Java ME Security Domain Policies - download - Java

Java ME S ecurity Domain 

Policies 

Hartti S uomela 

Forum Nokia

Rough Overview of the Talk 

• S ecurity domains in theory 

• What’ s J ava Verified ? 

• What’ s coming in MIDP 3.0? 

• S ecurity domain implementation on Motorola , Nokia , and S ony- 

Ericsson devices 

• S ecurity domain implementations on operator branded devices 

• Top issues for J ava ME developers 

• Questions , answers and discussion 

• Disclaimer 

• I work for Forum Nokia 

• What is presented here for other manufacturers and for operators is gathered from 

documentation , online sources and from contacts in respective companies – 

changes may happen anytime 

© 2 0 0 8 Nokia Slide 2 

Company Confidential

Theory of S ecurity Domains 

• MIDP 2.0 specification contains RECOMMENDED 

Security Policy 

• Devices “ are expected to comply with this ..” 

• In real life ( small ) differences are abound 

• Main idea : Access to methods which are deemed security 

vulnerable is limited 

• Protect the privacy of the user 

• Protect the user from potential costs 

• This is all implemented with protection domains , 

certificates , function groups , default access rights , 

optional access rights , and user prompts 



Protection Domains 

• MIDP 2.0 & MIDP 2.1 specifications define FOUR protection 

domains 

MIDP 2.0 

Manufacturer Domain 

Operator Domain 

Trusted Third Party Domain 

Untrusted Domain 

MIDP 2.1 

Manufacturer Protection Domain 

Operator Protection Domain 

Identified Third Party Protection 

Domain 

Unidentified Third Party 

Protection Domain 

• Protection Domain Root Certificates are bind to Protection Domains 

• MIDlets are tied to protection domains by signing them with 

certificates derived from these Root Certificates 



Certificates – what are those? 

• Certificates are part of a Public Key Infrastructure 

( PKI) 

•Private key is used to sign the application 

• Can you can trust the signature in the application ? 

•Public key is used to verify that the signature is 

authentic 

• Embedded in the phone by the manufacturer 

• “ Root certificate ” belongs to one domain only 

• MIDP spec states that root certificates cannot be 

added after phone has been manufactured 

• nd 

Exceptions : Operator certificates on S IM, S 60 2 E dition devices 



Res tricted methods are grouped in Function 

Groups 

• Net access 

• MIDP spec also defines low - level net access, 

but this has been combined on many 

phones to the Net access function group 

• Messaging 

• MIDP spec also defines restricted messaging 

• Application auto -start 

• Local connectivity 

• Multimedia recording 

• Read user data ( including files and PIM) 

• Write / Edit user data ( including files and PIM) 

• Location 

• Landmark store 

• S mart card communication 

• Authentication 

• ( Call control ) 

• ( Phone call) 



Function groups and acces s rights 

• Access right can be one of the four options 

• Always allow / Blanket access 

• Ask first time / Ask once per session 

• Ask every time 

• Not allowed 

• Default access rights cannot be changed, 

users 

have to change them manually 

• How to change the settings ? – 

varies from phone to phone 



User prompts 

• If access is lower than “ Always allowed” 

the user is 

prompted before restricted method call 

• getS napshot – 

asked 

sometimes picture is taken before permission is 



Untrus ted / Unidentified 3 rd Party domain is 

mos t limited 

• Unidentified < Identified < Manufacturer / Operator 

• Manufacturer and Operator domains have “ Always allowed ” as 

default 

• MIDP 2.0 < MIDP 2.0.1 < MIDP 2.1 

• S igned MIDlets have potentially “ unlimited ” access to all APIs in 

MIDP 2.1 

• Note : Even signed MIDlets ( Identified 3 

rd Party 

Protection Domain ) do not have “ Always allowed” 

as default 

Users get prompted 

• Note : MIDP 1.0 MIDlets are executed in the 

Untrusted / Unidentified 3 

rd Party Domain 



What happens during signing and ins tallation? 

JAD file 

MIDlet-Name: 

MIDlet-Permissions: 

MIDlet-Vendor: 

-… 

Signing 

JAD file 

MIDlet-Name: 

MIDlet-Permissions: 

MIDlet-Vendor: 

-… 

MIDlet-Certificate-1-1 

MIDlet-Jar-RSA-SHA1 

• Installation time : 

• Does the device have the corresponding root certificate ? 

information correct? 

• No: 

Installation fails 

• Yes: 

Installation succeeds 

Is the 

© 2 0 0 8 Nokia Slide 1 0 


Java Verified 

• Industry endorsed application testing and signing program 

• MIDlets are tested against a certain criteria for a set of 

devices and signed after passing the test 

• Certificate : GeoTrust CA for UTI 

• The most widely available Identified 3 

rd Party Domain root 

certificate 

• Result : 

• The application ( J AR) 

cannot be altered 

• Application is installed to the Identified 3 rd party protection domain of the 

device 

• Better user experience : 

• The application is trusted by the device , no installation errors 

• The user has more options to control the application behaviour 

• Access to certain APIs 

• Note : Testing houses might not have new devices 

immediately after launch! 

© 2 0 0 8 Nokia Slide 1 1 


How does MIDP 3.0 change this picture? 

• Note : This is speculative , based on draft specification 

• Final specification is not ready 

• First devices coming out even further in the future 

• S ubstantial market penetration happening even later 

• MIDP 2 domain trust model with class based permissions 

• CLDC updated to include security / permissions related classes 

• External domain policy files 

• Communication between MIDlets 

• Not any more recommended security policy 

• Although wording allows deviations from the defined permissions 

• Additional protection domains are allowed for operators 

• S eparate function groups for sending and receiving messages 

• S ome CDC- related stuff ( system level access restrictions ) 

© 2 0 0 8 Nokia Slide 1 2 


S ecurity Policies on Nokia Devices 

•Certificates 

• UTI root for J ava Verified available on all phones since 2004 

• Notable exceptions : Nokia 6600, Nokia 3220 and Nokia 6230 

• Thawte and VeriS ign certificates available on most phones since 2005 

• 

• nd 

S 60 2 E dition phones allow users to install own certificates for MIDlet 

signing 

• rd 

This was fixed in S 60 3 Edition 

API access sort of following MIDP evolution 

• E xception : Messaging ( more restricted ) & P IM access on S 60 

• th 

S eries 40 5 E dition follows MIDP 2.1 

recommendation 

• Manufacturer signing requires Nokia branding 

• wiki . forum . nokia . com/ index . php / J ava_Security_Domains 

• forum . nokia . com/testing 

© 2 0 0 8 Nokia Slide 1 3 


S ecurity Policies on Motorola devices 


• UTI Root Certificate enabled for Trusted Third Party Domain use. 

• Begun shipping UTI inside the V360 product in 2005. 

• API access follows MIDP 2.0 guidelines 

• Login to http :// developer . motorola . com, “ Testing & Certification ” for 

• S igning Information . 

• Certificates Information . 

• Policy Information . 

• Manufacturer signing requires 

• Valid Partner Agreement to be in place . 

• S ee http :// developer . motorola . com for the requirements to become a 

partner. 

© 2 0 0 8 Nokia Slide 1 4 


S ecurity Policies on S ony Ericsson devices 


• UTI Root for J ava Verified available on all phones since 2005 

• 

Thawte and VeriS ign certificates available on most phones since 

2005 

• API access 

• Follows MIDP recommendations , although less limitations on J P-8 

phones ( read/ write user data ) 

• Also user can change the permission setting at the prompt 

• Manufacturer signing requires MIDlet to be Sony 

Ericsson owned or licensed 

• developer . sonyericsson . com/ getDocument . do? 

docId=99421 

© 2 0 0 8 Nokia Slide 1 5 


Operator phones behaving differently 

• U. S . 

• AT&T Wireless ( formerly known as Cingular ) – 

• S print – CDMA 

• T- Mobile U. S . – GS M 

•EMEA 

GS M 

• Hutchinson 3 G & Orange Israel – GS M 

•China 

• China Unicom – 

CDMA 

© 2 0 0 8 Nokia Slide 1 6 


AT&T Wireles s 

• Three versions of specifications available 

• No access from Unidentified 3 

rd party domain to 

• S ockets , user data , messaging , Bluetooth , camera , locationing , etc. 

• Identified 3 

rd party domain has about same limitations 

• One- shot access to messaging , camera 

• Certificates : VeriS ign , Thawte , UTI Root for MIDP 

• AT&T Preferred 

• S ort of like “ standard ” Identified 3 

rd party domain 

• AT&T Trusted 

• Operator domain 

• AT&T signing requires partnering with AT&T 

• Certified S olution Partners , ME dia Net and ME dia Mall Content Providers 

• http :// developer . att. 

com 

© 2 0 0 8 Nokia Slide 1 7 


S print 

• Unidentified 3 

rd party domain – no access to: 

• Read files or personal data 

• Edit files or personal data 

• Messaging 

• Capture / playback audio / video and take a snapshot 

• Locationing 

• No identified 3 


• Two certificates 

• S print Nextel Production Root Certificate 

• S print Nextel Developer Root Certificate 

• Inactive by default , need VeriS ign certificate to activate 

• http :// developer. sprint . com 

© 2 0 0 8 Nokia Slide 1 8 


T-Mobile U.S . 


rd party domain – no access to any 

restricted API 

• Identified 3 

rd party domain does not exist 

• S emi- Trusted T-Mobile 

• S ort of like “ standard ” Identified 3 


• 

No optional settings 

• Trusted T-Mobile 

• Operator domain 

• Testing / verification / signing by Tira Wireless 

© 2 0 0 8 Nokia Slide 1 9 


Hutchinson 3 / Orange Is rael 

• Note : Orange Israel Orange in general ! 

• Unidentified and Identified 3 

rd party domains have 

no access to: 

• User data 

• Locationing 

• S mart card 

© 2 0 0 8 Nokia Slide 2 0 


China Unicom 


rd Party domain – no access to: 

• platformRequest () 

• Network connections 

• Messaging 

• PushRegistry 

• Local connectivity 

• PIM access ( read and edit ) 

• UniJ a 3 D Graphics 

• UniJ a S tandby Mode 

• No Identified 3 

rd Party Domain 

• Operator domain has full access 

• Also a testing certificate is available – valid for 21 days 

© 2 0 0 8 Nokia Slide 2 1 


S ecurity domain top 10 is sues 

1. “ This is my device . I should be allowed to do what ever I want with 

it!” 

2. “ Can I change the default settings ?” 

3. 

Using certificates not available on the phones 

• E asy fix : Remove the MIDlet-Certificate-X-X and MIDlet-Jar-RSA-SHA1 

attributes and install the MIDlet as untrusted 

• Remember to list the permissions in the J AD file 

• Check time & date , insert S IM 

• The right amount of MIDlet-Certificate-X-Ys 

• S ocket access from unsigned app to ports 80, 8080, and 443 

• Could you use MIDlet-Permissions-Opt instead of MIDlet- 

Permissions? 

• Having too much information in the manifest ( changing the 

attributes would change the J AR file…) 

• Accept operator limitations or ( if possible ) learn to partner with them 

© 2 0 0 8 Nokia Slide 2 2 


My final words 

• Learn the basic terminology and recommended 

security policy 

• Remember that there is a lot of variance between 

implementations , including 

• Domains 

• Default and optional permissions 

• Certificates 

• User prompts 

© 2 0 0 8 Nokia Slide 2 3 


Time for Q&A and Dis cus sion 

• Thank you! 

© 2 0 0 8 Nokia Slide 2 4

Java ME Security Domain Policies - download - Java

Create successful ePaper yourself

Delete template?

Save as template?