Description
Web Application Security (WAS) in 3GPP refers to the systematic study and standardization of security mechanisms for web applications that interact with, or are hosted within, mobile network operator environments. The work matters because network functions and service capabilities are increasingly exposed through web-style APIs (typically RESTful APIs over HTTP with JSON payloads), and the applications consuming them are built with ordinary web technology. The WAS work item analyzes the threat model for such applications, which covers the classic web vulnerabilities (cross-site scripting (XSS), cross-site request forgery (CSRF) and injection attacks) together with telecom-specific threats that arise from access to sensitive network APIs such as location and subscriber data.
The architectural focus of WAS is on securing the interfaces between web applications and the network exposure functions, such as the Network Exposure Function (NEF) in 5G or the Service Capability Exposure Function (SCEF) in 4G. It defines security requirements and guidelines for API gateways, authentication, authorization, and input validation. A key aspect is ensuring that web applications, which may be developed by third parties, cannot misuse exposed network capabilities or access data beyond their permissions. This involves defining secure coding practices, runtime protection mechanisms, and security testing methodologies tailored for web applications consuming 3GPP network APIs.
The mechanisms are layered. At the transport level, TLS is mandated for all API communications. At the application layer, OAuth 2.0 is specified for delegated authorization, so that a web application acting on behalf of a subscriber does so with the subscriber's explicit consent and only within the scope of the token it was issued. Guidelines then cover access control checks enforced at the API gateway or network function rather than trusted to the application, validation and sanitization of every input parameter received from the web application before it reaches back-end systems, and secure management of API keys and tokens. The WAS specifications analyse the attack vectors in detail and prescribe countermeasures for both the API provider (the network operator) and the API consumer (the application developer).
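To make the gateway-side checks concrete, the following is an added example written for this page; it is not code from any 3GPP specification or operator implementation. It shows the three checks a NEF-style API gateway applies to one request: verifying an OAuth 2.0 bearer token (structure, pinned algorithm, signature, audience, expiry), matching the token's scope and subject against the requested resource so an application cannot read another subscriber's data, and validating the subscriber identifier before it is passed downstream. The HMAC key, issuer and audience names, claim layout, the scope names `location:read` and `qos:write`, the resource names and the `msisdn-<digits>` identifier pattern are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo key shared by the (hypothetical) authorization server and the
# API gateway. HS256 keeps the example self-contained; a real deployment would
# use asymmetric keys and the operator's own issuer.
SHARED_KEY = b"demo-shared-key-not-for-production"
ISSUER = "auth.operator.example"      # assumed issuer name
AUDIENCE = "nef.operator.example"     # assumed gateway audience

# Hypothetical resource -> required OAuth 2.0 scope mapping enforced by the gateway.
REQUIRED_SCOPE = {
    ("GET", "location"): "location:read",
    ("POST", "qos"): "qos:write",
}

# Subscriber identifier accepted by the gateway: an assumed "msisdn-<digits>" form.
# Anything else (quotes, spaces, path characters) is rejected before use downstream.
GPSI_RE = re.compile(r"msisdn-[1-9][0-9]{4,14}")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id, subject, scopes, ttl=300, now=None, key=SHARED_KEY):
    """Mint an HS256 JWT the way the authorization server would after user consent."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "client_id": app_id,
              "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Check structure, algorithm, signature, issuer/audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def handle_request(method, resource, gpsi, token, now=None):
    """Gateway decision for one API call. Returns (HTTP status, reason)."""
    try:
        claims = verify_token(token, now)                      # authentication
    except ValueError as err:                                  # binascii/JSON errors are ValueErrors too
        return 401, str(err)
    needed = REQUIRED_SCOPE.get((method, resource))
    if needed is None:
        return 404, "unknown resource"
    if needed not in claims.get("scope", "").split():           # authorization: scope
        return 403, f"missing scope {needed}"
    if not GPSI_RE.fullmatch(gpsi):                             # input validation
        return 400, "invalid subscriber identifier"
    if claims.get("sub") != gpsi:                               # authorization: subject binding
        return 403, "subscriber does not match token subject"   # blocks IDOR-style enumeration
    return 200, "ok"
```

The order of checks is deliberate: an unauthenticated caller learns nothing beyond "401", a caller with a valid token but the wrong scope is refused before the identifier is even parsed, and a syntactically valid identifier for a different subscriber is refused by the subject binding rather than reaching the back-end. The token is issued per subscriber, which is what "acting on behalf of a user with explicit consent" means in practice at the gateway.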
Purpose & Motivation
WAS was introduced to address the security challenges created by the shift towards open network exposure and web-based service delivery in mobile networks, particularly with 4G and 5G. Traditional telecom security focused on protecting a closed, signalling-based core network (for example with MAPsec and Diameter security). Once operators began exposing network capabilities (quality of service, location, authentication) through HTTP-based APIs to foster innovation and new service ecosystems, those interfaces became reachable by classes of web-based attack that had played little part in telecom security before.
The primary problem WAS solves is bridging the gap between web security best practice and telecom network security. Without such standardization, inconsistent or weak implementations by individual operators or application developers could lead to severe breaches such as mass location tracking, subscriber impersonation or network resource exhaustion. The motivation for its creation in Rel-14 was the growing deployment of network exposure functions (SCEF in 4G and, later, NEF in 5G) and the need for a consistent, robust security baseline that protects both operator assets and subscriber privacy in this open environment.
It addresses limitations of previous approaches where security for value-added services was often handled on a per-service or proprietary basis, lacking a comprehensive, threat-model-driven framework. WAS provides a standardized, systematic methodology for identifying threats (through threat analysis reports) and specifying normative security requirements in relevant architecture and protocol specifications (e.g., for the NEF, CAPIF), ensuring security is built into the design of exposure frameworks from the start.
Key Features
- Threat analysis and risk assessment specific to web applications using 3GPP network APIs
- Security requirements for Network Exposure Function (NEF) and Common API Framework (CAPIF) interfaces
- Guidelines for implementing OAuth 2.0 and OpenID Connect for secure API authorization
- Specifications for input validation, output encoding, and mitigation of common web vulnerabilities (XSS, CSRF, injection)
- Recommendations for secure session management and token handling in web apps
- Security testing and assurance guidance for web applications in telecom environments
Evolution Across Releases
Introduced the WAS work item with a primary focus on threat analysis. Initial specifications provided a comprehensive threat model for web applications accessing network APIs, identifying key attack vectors like API abuse, insecure direct object references, and insufficient authorization. It laid the foundation by documenting security objectives and high-level requirements for subsequent normative work.
Evolved from analysis to normative specification. Integrated detailed security requirements into the architecture specifications for the 5G Common API Framework (CAPIF) and enhanced the security provisions for the NEF. This included specifying mandatory use of TLS 1.2+, requirements for OAuth 2.0 token-based authorization with precise scope definitions, and guidelines for audit logging of API access.
Enhanced the security framework with more granular controls and expanded scope. Introduced requirements for mutual authentication between API exposing functions and API invokers, detailed guidance on securing API aggregators, and deeper integration with 5G network authentication (e.g., leveraging 5G-AKA). Addressed security for edge computing scenarios where web applications run closer to the user.
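The TLS 1.2+ and mutual authentication requirements described above come down to a handful of settings on the TLS endpoint of the API exposing function, and those settings can be audited programmatically as part of security assurance. The following added example (written for this page, not taken from any 3GPP specification or implementation) builds a hardened server-side context beside the weak one-way-TLS context that quick deployments often end up with, and runs a minimal policy check over each. The certificate and CA file parameters are optional so the block runs without key material; the three-rule policy is an assumption, not a 3GPP-defined checklist.

```python
import ssl


def build_gateway_context(cafile=None, certfile=None, keyfile=None):
    """Server-side TLS context for the API exposing function (hardened)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.2 or later only; TLS 1.3 stays allowed
    ctx.verify_mode = ssl.CERT_REQUIRED            # API invoker must present a certificate (mutual auth)
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression
    if cafile:                                     # CA trusted to issue invoker certificates (assumed onboarding)
        ctx.load_verify_locations(cafile)
    if certfile:                                   # the gateway's own server certificate and private key
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def build_weak_context():
    """One-way TLS: the server is authenticated, but any client can connect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Assurance check: return the list of policy violations found on a context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no mutual authentication)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", build_gateway_context()), ("weak", build_weak_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Requiring a client certificate is only half of mutual authentication: the gateway must also load the specific CA that issued invoker certificates (the `cafile` parameter) rather than the system trust store, otherwise any publicly issued certificate would pass the check.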
Further refined the security mechanisms in light of implementation experience. Focused on automating security assurance, including lifecycle management of API security policies and their possible integration with software-defined security, and addressed emerging threats from AI-driven attacks together with stronger privacy protection for data exchanged over the APIs.
Defining Specifications
| Specification | Title |
|---|---|
| TS 28.879 | 3GPP TS 28.879 |
| TS 33.117 | Catalogue of general security assurance requirements |
| TR 37.890 | Feasibility Study on 6 GHz License Exempt Bands for LTE/NR |
| TR 38.805 | Study on New Radio Access Technology: 60 GHz Unlicensed Spectrum |
| TR 38.807 | Study on requirements for NR beyond 52.6 GHz |
| TR 38.889 | Study on NR-based access to unlicensed spectrum |