j2me on Windows Mobile, possible Threats based on ROOT Certi

Forum for J2ME mobile games related topics including programming doubts, books and other resources for J2ME game development

j2me on Windows Mobile, possible Threats based on ROOT Certi

Postby menis » Sun Nov 23, 2008 7:38 pm

I am Builing a j2me application which makes https connection to a Server and
i Have some questions about possible security Threats that i am going to encounter
On Widnows Mobile(5,6) Handsets (for example Htc P3450)

(1)Can someone SET/INSTALL his own ROOT Certificates???
(2)Is The following scenario feasible(in terms that it COULD be done)???
(a)A hacker (somehow) manages to install to victim's handset his custom ROOT certificate.
(b)The hacker is able to perform a man-in-the-Middle attack when the victim tries to
establish an SSL connection to my Server.Particularly gives to client a SSL server Certificate
that belongs to the compromized ROOT Certificate (case (a))
[Victim]--->[Man-in-the-Middle]--->[Myserver]
So the Operating System of the Mobile and Kvm 'think' that the server Certificate that has been given
is valid and the user 'thinks' that he is connecting to the real server.
(3)Lets suppose that my application framework is the following: My Midlet makes https connections
only to a predifined server which has a valid Verisign SSL Certificate.
(a)Is it a good idea to 'hardcode' the SSL Server Certificate on the application?
I am saying that for each https connection that the Midlet will perform the Server Certificate is examined by
my code and is 'matched' with mine.
(b)If i am goind to follow (a), then it will be feasible for my Midlet to be a victim of a
Man-in-the-Middle SSL attack, even if the hacker has managed to install his custom ROOT certificate,
given of the following facts?
-->if the hacker (that performs Man-in-the-Middle SSL attack) gives to client a compromized Server
SSL certificate , connection will FAIL because it will be different with my hardcoded Certificate.
-->if the hacker gives to client a Server SSL certificate with the same characteristics(serial,validity period, etc),
SSL connection will FAIL again because the hacker will NOT have the private key of the server certificate.

can anyone help? Thanks a lot!

NiKolaos
menis
 
Posts: 12
Joined: Sun Nov 25, 2007 6:11 pm

Re: j2me on Windows Mobile, possible Threats based on ROOT Certi

Postby DevelopmentTeam » Fri Nov 28, 2008 8:36 am

This forum is completely on Devices that support J2ME in their operating system. Though Windows mobile support J2ME, it is much different from other common Java based devices. This question may be relevant to any other forum that deals with Windows mobile. :)
User avatar
DevelopmentTeam
Site Admin
 
Posts: 661
Joined: Tue Aug 15, 2006 8:39 am
Location: India


Return to J2ME Games

Who is online

Users browsing this forum: No registered users and 3 guests

cron