I am Builing a j2me application which makes https connection to a Server and
i Have some questions about possible security Threats that i am going to encounter
On Widnows Mobile(5,6) Handsets (for example Htc P3450)
(1)Can someone SET/INSTALL his own ROOT Certificates???
(2)Is The following scenario feasible(in terms that it COULD be done)???
(a)A hacker (somehow) manages to install to victim's handset his custom ROOT certificate.
(b)The hacker is able to perform a man-in-the-Middle attack when the victim tries to
establish an SSL connection to my Server.Particularly gives to client a SSL server Certificate
that belongs to the compromized ROOT Certificate (case (a))
So the Operating System of the Mobile and Kvm 'think' that the server Certificate that has been given
is valid and the user 'thinks' that he is connecting to the real server.
(3)Lets suppose that my application framework is the following: My Midlet makes https connections
only to a predifined server which has a valid Verisign SSL Certificate.
(a)Is it a good idea to 'hardcode' the SSL Server Certificate on the application?
I am saying that for each https connection that the Midlet will perform the Server Certificate is examined by
my code and is 'matched' with mine.
(b)If i am goind to follow (a), then it will be feasible for my Midlet to be a victim of a
Man-in-the-Middle SSL attack, even if the hacker has managed to install his custom ROOT certificate,
given of the following facts?
-->if the hacker (that performs Man-in-the-Middle SSL attack) gives to client a compromized Server
SSL certificate , connection will FAIL because it will be different with my hardcoded Certificate.
-->if the hacker gives to client a Server SSL certificate with the same characteristics(serial,validity period, etc),
SSL connection will FAIL again because the hacker will NOT have the private key of the server certificate.
can anyone help? Thanks a lot!