  1. #1
    Regular Contributor
    Join Date
    Dec 2007
    Posts
    74

    j2me Midlet Verification/Validation Problem

    Hello all,

    Let's examine the following scenario:
    I have developed a MIDlet, I have digitally signed it with a CA, and I am installing it on a handset.
    Let's say that a hacker has managed to:
    (1) find the source code of my MIDlet
    (2) modify the code according to his needs but make it look the same as mine
    (3) remove the signed MIDlet from the handset and install his malicious "clone" MIDlet.

    The questions are:
    (a) How can the user know that the MIDlet he is launching is a signed MIDlet and NOT one that is NOT signed?
    (b) Is there another way for the user to check (Options perhaps?) that the MIDlet is digitally signed?
    (c) Can this be done with code in a signed MIDlet? Namely, to show the user that the MIDlet he is using is
    signed and not a malicious one, OR is this NOT so secure?
    (d) For the Nokia 6500 and for an UNsigned MIDlet, when I use Options->Details I can see Name, Size, Creation Time, Version, Vendor, Certificate of the MIDlet.
    Is there a way for a malicious user or program to make an UNsigned MIDlet look secure (namely, to show that the certificate is valid)?

    Thank you very much!

    NiKolaos

  2. #2
    Nokia Developer Champion
    Join Date
    Nov 2007
    Location
    Rome, Italy
    Posts
    2,405

    Re: j2me Midlet Verification/Validation Problem

    From the problem description, what I understand is that you're talking about a possible hacker who has direct access to the mobile phone.

    If this is the case, here are my considerations:

    a) once the malicious MIDlet is installed, the user, to check certification details, has to go into the application details

    b, c) if you mean getting this data from within your application, then it's not possible, and would not be useful either: if a hacker is able to modify your code, he will likely also modify the part where your application shows certification details to the user, so he is able to show anything he wants

    d) if the hacker signs his malicious MIDlet, then the user will see that his MIDlet is signed too (but going into the certificate details, users could be able to see that it's not you, but another entity, that signed that MIDlet)

    About point 1 of your considerations, you could use a code obfuscator to reduce the hacker's chances to understand/modify your source code.

    Pit

  3. #3
    Regular Contributor
    Join Date
    Dec 2007
    Posts
    74

    Re: j2me Midlet Verification/Validation Problem

    jappit

    Thank you very much for your triggered answer!

    b, c) I agree with you, it is not a good idea to do this check inside the MIDlet.

    What do you mean by "you're talking about a possible hacker who has direct access to the mobile phone..."?

    By direct access, could we mean:
    1) the hacker has "physical" access to a handset
    2) the hacker has distant access to the handset using a "trojan" MIDlet or program.

    Thank you!

    NiKolaos

  4. #4
    Nokia Developer Champion
    Join Date
    Nov 2007
    Location
    Rome, Italy
    Posts
    2,405

    Re: j2me Midlet Verification/Validation Problem

    Hi NiKolaos,

    I mean physical access to the device (since you said that he should be able to uninstall your MIDlet and install his own). This way, he's obviously able to do whatever he wants with the target phone.

    In the second case, so from a distant hacker, such an attack on a signed MIDlet would be quite difficult (if not impossible), since:
    For signed MIDlet suites, both the original and the new MIDlet suite must have the same cryptographic signer. Last but not least, the AMS will not allow an unsigned MIDlet suite to replace a signed one.
    (as stated here: http://developers.sun.com/mobility/m...ota/index.html)

    That said, he should not be able to update your MIDlet with his own in any way, and creating a MIDlet that uninstalls yours is also impossible, since MIDlets do not have this kind of rights/features.

    Pit
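The replacement rules quoted above, modelled as a small decision function (an added example, not code from the thread or from any AMS implementation): it parses constructed JAD descriptors using the real attribute names `MIDlet-Name`, `MIDlet-Vendor`, `MIDlet-Certificate-1-1` and `MIDlet-Jar-RSA-SHA1`, and it simplifies "cryptographic signer" to a hash of the certificate attribute; the certificate values and signatures are constructed placeholders, and the handling of an unsigned installed suite is an assumption, since the quoted rule only covers signed ones.

```python
import hashlib
from typing import Optional, Tuple

def parse_jad(text: str) -> dict:
    """Parse the 'Attribute: value' lines of a JAD descriptor."""
    attrs = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def signer_id(jad: dict) -> Optional[str]:
    """Signer identity of a suite, or None when it is unsigned.
    Simplification: the id is a hash of the end-entity certificate attribute;
    a real AMS validates the chain against a protection-domain root and
    verifies MIDlet-Jar-RSA-SHA1 over the JAR before trusting the signer."""
    cert = jad.get("MIDlet-Certificate-1-1")
    if not cert or not jad.get("MIDlet-Jar-RSA-SHA1"):
        return None
    return hashlib.sha256(cert.encode()).hexdigest()[:16]

def replacement_allowed(installed: dict, candidate: dict) -> Tuple[bool, str]:
    """Apply the quoted MIDP 2.0 update rules to an installed/candidate pair."""
    ident = ("MIDlet-Name", "MIDlet-Vendor")  # the AMS identifies a suite by these two
    if any(installed.get(k) != candidate.get(k) for k in ident):
        return False, "different suite identity (MIDlet-Name/MIDlet-Vendor)"
    old, new = signer_id(installed), signer_id(candidate)
    if old is None:
        # Assumption: the quoted rule constrains only signed installed suites.
        return True, "installed suite is unsigned; no signer constraint"
    if new is None:
        return False, "unsigned suite may not replace a signed one"
    if old != new:
        return False, "replacement must have the same cryptographic signer"
    return True, "same signer; update allowed"

# Constructed descriptors: placeholder certificate and signature values, not real ones.
INSTALLED = parse_jad("""
MIDlet-Name: MyApp
MIDlet-Vendor: NiKolaos
MIDlet-Version: 1.0.0
MIDlet-Certificate-1-1: CONSTRUCTED-CERT-ORIGINAL-SIGNER
MIDlet-Jar-RSA-SHA1: CONSTRUCTED-SIGNATURE-1
""")
CLONE_UNSIGNED = {k: v for k, v in INSTALLED.items()
                  if k not in ("MIDlet-Certificate-1-1", "MIDlet-Jar-RSA-SHA1")}
CLONE_OTHER_SIGNER = {**INSTALLED, "MIDlet-Certificate-1-1": "CONSTRUCTED-CERT-ATTACKER",
                      "MIDlet-Jar-RSA-SHA1": "CONSTRUCTED-SIGNATURE-2"}
GENUINE_UPDATE = {**INSTALLED, "MIDlet-Version": "1.0.1",
                  "MIDlet-Jar-RSA-SHA1": "CONSTRUCTED-SIGNATURE-3"}
```

Running `replacement_allowed(INSTALLED, CLONE_UNSIGNED)` and `replacement_allowed(INSTALLED, CLONE_OTHER_SIGNER)` both refuse the clone, while `GENUINE_UPDATE` (same certificate, new version) is accepted.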

  5. #5
    Regular Contributor
    Join Date
    Dec 2007
    Posts
    74

    Re: j2me Midlet Verification/Validation Problem

    So,

    In case of "remote" access, a hacker will NOT be able to do anything (unless he owns the code signing certificate with which I signed my MIDlet).

    In case of "physical" access, a hacker will succeed in the fraud IF the victim does NOT check the details of his MIDlet before launching the application.

    Am I correct?

    thanks again,

    NiKolaos

  6. #6
    Nokia Developer Champion
    Join Date
    Nov 2007
    Location
    Rome, Italy
    Posts
    2,405

    Re: j2me Midlet Verification/Validation Problem

    Afaik, yes

    Check also this related thread:

    http://discussion.forum.nokia.com/fo...d.php?t=107344

    Pit
