J2ME security options

The first applications that have come out using the J2ME protocol are those games you can play on the little mobile phones. But how long do you think it will be before J2ME shows up in business applications? And when it does, it has to show up with some security, or else you're just asking for trouble if you implement those apps in your organization. This tip, which is excerpted from InformIT, discusses the security options available for J2ME.

When most developers speak of J2ME, they are usually referring to the Mobile Information Device Profile, or MIDP, as it is commonly referred to. J2ME MIDP is a profile based on the Connected Limited Device Configuration (CLDC), and both were discussed at length in other articles for InformIT.

The MID Profile defines a set of APIs and system capabilities that matches commonly used mobile devices such as PDAs, pagers, and mobile phones (thus its popularity, thanks to the worldwide explosion of these types of devices). Java developers who have built MIDP applications are well aware of its current limitations, including the lack of floating-point number support, HTTP-only communications, and the limited UI components. Although no security API is currently included in the MID Profile, a great deal of progress has been made by several companies in order to bring basic encryption to J2ME MIDP. Developers at Sun have created KSSL, a "small-footprint, client-side-only implementation of SSL v3.0 for handheld and wireless devices." KSSL includes a number of optimizations that reflect the reality of development on processor/memory-constrained devices running on low-bandwidth networks. Sun testing of KSSL over using a PDA over a CDPD network placed times for a completed SSL handshake over the network at less than 10 seconds, certainly acceptable for most applications. This flies in the face of conventional...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Wireless security RIM announces overhauled Enterprise Server New products, standards help boost wireless security Safe computing in public hot spots Wireless security and privacy: Best practices and design techniques Don't be fooled by the Java sandbox Nonpareils of mobile security info: Intel's Wireless Security Resource Center Symbol upgrades to meet new Visa security standards Centralized PDA virus protection released WEP vulnerabilities -- wired equivalent privacy? Mobile Security Mobile security threats Two-factor authentication: Mobile security at your fingertips Securing your Windows Mobile devices In-the-cloud defenses for mobile malware On-device defenses for mobile malware Is malware coming to a smartphone near you? Protecting data on your BlackBerry Defining your mobile security policy Government regulations and mobile security policies Symbian: Protect your data, not just your device Mobile Device Security Fingerprint recognition and mobile security Traditional security threats coming soon to mobile device near you Securing your Windows Mobile devices Mobile security: Protecting your data, not just your devices Prevent mobile malware: Learn how to protect your enterprise and devices Podcast: The truth about network security and mobile device access Protecting data on your BlackBerry Going green: Recycling and energy saving tips for mobile devices -- podcast New challenges in mobile device discovery Quiz: Mobile Device Security -- Who else can hear me now? Mobile Device Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary mobile VPN  (SearchMobileComputing.com) real-time location system (RTLS)  (SearchMobileComputing.com) screaming cell phone  (SearchMobileComputing.com) SMiShing  (SearchMobileComputing.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

wisdom that said mobile devices' CPU/memory limitations prevented advanced encryption techniques on PDAs or mobile phones. The Phaos Micro Foundation toolkit was built for both the CDC and CLDC environments and is a 100% pure Java solution. Finally, the free Bouncy Castle crypto APIs (download includes the source code) run on everything from JDK 1.4 down to J2ME, although performance is reportedly a problem at the J2ME level.

The Connected Device Configuration (CDC) was defined for more capable (that is, more memory, better display, and so on) devices such as set-top boxes and gaming systems. The Foundation Profile (and its child, the new Personal Profile) has been defined for the CDC, and it goes quite a way beyond the capabilities of the MID Profile. Foundation Profile APIs include many of those in Java 2 Standard Edition, including java.io, java.net, java.text, and java.lang. Of interest to our security discussion are the APIs defined within the java.security package, including the following subpackages: java.security.acl, java.security.cert, java.security.interface, and java.security.spec, the combination of which allows an application to provide RSA/DSA encryption for public key infrastructure (PKI)/certificate-based security.

Because it was designed to be run on devices with respectable processor speed and memory configurations, the CDC JVM is required to support the same feature set as a Java 2 Standard Edition (J2SE) JVM, meaning that advanced Java concepts such as the Java Native Interface (JNI) for calling C-language libraries is also supported. Because of these included APIs and advanced features that go well beyond the CLDC, applications targeted for CDC devices should face no security restrictions.

To read the entire tip from which this tip comes, click over to InformIT. You don't have to register there, give your email address, or anything but get the info you need.