×

Discussion Board

Results 1 to 10 of 10
  1. #1
    Regular Contributor
    Join Date
    May 2008
    Location
    Switzerland - VS
    Posts
    81

    Injecting data in the installation file

    Hi,

    I have to build an application to browse some datas. Thoses data can be updated at any time, and can be updated in the application when the information has changed.

    To minimize the "first launch" of my application I would like to have my installation file updated with the last avaliable datas.

    My compagny have a application distribution plateforme that allow to download a specific jad/jar file for each phone, based on the user-agent. It's also possible to modify it to do some basic tasks (perhaps adding a file in the jar, or modify parameters in the jad...)

    What is the best solution to do it ?

    - So the download link will be the jad file. Is that possible to write in the jad, that there is two file to download ? myapplicatoin.jar and mydata.zip ?

    - Am I forced to add my data.zip file in the jar ? with something like
    jar u[v0M]f jarfile [-C dir] inputfiles [-Joption] commandline,
    and then regenerate the jad file ? is that necessary ?

    - If I want a signed application. Does the jar modification force me to sign it again ? or the signature data in the jad file are still update, even if I modify the jar file ?

    - I know there is a limitation of the jar file. If I'm able to inject my initial datas in the jar. What would be the maximum file size you advise me ?
    --

    So, I'm not realy used to distribute java software. I'll be thanksfull to every one who can help me to understand what is the best way to do it.

    Christophe

  2. #2
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Injecting data in the installation file

    The phone will download a JAD, read the JAR URL from the JAD, then download the JAR. It will not download anything else.

    You can download more data in your application, and store it on the device (using RMS). However, RMS has size limitations on some devices.

    Modifying the JAR invalidates any signature. This is the entire point of signing. The signature exists to verify that the JAR has not been altered since it was signed. If you modify the JAR, you must regenerate the signature.

    JAR size limits are specific to certain devices.

    What is the size of the application, and what is the size of the data (zipped)?

    What devices do you want to support? Specifically, what is the lowest specification Nokia Series 40 you want to support?

  3. #3
    Regular Contributor
    Join Date
    May 2008
    Location
    Switzerland - VS
    Posts
    81

    Re: Injecting data in the installation file

    Quote Originally Posted by grahamhughes View Post
    The phone will download a JAD, read the JAR URL from the JAD, then download the JAR. It will not download anything else.

    You can download more data in your application, and store it on the device (using RMS). However, RMS has size limitations on some devices.

    Modifying the JAR invalidates any signature. This is the entire point of signing. The signature exists to verify that the JAR has not been altered since it was signed. If you modify the JAR, you must regenerate the signature.
    Thanks to confirm what I though

    JAR size limits are specific to certain devices.

    What is the size of the application, and what is the size of the data (zipped)?

    What devices do you want to support? Specifically, what is the lowest specification Nokia Series 40 you want to support?
    My objective is to be compatible with the most part of the devices. For the graphical part I use j2me polish. I just saw that it was possible to know the maxjarfile of some devices in the device information on the polish site ( http://devices.j2mepolish.org/intera...eredListAnchor ). So I can see that If I can be under 128ko it will be ideal, but I don't think I can do it. I'll probably target the 300 ko If I don't have the choice about datas.

    To answer you, I want to support midp 2.0 cldc 1.1. My original data file (with images for interface,..) is approximately 100ko, and my data amount is really big, The unzipped data (only text) is bigger than 3Mo. I think I'll have to think about another solution. Eventually purpose a first launch initialization updates and ask the user if he wants to do it.

    About the signature:
    - So apparently it's just an utopian idea to tell than it's possible to keep the installation file updated with the last data at any time. Because for each download for each specific device, I have to add my data file in the jar, and sign it again. It can be a really time waster process.

    - Just for have more information about the signature. I know that the trust process can be really exhausting for j2me. Most devices are trusting Verisign or Thawte. Is that possible to sign it with the two ? Or I have to know which device must be signed with which one ?
    I already saw that there was some company who was testing/signing the applications like "Intertek NSTL". Is that a good compromise? Has someone already tested it ?

    Thanks again for your answer. I'm sorry to ask perhaps some dumb or already answered questions, but the j2me trusted world looks like a big maze without any proper and nice exit

    //reference about signtures comes from this document http://www1.j2mepolish.org/downloads...oTheGalaxy.pdf

  4. #4
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Injecting data in the installation file

    OK. 3Mb (3Mo) is a lot of data. The maximum JAR size even of most higher-end Series 40 devices is 1Mb, and as you say many are lower. This amount of data also exceeds the space permitted for RMS data on most Series 40 devices.

    This means that the only way to store this amount of data would be to use the FileConnection API, but then you will have many security issues.

    Yes, you should be able to sign with more than one certificate. One important thing to know: once an application is signed, any device that does not recognize the signature will reject the application and refuse to install it. Some devices have neither Thawte nor Verisign root certificates, and so will refuse an application signed with either (or both).

    You mention "testing/signing"... I think you are refering to Java Verified, which is an industry-standard process, handled by various testing houses including NSTL. Once an application has passed testing, it will be signed with a Java Verified certificate. This is recognized by many devices, but still not all. And, your application must pass the testing process!

    I am implying nothing with the title, but I would recommend you to this document for some excellent information on Java signing issues.

    In what countries are you planning to deploy your application?

  5. #5
    Regular Contributor
    Join Date
    May 2008
    Location
    Switzerland - VS
    Posts
    81

    Re: Injecting data in the installation file and certification

    I am implying nothing with the title, but I would recommend you to this document for some excellent information on Java
    Thank you for the link.

    About the country I don't understand why it's relevant. But the application will be distributed in Switzerland. But it's application that have been build in a tourism purposes, So, in therory, the devices that will use the application can come from many countries.

    Are the cerftificates country/branding dependant ? or only depending on the device model/type ?

  6. #6
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Injecting data in the installation file and certification

    Yes. Handsets sold in the US through AT&T and T-mobile, for example, are likely to reject any signed application, unless signed by the operator.

    I would strongly recommend that you avoid signing the application, unless it is absolutely unavoidable. Or, provide the application in both signed and unsigned versions.

    Frankly, if you want to support lower-end devices, 3Mb is too much data.

  7. #7
    Regular Contributor
    Join Date
    May 2008
    Location
    Switzerland - VS
    Posts
    81

    Re: Injecting data in the installation file

    the main reason of signing, is because I need to store data on the device. To do it I have to read/write datas. Depending on the device I have to test if the directory is available and create a folder, and then I use some bluetooth connection. Depending on some cases, I have to use a http connection.

    So it's a lot of confirmations for the user. the read/write data is the worste part of it. On some nokia devices I can count up to 15 confirmations for the user.

  8. #8
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Injecting data in the installation file

    Signing will not necessarily disable security options. In most cases, the user will need to change the application settings (in the device's application manager) manually, to disable the warnings. In some cases, signing might not disable warnings at all. It depends on the device.

    You should read as much as possible about signing, especially this, and the documents listed there under API access settings on real phones and Security Domain policies some carriers that deviate from the standard. And remember that these apply only to Nokia - there's a whole world of non-Nokia devices beyond that.

  9. #9
    Regular Contributor
    Join Date
    May 2008
    Location
    Switzerland - VS
    Posts
    81

    Re: Injecting data in the installation file

    I always have read on forums and on the web, that signing an application disable all this prompt to users, if in the jad file you specify the permissions.

    So, if I sign my application the only real change will be that he can configure (for read/write permission for example) the "always allow" option ? ... I'm a little disapointed. But I think in the prompt to the user, the option "always allow" will be prompted.

    Thanks a lot for your help and enlightments grahamhughes.

    I never thought I'll tell something like this, but : symbian c++ code signature/certification is realy easier to work with

  10. #10
    Super Contributor
    Join Date
    Jun 2003
    Location
    Cheshire, UK
    Posts
    7,395

    Re: Injecting data in the installation file

    Quote Originally Posted by Christophe.A View Post
    I always have read on forums and on the web, that signing an application disable all this prompt to users, if in the jad file you specify the permissions.
    There are many discussions about signing here on Forum Nokia, and many articles in the wiki if you want to read more. No need to take my word for it.

    I should mention that there are different kinds of signing for Java apps. Well, different levels of "trust". An application signed with, say, a Thawte, Verisign or Java Verified certificate is usually considered "trusted third party", and is granted some privilege (such as, "always allow" options being enabled). But if the application is signed by the device's manufacturer or the network operator, it has a higher level of trust, and is granted more privilege. An application signed by Nokia might be able to disable all prompts (but only on a Nokia phone). Before you get excited, manufacturer signing is usually reserved only for applications that are pre-installed in the factory. Nokia will not sign your application for you. Similarly, operator signing is often reserved for applications distributed (or pre-installed) by that operator. And again, an operator signature is only valid if the device was supplied by that operator (I think the certificate is in the SIM card).

    Quote Originally Posted by Christophe.A View Post
    So, if I sign my application the only real change will be that he can configure (for read/write permission for example) the "always allow" option ? ... I'm a little disapointed. But I think in the prompt to the user, the option "always allow" will be prompted.
    What happens will depend on the device, and sometimes on the network operator.

    For example, this page shows you the security settings for a (standard, non-operator-branded) Nokia N95, for untrusted (unsigned) apps, and for "trusted third party" apps. Check the rows for "positioning" (access to the Location API).

    Code:
                   No access    Ask always    Ask first time    Always allowed 
    Untrusted
    Positioning    yes          default       yes               -  
    
    Trusted
    Positioning    yes          yes           default           yes
    When the app is trusted, "always allow" is enabled as an option, and the default setting changes from "ask always" to "ask first time".

    Different devices have different tables like these.

    Quote Originally Posted by Christophe.A View Post
    I never thought I'll tell something like this, but : symbian c++ code signature/certification is realy easier to work with
    Signing is perhaps the single most complicated are of mobile Java. If you're confused by it, join the club!!

    Graham.

Similar Threads

  1. puting a png image with other image data in the file
    By TacB0sS in forum Mobile Java General
    Replies: 17
    Last Post: 2009-12-07, 11:03
  2. Regarding BMCONV
    By sanah007 in forum Symbian
    Replies: 2
    Last Post: 2009-05-26, 12:47
  3. Problem with pyobfuscate
    By JOM in forum Symbian
    Replies: 3
    Last Post: 2008-06-20, 22:47
  4. Porting C Open source.
    By debasish1234 in forum Open C/C++
    Replies: 7
    Last Post: 2008-01-28, 11:06
  5. Contacts fields order??
    By timatima in forum Symbian
    Replies: 1
    Last Post: 2007-06-08, 13:51

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
×