Discussion Board

  1. #1
    Registered User
    Join Date
    May 2007
    Posts
    6

    Trojan installation onto previous trusted Midlet suite?

    Hello,

    Imagine I've signed my JAR and it is installed with no problem. Could a malign MIDlet, which claims to be part of the original MIDlet suite, be installed over the trusted one? I mean, the malign MIDlet has no MIDlet-Jar-RSA-SHA1 property in its JAD, so according to the MIDP 2.0 specification:

    "When an MIDlet suite is downloaded, the device MUST check if authentication is required. If the attribute MIDlet-Jar-RSA-SHA1 is present in the application descriptor then the JAR MUST be authenticated by verifying the signer certificates and JAR signature as below.

    Application descriptors without the MIDlet-Jar-RSA-SHA1 attribute are not authenticated but are installed and invoked as untrusted MIDlet suites."

    So, could that second MIDlet be installed, even as an untrusted one?
    This second one could read the shared RMS storage of the host MIDlet suite.

    Thanks.

  2. #2
    Super Contributor
    Join Date
    Apr 2003
    Location
    USA, CA
    Posts
    7,191

    Re: Trojan installation onto previous trusted Midlet suite?

    I think the answer is no.
    There is a whole section on MIDlet updates in the MIDP spec (this excerpt is from the MIDP 2.0 spec, about page 21):

    "MIDlet Suite Update
    A MIDlet suite update is defined as the operation of installing a specific MIDlet suite when that same MIDlet
    suite (either the same version or a different version) is already installed on the device. Devices MUST support
    the updating of MIDlet suites. In order to be meaningful to the user, the device MUST allow the user to obtain
    information about the MIDlet suite(s) on the device and determine which versions of software are installed. See
    Device Identification and Request Headers for the attributes that apply to updates.
    When a MIDlet suite update is started, the device MUST notify the user if the MIDlet suite is a newer, older, or
    the same version of an existing MIDlet suite and MUST get confirmation from the user before proceeding.
    The RMS record stores of a MIDlet suite being updated MUST be managed as follows:
    • If the cryptographic signer of the new MIDlet suite and the original MIDlet suite are identical, then the
    RMS record stores MUST be retained and made available to the new MIDlet suite.
    • If the scheme, host, and path of the URL that the new Application Descriptor is downloaded from is
    identical to the scheme, host, and path of the URL the original Application Descriptor was downloaded
    from, then the RMS MUST be retained and made available to the new MIDlet suite.
    • If the scheme, host, and path of the URL that the new MIDlet suite is downloaded from is identical to the
    scheme, host, and path of the URL the original MIDlet suite was downloaded from, then the RMS MUST
    be retained and made available to the new MIDlet suite.
    • If the above statements are false, then the device MUST ask the user whether the data from the original
    MIDlet suite should be retained and made available to the new MIDlet suite.
    In all cases, an unsigned MIDlet MUST NOT be allowed to update a signed MIDlet suite. The format, contents
    and versioning of the record stores is the responsibility of the MIDlet suite. The user-granted permissions given
    to the original MIDlet suite SHOULD also be given to the new MIDlet suite, if they are in the security domain
    of the new MIDlet suite."


    Hartti
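
The update rules quoted in the reply above, modeled as a small decision function. This is an added example, not part of either post or of the MIDP specification text; `Suite`, `decide_update`, the signer strings and the example URLs are constructed for illustration, and it assumes the device has already matched the candidate to the installed suite.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit


class Decision(Enum):
    REJECT = "reject update"
    RETAIN_RMS = "update, keep RMS record stores"
    ASK_USER = "update, ask user whether to keep RMS data"


@dataclass(frozen=True)
class Suite:
    signer: Optional[str]  # constructed signer identity; None = no MIDlet-Jar-RSA-SHA1 (unsigned)
    jad_url: str           # URL the application descriptor was downloaded from
    jar_url: str           # URL the JAR was downloaded from


def origin(url: str) -> tuple:
    """Scheme, host and path: the three URL parts the quoted rules compare."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname or "", parts.path)


def decide_update(installed: Suite, candidate: Suite) -> Decision:
    # "In all cases, an unsigned MIDlet MUST NOT be allowed to update a signed MIDlet suite."
    if installed.signer is not None and candidate.signer is None:
        return Decision.REJECT
    # Rule 1: identical cryptographic signer (two unsigned suites do not count).
    if installed.signer is not None and installed.signer == candidate.signer:
        return Decision.RETAIN_RMS
    # Rules 2 and 3: same descriptor URL or same JAR URL (scheme, host, path).
    if origin(installed.jad_url) == origin(candidate.jad_url):
        return Decision.RETAIN_RMS
    if origin(installed.jar_url) == origin(candidate.jar_url):
        return Decision.RETAIN_RMS
    # Rule 4: none of the above holds, so the user decides about the data.
    return Decision.ASK_USER


# Constructed sample data: hosts and signer names are placeholders.
TRUSTED = Suite("CN=Example Dev", "https://apps.example.com/game.jad", "https://apps.example.com/game.jar")
UNSIGNED_COPY = Suite(None, "http://other.example.net/game.jad", "http://other.example.net/game.jar")
SAME_SIGNER_MOVED = Suite("CN=Example Dev", "https://cdn.example.org/v2/game.jad", "https://cdn.example.org/v2/game.jar")
OTHER_SIGNER = Suite("CN=Someone Else", "http://other.example.net/game.jad", "http://other.example.net/game.jar")

if __name__ == "__main__":
    for label, cand in [("unsigned copy", UNSIGNED_COPY), ("same signer, new URL", SAME_SIGNER_MOVED),
                        ("different signer", OTHER_SIGNER)]:
        print(f"{label}: {decide_update(TRUSTED, cand).value}")
```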
