Wireless network access facilities, such as Wi-Fi networks and the like, are provided in public and private locations to deliver network connectivity services to mobile devices present or passing through a location. A wireless access point is a device or suite of devices for providing mobile devices with a mechanism for connecting to a network, such as a wired network, using Wi-Fi or similar standards. An access point can be connected to, or an integral part of, another network device such as a network switch or router. For example, access points can be implemented in accordance with the IEEE 802.11 standards which detail media access control and physical layer specifications for implementing wireless local area networks.
Wireless access to a network via an access point has special security considerations. The security of many wired networks is based on physical access control such that devices physically connected to a network enjoy an increased level of trust since physical access to the network can be controlled. In contrast, wireless access points offer network access transcending physical access control measures and conceivably anybody within range of an access point can seek to attach to a network. Furthermore, network traffic communicated between a connecting device and a wireless network access point is susceptible to interception due to the wireless nature of communication, such as network communication transmitted by radio frequency signal.
Accordingly, mobile device users are encouraged to exercise caution when connecting to wireless access points depending upon the nature of their use of a network. Sensitive and/or private network traffic, such as internet banking details, is preferably communicated via an encrypted network connection. In contrast, other applications, such as web browsing, may suitably employ communications via unprotected network connections. Increasingly, users are able to select from a list of multiple available and accessible wireless access points at a particular location, especially in busy, built-up, commercial, retail or industrial centers. Users may select an access point from a set of access points based on wireless access point capability information provided by their mobile device, though many mobile devices fail to clearly indicate such capability information for users.
Capabilities of access points can vary considerably. Access points may provide no encryption or interception detection at all, in which case all traffic between the access point and the network is open to interception, disclosure to third parties, modification and spoofing. Where security measures are provided, the extent and effectiveness of such measures can vary. Wired Equivalent Privacy (WEP) security is a security facility employed by early wireless networks based on a shared secret and cyclic redundancy checks. The WEP security standard is widely acknowledged to provide a relatively low level of security that is susceptible to attack due to inherent security weaknesses. Wi-Fi Protected Access (WPA) is a stronger standard of security for wireless communication and can employ a temporal key integrity protocol (TKIP) including dynamically generated 128-bit per-packet keys with message integrity checking superior to cyclic redundancy checks. Yet higher levels of security are provided by Wi-Fi Protected Access 2 (WPA2) which employs a counter mode cipher block chaining authentication protocol (CCM mode protocol, or CCMP) conforming to an Advanced Encryption Standard (AES) specified by the U.S. National Institute of Standards and Technology (NIST). Other existing or contemplated security facilities may also be applied for wireless access points.
It is known to select an access point for a mobile device from a set of available access points on the basis of rules or policies of the mobile device. For example, US patent publication US 20120076117 describes a method for discovering and selecting a wireless network access point based on retrieved capabilities of access points compared to capability requirements. Typically such rules apply preferences to favor more proximate or higher performing (in terms of data rate) access points. Conceivably such rules can also favor access points on the basis of supported security facilities (standards of encryption and the like). Such rules lead to a trade-off for a device: either high security access points are favored at the expense of network performance with the consequence that low-security high-performance access points are not used; or performance is favored at the expense of security with the consequence that a mobile device is vulnerable to attack or is not applied across its full breadth of function due to potentially insecure network communication. Thus it would be advantageous to provide improved access point selection without the aforementioned disadvantages.
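The trade-off described above can be made concrete with a small rule-based selector. This is an added example, not code from this document or from the cited publication; the `AccessPoint` fields, the numeric security ranking, the signal threshold and the scan results are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Security facilities named in the text, ranked weakest to strongest (assumed scale).
SECURITY_RANK = {"open": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-CCMP": 3}

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    security: str     # key of SECURITY_RANK
    rate_mbps: float  # advertised data rate
    rssi_dbm: int     # signal strength, used as a proxy for proximity

def select(aps, policy, min_security="open", min_rssi_dbm=-80):
    """Return the best AP under a fixed rule set, or None if none qualifies."""
    floor = SECURITY_RANK[min_security]
    usable = [ap for ap in aps
              if SECURITY_RANK[ap.security] >= floor and ap.rssi_dbm >= min_rssi_dbm]
    if not usable:
        return None
    if policy == "security":
        key = lambda ap: (SECURITY_RANK[ap.security], ap.rate_mbps, ap.rssi_dbm)
    elif policy == "performance":
        key = lambda ap: (ap.rate_mbps, ap.rssi_dbm, SECURITY_RANK[ap.security])
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    return max(usable, key=key)

def tradeoff(aps):
    """Report what each fixed policy gives up relative to the other."""
    sec, perf = select(aps, "security"), select(aps, "performance")
    return {
        "security_first": sec.ssid,
        "performance_first": perf.ssid,
        "rate_lost_mbps": perf.rate_mbps - sec.rate_mbps,
        "security_levels_lost": SECURITY_RANK[sec.security] - SECURITY_RANK[perf.security],
    }

# Constructed scan results for one location (not real networks).
SCAN = [
    AccessPoint("cafe-guest", "open", 300.0, -48),
    AccessPoint("legacy-pos", "WEP", 54.0, -60),
    AccessPoint("hotel-wpa", "WPA-TKIP", 54.0, -67),
    AccessPoint("office-wpa2", "WPA2-CCMP", 72.0, -71),
    AccessPoint("far-wpa2", "WPA2-CCMP", 144.0, -88),  # below the signal floor
]

if __name__ == "__main__":
    print(tradeoff(SCAN))
```

With a single fixed rule set, the device either forgoes the fastest access point or attaches to one with no protection, which is the disadvantage the paragraph identifies.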