Scmad Chapter14


Published on

Chapter 14 - Only for study purposes.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Scmad Chapter14

  1. 1. By Marcel Caraciolo Chapter 14– MIDP Security SCMAD Certification 45mm 61mm
  2. 2. Agenda <ul><li>MIDP - Security </li></ul><ul><ul><li>Security </li></ul></ul><ul><ul><li>Permissions </li></ul></ul><ul><ul><li>Security-free API </li></ul></ul><ul><ul><li>Protection Domains </li></ul></ul><ul><ul><li>Application Signing </li></ul></ul><ul><ul><li>Permissions definition </li></ul></ul>
  3. 3. MIDP: Security <ul><li>MIDP has a security model based on sandbox and some operations are controlled by permissions </li></ul><ul><li>Every operation that might expose some system vulnerability (e.g. memory access, network access, private data access) is controlled by the platform. </li></ul><ul><li>The authorization mechanism is implementation-specific. When an authorization is denied, a SecurityException is thrown. </li></ul>
  4. 4. P Permissions <ul><li>Network Permissions: </li></ul><ul><li> .http </li></ul><ul><li> .https </li></ul><ul><li> .datagram </li></ul><ul><li> .datagramreceiver </li></ul><ul><li> .socket </li></ul><ul><li> .serversocket </li></ul><ul><li> .ssl </li></ul><ul><li> .comm </li></ul><ul><li> .sms </li></ul>
  5. 5. P Permissions <ul><li>WMA: </li></ul><ul><ul><li>javax.wireless.messaging.sms.send </li></ul></ul><ul><ul><li>javax.wireless.messaging.sms.receive </li></ul></ul><ul><ul><li> </li></ul></ul><ul><li>Notifications: </li></ul><ul><ul><li> </li></ul></ul><ul><li>MMAPI: </li></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul>
  6. 6. P Permissions <ul><li>WMA: </li></ul><ul><ul><li>javax.wireless.messaging.sms.send </li></ul></ul><ul><ul><li>javax.wireless.messaging.sms.receive </li></ul></ul><ul><ul><li> </li></ul></ul><ul><li>Notifications: </li></ul><ul><ul><li> </li></ul></ul><ul><li>MMAPI: </li></ul><ul><ul><li> </li></ul></ul><ul><ul><li> </li></ul></ul>
  7. 7. P Security’s Free API <ul><li>There is no security control over the following API’s: </li></ul><ul><ul><li>MIDlet </li></ul></ul><ul><ul><li>LCDUI </li></ul></ul><ul><ul><li>MMAPI (Execution only) </li></ul></ul><ul><ul><li>RMS </li></ul></ul>
  8. 8. P Protection Domains <ul><li>Suites are installed inside protection domains, according to the vendor. Source integrity is guaranteed through digital signatures </li></ul><ul><li>Each protection domain has a set of permissions </li></ul><ul><li>When an application is not signed, it’s installed on the Untrusted domain. MIDP 1.0 application do not support digital signature, so they are always installed on the Untrusted domain </li></ul><ul><li>Inside a protection domain, each permission has an interaction mode: </li></ul><ul><ul><li>blanket: Allows access to a resource asking for it at installation time </li></ul></ul><ul><ul><li>session: Requests user permission once per session </li></ul></ul><ul><ul><li>oneshot: Requests user permission every time a resource is requested </li></ul></ul>
  9. 9. PA Application signing <ul><li>A suite may be digitally signed. First the JAR file digital signature is calculated and then both the signature and the certificate are added to the JAD file with: </li></ul><ul><ul><li>MIDlet- Certificate - <n> - <m> </li></ul></ul><ul><ul><li>MIDlet- Jar- RSA – SHA1 </li></ul></ul><ul><li>When a suite is installed, the signature is verified. If the certificate is recognized and the signature is valid, the suite is installed on one of the device’s protection domain </li></ul>
  10. 10. P Application signing <ul><li>When a JAR is signed, parameters in JAD file and in JAR manifest must match, or else the application will not be installed. If the application is not signed, they do not need to match and JAD properties have precedence over’s. </li></ul><ul><li>When a JAR is signed, an installation is only successful when all the verifications are successful (e.g. digital signing, JAD parameters, etc) </li></ul><ul><li>A signed application may never be updated with an unsigned application </li></ul>
  11. 11. P Application signing <ul><li>You can define the required permissions on the JAD file: </li></ul><ul><ul><li>MIDlet – Permission: Required permissions for this suite. If they are not available, the suite will not be installed. </li></ul></ul><ul><ul><li>MIDlet- Permission- Opt: Permissions that the device may use, but might work without, even if in a limited way (e.g. game may have multiplayer support, but may work without network access in a singleplayer mode) </li></ul></ul>
  12. 12. Future Work <ul><li>Next Chapter: </li></ul><ul><ul><li>MIDP – JTWI </li></ul></ul><ul><ul><ul><li>Java Technology for Wireless Industry </li></ul></ul></ul><ul><ul><ul><li>API’s requirements </li></ul></ul></ul><ul><ul><ul><li>Other definitions </li></ul></ul></ul>
  13. 13. References <ul><li>ALVES F. Eduardo. SCMAD Study Guide, </li></ul><ul><li>27/04/2008. </li></ul><ul><li>JAKL Andreas, Java Platform, Micro Edition Part </li></ul><ul><li>01 slides, 12/2007. </li></ul><ul><li>Sun Certification Mobile Application Developer </li></ul><ul><li>Website: []. </li></ul>