Don't be fooled by the Java sandbox

A look at how to make sure you have secured your Java mobile applications.

With new technologies, security is a key issue that is always brought up in conversations. But quite often we fail to see the big picture. For example, with Java applications (MIDlets as they are called), the usual answer to the question about security is "Yes it is secure, it's the Java sandbox thing." The typical attitude forgets the big picture and fails to see other quite-obvious possibilities. Author Mikko Kontio takes a look at...

some overlooked wireless security issues in this article from InformIT.


The Java sandbox gives an answer to the following question: Can the application do any harm to the phone or other applications in it? Java applications are run in a so-called sandbox, which means that the applications can't use any of the device's native interfaces; only the Java APIs are available. Although this is a disadvantage because software developers can't do everything with Java that they can do with C++, for example, it is primarily a benefit because they know the limits.

In MIDP, there are ways to perform some platform operations, such as making http connections or (in some MIDP 2.0 devices) making a telephone call. It is the platform's responsibility to ensure that none of these things happen without the user knowing about it. Of course, image galleries, contact lists, and calendar information are beyond the reach of developers. The benefit is that hostile applications can't steal the information and send it to Web servers.

If you have to secure the information sent over a plain HTTP connection, you can encrypt it. You don't have to implement the cryptographic algorithms yourself; just use one like the Bouncy Castles API.

Don't over look security on the server side. The server system (often a Web server) also needs to be secured, which means installing the security updates (for whichever operating system and Web server you are using), setting up the firewall properly, and performing the usual actions needed to secure a server system. You should also pay some attention to securing the database server. Placing both the Web server and the database server behind a firewall is always a good solution.

Security issues involved with mobile applications are about the same as with any other applications. If the application is a standalone application with no connections to the outer world, securing it is relatively easy. But if the application is networked, it takes same time and planning to make sure that the whole system is secure enough for the system's requirements.


Read more about Wireless security at InformIT.


 

This was first published in February 2004

Dig deeper on Mobile Device Security

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchConsumerization

SearchNetworking

SearchTelecom

SearchUnifiedCommunications

SearchSecurity

Close