Web and database servers are mandatory for mobile commerce systems; application programs handle all server-side processing. However, to facilitate mobile commerce applications, some other support software is needed. For example, various programming languages, including Perl, Java, Visual Basic, C/C++, etc., and the CGI (Common Gateway Interface) are necessary to transfer information between a Web server and a CGI script are necessary.


Mobile security and payment are crucial issues for mobile commerce. Without secure commercial information exchange and safe electronic financial transactions over mobile networks, neither service providers nor potential customers will trust mobile commerce systems. From a technical point of view, mobile commerce over wireless networks is inherently insecure compared to electronic commerce over wired networks. The reasons are as follows :

  • Reliability and integrity: Interference and fading make the wireless channel error prone. Frequent handoffs and disconnections degrade the security services.

  • Confidentiality/Privacy: The broadcast nature of the radio channel makes it easier to tap. Thus, communication can be intercepted and interpreted without difficulty if no security mechanisms such as cryptographic encryption are employed.

  • Identification and authentication: The mobility of wireless devices introduces an additional difficulty in identifying and authenticating mobile terminals.

  • Capability: Wireless devices usually have limited computation capability, memory size , communication bandwidth, and battery power. This will make it difficult to utilize high-level security schemes such as 256-bit encryption.

Mobile Security

Security issues span the whole mobile commerce system, from one end to the other, from the top to the bottom network protocol stack, from machines to humans . We will focus only on issues exclusively related to mobile/wireless technologies. Lacking a unified wireless security standard, different wireless technologies support different aspects and levels of security features. We will thus discuss some well-known security issues (Tanenbaum, 2002) in WAP, GSM, Wi-Fi, and Bluetooth.

WAP security

In WAP, security is provided through Wireless Transport Layer Security (WTLS) protocol (in WAP 1.0) and IETF standard Transport Layer Security (TLS) protocol (in WAP 2.0). They provide data integrity, privacy, and authentication. The feature of data integrity ensures that the content of messages is not altered during transmission. Privacy makes sure that only the intended recipients can read the original content. Authentication verifies the identities of communication participants . One security problem, known as the "WAP gap", is caused by the existence of a WAP gateway in a security session. That is, encrypted messages sent by end systems might temporarily become clear text on a WAP gateway when messages are processed . One solution is to make the WAP gateway resident within the enterprise (server) network (Ashley, Hinton, & Vandenwauver, 2001), where heavyweight security mechanisms can be enforced.

GSM security

The Subscriber Identity Module (SIM) in GSM contains the subscriber's authentication information, such as cryptographic keys and personal identification numbers (PINs). It is usually implemented as a smart card consisting of microprocessors and memory chips. In GSM, short messages are stored in the SIM, and calls are directed to the SIM rather than the mobile terminal. This feature allows GSM subscribers to share a terminal with different SIM cards.

Wi-Fi security

The security of the IEEE 802.11 WLAN standard is provided by a data link-level protocol called Wired Equivalent Privacy (WEP). When it is enabled, each mobile host has a secret key that is shared with the base station. The encryption algorithm used in WEP is a stream cipher based on RC4. The ciphertext is generated by XORing the plaintext with a RC4-generated keystream . However, methods for breaking this approach have already been published (Borisov, Goldberg, & Wagner, 2001; Fluhrer, Martin, & Shamir, 2001; Stubblefield, Ioannidis, & Rubin, 2002). The next version, 802.11i, is expected to have better security.

Bluetooth security

Bluetooth provides security by using frequency hopping in the physical layer, sharing secret keys (called passkeys) between the slave and the master, encrypting communication channels, and controlling integrity. Its encryption uses a stream cipher called "E "; integrity control uses "SAFER+". Unfortunately, "E " has potential weaknesses as described in Jakobsson and Wetzel (2001) and Biryukov, Shamir, and Wagner (2000), and "SAFER+" is slower than the other similar symmetric-key block ciphers.

Mobile Payment

Developed by Visa International and MasterCard International, the Secure Electronic Transaction protocol (SET; is likely to become the global standard in the domain of electronic commerce over the Internet. It is a technical standard designed to provide security for payment transactions among cardholders, merchants , payment gateways, and certification authorities in wired networks. The SET mechanism is complex and thus is mostly used in desktop computers and servers. In a mobile commerce system, a WAP client device normally does not have sufficient processing and memory capability to utilize SET software. A "thin" SET wallet approach (Jin, Ren, Feng, & Hua et al., 2002) has thus been proposed to adapt the SET protocol for WAP clients .

Under the "thin" SET wallet model, most of the functionality of current "fat" SET wallets is moved to the wallet server. To support a SET payment, a WAP client installed with only a "thin" wallet securely connects with a wallet server, which communicates with other SET entities. When SET purchase requests arrive from the "thin" wallet, the wallet server takes over the responsibility of routing requests and managing digital keys and certificates.

Wireless cellular system operators have an advantage as they become primary mobile payment system providers because their existing service infrastructures already contain mature subscriber authentication and billing sub-systems such as SIM. They can thus act as middlemen, charging an extra service fee, when transactions between merchants and users take place using their network systems. The i-mode model is one of this type.

Another approach is referred to as the "dual-chip" solution. It uses a Wireless Identity Module (WIM) card holding cryptographic keys as a second authentication module for the WAP security service. WIM can be a part of a SIM smart card issued by a cellular system operator or it can be provided by a third party, such as a bank or a financial institution. Motorola's Star Tac Dual Slot handset is capable of reading a third-party WIM card.Current mobile payment standardization has mainly been developed by several organizations, as follows:

  • Mobey Forum ( Founded by a number of financial institutions and mobile terminal manufacturers, Mobey Forum's mission is to encourage the use of mobile technology in financial services.

  • Mobile Payment Forum ( Sponsored by credit card companies, including American Express, MasterCard International, and Visa International, the Mobile Payment Forum is dedicated to developing a framework for standardized, secure, and authenticated mobile commerce using payment card accounts.

  • Mobile electronic Transactions Ltd. (MeT; Sponsored by key handset manufacturers such as Ericsson, NEC, Nokia, Panasonic, Siemens, and Sony Ericsson, MeT's objective is to ensure interoperability of mobile transaction solutions. Its work is based on existing specifications and standards, including WAP.