Your SlideShare is downloading. ×
Scmad Chapter14
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Scmad Chapter14

1,100
views

Published on

Chapter 14 - Only for study purposes.

Chapter 14 - Only for study purposes.

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,100
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
35
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. By Marcel Caraciolo http://mobideia.blogspot.com Chapter 14– MIDP Security SCMAD Certification 45mm 61mm
  • 2. Agenda
    • MIDP - Security
      • Security
      • Permissions
      • Security-free API
      • Protection Domains
      • Application Signing
      • Permissions definition
  • 3. MIDP: Security
    • MIDP has a security model based on sandbox and some operations are controlled by permissions
    • Every operation that might expose some system vulnerability (e.g. memory access, network access, private data access) is controlled by the platform.
    • The authorization mechanism is implementation-specific. When an authorization is denied, a SecurityException is thrown.
  • 4. P Permissions
    • Network Permissions:
    • javax.microedition.io.Connector .http
    • javax.microedition.io.Connector .https
    • javax.microedition.io.Connector .datagram
    • javax.microedition.io.Connector .datagramreceiver
    • javax.microedition.io.Connector .socket
    • javax.microedition.io.Connector .serversocket
    • javax.microedition.io.Connector .ssl
    • javax.microedition.io.Connector .comm
    • javax.microedition.io.Connector .sms
  • 5. P Permissions
    • WMA:
      • javax.wireless.messaging.sms.send
      • javax.wireless.messaging.sms.receive
      • javax.wireless.messaging.cbs.receive
    • Notifications:
      • javax.microedition.io.PushRegistry
    • MMAPI:
      • javax.microedition.media.RecordControl.startRecord
      • javax.microedition.media.RecordControl.getSnapshot
  • 6. P Permissions
    • WMA:
      • javax.wireless.messaging.sms.send
      • javax.wireless.messaging.sms.receive
      • javax.wireless.messaging.cbs.receive
    • Notifications:
      • javax.microedition.io.PushRegistry
    • MMAPI:
      • javax.microedition.media.RecordControl.startRecord
      • javax.microedition.media.RecordControl.getSnapshot
  • 7. P Security’s Free API
    • There is no security control over the following API’s:
      • MIDlet
      • LCDUI
      • MMAPI (Execution only)
      • RMS
  • 8. P Protection Domains
    • Suites are installed inside protection domains, according to the vendor. Source integrity is guaranteed through digital signatures
    • Each protection domain has a set of permissions
    • When an application is not signed, it’s installed on the Untrusted domain. MIDP 1.0 application do not support digital signature, so they are always installed on the Untrusted domain
    • Inside a protection domain, each permission has an interaction mode:
      • blanket: Allows access to a resource asking for it at installation time
      • session: Requests user permission once per session
      • oneshot: Requests user permission every time a resource is requested
  • 9. PA Application signing
    • A suite may be digitally signed. First the JAR file digital signature is calculated and then both the signature and the certificate are added to the JAD file with:
      • MIDlet- Certificate - <n> - <m>
      • MIDlet- Jar- RSA – SHA1
    • When a suite is installed, the signature is verified. If the certificate is recognized and the signature is valid, the suite is installed on one of the device’s protection domain
  • 10. P Application signing
    • When a JAR is signed, parameters in JAD file and in JAR manifest must match, or else the application will not be installed. If the application is not signed, they do not need to match and JAD properties have precedence over Manifest.mf’s.
    • When a JAR is signed, an installation is only successful when all the verifications are successful (e.g. digital signing, JAD parameters, etc)
    • A signed application may never be updated with an unsigned application
  • 11. P Application signing
    • You can define the required permissions on the JAD file:
      • MIDlet – Permission: Required permissions for this suite. If they are not available, the suite will not be installed.
      • MIDlet- Permission- Opt: Permissions that the device may use, but might work without, even if in a limited way (e.g. game may have multiplayer support, but may work without network access in a singleplayer mode)
  • 12. Future Work
    • Next Chapter:
      • MIDP – JTWI
        • Java Technology for Wireless Industry
        • API’s requirements
        • Other definitions
  • 13. References
    • ALVES F. Eduardo. SCMAD Study Guide,
    • 27/04/2008.
    • JAKL Andreas, Java Platform, Micro Edition Part
    • 01 slides, 12/2007.
    • Sun Certification Mobile Application Developer
    • Website: [http://www.sun.com/training/certification/java/scmad.xml].