Mobile Game Developer

[menis]

Hello all,

Lets examine the following scenario:
I have developed a Midlet, i have digitally Signed with a CA, and i am installing it in a Handset.
lets say that a hacker have managed to:
(1)find the src code of my midlet
(2)modify the code according to his needs but make it looks same with mine
(3)remove the signed midlet from the handset, and install his malicious "clone" Midlet.

The questions are:
(a)How the user can know that the midlet that he is launching is signed Midlet and NOT one that it is NOT signed?
(b)Is there another way that the user can check (Options perhaps?) that the Midlet is Digitally Signed?
(c)Can be done this with code on a signed Midlet? Namely to show to user that the midlet that he is using is
signed and not a malicious one OR this is NOT so secure?
(d)For Nokia6500 and for an UNSigned Midlet when i use Options->Details i can see Name,Size,Creation Time,Version,Vendor,Certificate of the Midlet.
Is there a way that a malicious user or program to make an UNSigned Midlet look secure?(namely to show that certificate is valid)

Thank you very much!

NiKolaos

[DevelopmentTeam]

Hello all,

Lets examine the following scenario:
I have developed a Midlet, i have digitally Signed with a CA, and i am installing it in a Handset.
lets say that a hacker have managed to:
(1)find the src code of my midlet
(2)modify the code according to his needs but make it looks same with mine
(3)remove the signed midlet from the handset, and install his malicious "clone" Midlet.

The questions are:
(a)How the user can know that the midlet that he is launching is signed Midlet and NOT one that it is NOT signed?
(b)Is there another way that the user can check (Options perhaps?) that the Midlet is Digitally Signed?
(c)Can be done this with code on a signed Midlet? Namely to show to user that the midlet that he is using is
signed and not a malicious one OR this is NOT so secure?
(d)For Nokia6500 and for an UNSigned Midlet when i use Options->Details i can see Name,Size,Creation Time,Version,Vendor,Certificate of the Midlet.
Is there a way that a malicious user or program to make an UNSigned Midlet look secure?(namely to show that certificate is valid)

Thank you very much!

NiKolaos

a) & b) The user has to check the application manager to see if the application is signed or not. You can check the Domain category which will show you "Untrusted third-party" and if the application is signed you will see "Trusted third-party"
c) I have not tried this before. But I have an idea which is just a guess and not sure will work in your case. We have checkPermission() function in the midlet class with which you can check any API's permission. For example, say you are signing the midlet with API permission for JSR-75 and if you check the API permission before signing the reply would be -1 which means unknown and if you check the API permission after signing, the reply might be 1. This will work only if you add any midlet permission entry in your verification process.
d) Till date, I dont think anyone has done some hack to make a unsigned application to show as trusted. But this is a question more relevant to the manufacturer and I dont think I can answer this.