Imagine I've signed my JAR and it is installed with no problem. Could a malign MIDlet, which claims to be part of the original MIDlet suite, be installed over the trusted one? I mean, the malign MIDlet has no MIDlet-Jar-RSA-SHA1 property in its JAD, so according to the MIDP 2.0 specification:
"When a MIDlet suite is downloaded, the device MUST check if authentication is required. If the attribute MIDlet-Jar-RSA-SHA1 is present in the application descriptor then the JAR MUST be authenticated by verifying the signer certificates and JAR signature as below.
Application descriptors without the MIDlet-Jar-RSA-SHA1 attribute are not authenticated but are installed and invoked as untrusted MIDlet suites."
So, could that second MIDlet be installed, even as an untrusted one?
This second one could read the shared RMS storage of the host MIDlet suite.