j2me Midlet Verification/Validation Problem


Post by menis » Mon Jun 16, 2008 11:52 am

Hello all,

Let's examine the following scenario:
I have developed a Midlet, I have digitally signed it with a CA, and I am installing it in a handset.
Let's say that a hacker has managed to:
(1) find the src code of my midlet
(2) modify the code according to his needs but make it look the same as mine
(3) remove the signed midlet from the handset, and install his malicious "clone" Midlet.

The questions are:
(a) How can the user know that the midlet that he is launching is a signed Midlet and NOT one that is NOT signed?
(b) Is there another way that the user can check (Options perhaps?) that the Midlet is digitally signed?
(c) Can this be done with code in a signed Midlet? Namely, to show the user that the midlet that he is using is signed and not a malicious one, OR is this NOT so secure?
(d) For Nokia6500 and for an UNSigned Midlet, when I use Options->Details I can see Name, Size, Creation Time, Version, Vendor, Certificate of the Midlet.
Is there a way for a malicious user or program to make an UNSigned Midlet look secure? (namely to show that the certificate is valid)

Thank you very much!

NiKolaos
menis
 
Posts: 12
Joined: Sun Nov 25, 2007 6:11 pm

Re: j2me Midlet Verification/Validation Problem

Post by DevelopmentTeam » Tue Jun 17, 2008 5:15 am

menis wrote:
Hello all,

Let's examine the following scenario:
I have developed a Midlet, I have digitally signed it with a CA, and I am installing it in a handset.
Let's say that a hacker has managed to:
(1) find the src code of my midlet
(2) modify the code according to his needs but make it look the same as mine
(3) remove the signed midlet from the handset, and install his malicious "clone" Midlet.

The questions are:
(a) How can the user know that the midlet that he is launching is a signed Midlet and NOT one that is NOT signed?
(b) Is there another way that the user can check (Options perhaps?) that the Midlet is digitally signed?
(c) Can this be done with code in a signed Midlet? Namely, to show the user that the midlet that he is using is signed and not a malicious one, OR is this NOT so secure?
(d) For Nokia6500 and for an UNSigned Midlet, when I use Options->Details I can see Name, Size, Creation Time, Version, Vendor, Certificate of the Midlet.
Is there a way for a malicious user or program to make an UNSigned Midlet look secure? (namely to show that the certificate is valid)

Thank you very much!

NiKolaos


a) & b) The user has to check the application manager to see if the application is signed or not. You can check the Domain category, which will show you "Untrusted third-party", and if the application is signed you will see "Trusted third-party".
c) I have not tried this before. But I have an idea, which is just a guess, and I am not sure it will work in your case. We have the checkPermission() function in the midlet class, with which you can check any API's permission. For example, say you are signing the midlet with API permission for JSR-75: if you check the API permission before signing, the reply would be -1, which means unknown, and if you check the API permission after signing, the reply might be 1. This will work only if you add a midlet permission entry in your verification process.
d) Till date, I don't think anyone has done some hack to make an unsigned application show as trusted. But this is a question more relevant to the manufacturer and I don't think I can answer this. ;)
DevelopmentTeam
Site Admin
 
Posts: 661
Joined: Tue Aug 15, 2006 8:39 am
Location: India
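
The checkPermission() idea from reply (c), as an added example that is not part of the original posts: a MIDP 2.0 MIDlet that queries the JSR-75 file permissions and shows the raw result next to the permissions declared in the descriptor. The class name PermissionProbe and the screen text are assumptions; the result is the permission state the device assigned to the suite, and because the check runs inside the MIDlet itself, a modified copy can simply leave it out, so the application manager remains the place for the user to look.

```java
import javax.microedition.lcdui.Display;
import javax.microedition.lcdui.Form;
import javax.microedition.midlet.MIDlet;

// Added example: class name and screen text are hypothetical.
public class PermissionProbe extends MIDlet {

    // JSR-75 FileConnection permissions. They must also be listed under
    // MIDlet-Permissions in the JAD/manifest, as the reply points out.
    private static final String[] PERMISSIONS = {
        "javax.microedition.io.Connector.file.read",
        "javax.microedition.io.Connector.file.write"
    };

    // Maps the int returned by MIDlet.checkPermission() to text.
    static String describe(int state) {
        switch (state) {
            case 1:  return "allowed";
            case 0:  return "denied";
            default: return "unknown (user would be prompted)"; // -1
        }
    }

    protected void startApp() {
        Form form = new Form("Permission state");

        // What the descriptor asks for; null when no entry was declared.
        String declared = getAppProperty("MIDlet-Permissions");
        form.append("Declared: " + (declared == null ? "none" : declared) + "\n");

        // What the device actually granted to this suite.
        for (int i = 0; i < PERMISSIONS.length; i++) {
            int state = checkPermission(PERMISSIONS[i]);
            form.append(PERMISSIONS[i] + ": " + describe(state) + "\n");
        }

        Display.getDisplay(this).setCurrent(form);
    }

    protected void pauseApp() {
    }

    protected void destroyApp(boolean unconditional) {
    }
}
```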

