Java ME Security Domain Policies<br />
Hartti Suomela<br />
Forum Nokia
Rough Overview of the Talk<br />
• Security domains in theory<br />
• What’s Java Verified?<br />
• What’s coming in MIDP 3.0?<br />
• Security domain implementation on Motorola, Nokia, and Sony Ericsson devices<br />
• Security domain implementations on operator-branded devices<br />
• Top issues for Java ME developers<br />
• Questions, answers and discussion<br />
• Disclaimer<br />
• I work for Forum Nokia<br />
• What is presented here for other manufacturers and for operators is gathered from documentation, online sources and from contacts in the respective companies – changes may happen anytime<br />
© 2008 Nokia Slide 2<br />
Company Confidential
Theory of Security Domains<br />
• The MIDP 2.0 specification contains a RECOMMENDED Security Policy<br />
• Devices “are expected to comply with this ...”<br />
• In real life (small) differences abound<br />
• Main idea: access to methods deemed security-sensitive is restricted<br />
• Protect the privacy of the user<br />
• Protect the user from potential costs<br />
• This is all implemented with protection domains, certificates, function groups, default access rights, optional access rights, and user prompts<br />
Protection Domains<br />
• The MIDP 2.0 & MIDP 2.1 specifications define FOUR protection domains; MIDP 2.1 renames them as follows<br />
MIDP 2.0: Manufacturer Domain – MIDP 2.1: Manufacturer Protection Domain<br />
MIDP 2.0: Operator Domain – MIDP 2.1: Operator Protection Domain<br />
MIDP 2.0: Trusted Third Party Domain – MIDP 2.1: Identified Third Party Protection Domain<br />
MIDP 2.0: Untrusted Domain – MIDP 2.1: Unidentified Third Party Protection Domain<br />
• Protection Domain Root Certificates are bound to Protection Domains<br />
• MIDlets are tied to protection domains by signing them with certificates that chain up to these Root Certificates<br />
Certificates – what are those?<br />
• Certificates are part of a Public Key Infrastructure (PKI)<br />
• The private key is used to sign the application<br />
• Can you trust the signature on the application?<br />
• The public key is used to verify that the signature is authentic<br />
• Root certificates are embedded in the phone by the manufacturer<br />
• A “root certificate” belongs to one domain only<br />
• The MIDP spec states that root certificates cannot be added after the phone has been manufactured<br />
• Exceptions: operator certificates on the SIM, S60 2nd Edition devices<br />
Restricted methods are grouped in Function Groups<br />
• Net access<br />
• The MIDP spec also defines low-level net access, but on many phones this has been combined into the Net access function group<br />
• Messaging<br />
• The MIDP spec also defines restricted messaging<br />
• Application auto-start<br />
• Local connectivity<br />
• Multimedia recording<br />
• Read user data (including files and PIM)<br />
• Write / Edit user data (including files and PIM)<br />
• Location<br />
• Landmark store<br />
• Smart card communication<br />
• Authentication<br />
• (Call control)<br />
• (Phone call)<br />
Function groups and access rights<br />
• An access right can be one of four options<br />
• Always allow / Blanket access<br />
• Ask first time / Ask once per session<br />
• Ask every time<br />
• Not allowed<br />
• The default access rights cannot be changed by the application; users have to change them manually<br />
• How to change the settings? – varies from phone to phone<br />
User prompts<br />
• If access is lower than “Always allowed”, the user is prompted before the restricted method call<br />
• getSnapshot – sometimes the picture is taken before permission is asked<br />
Untrusted / Unidentified 3rd Party domain is the most limited<br />
• Unidentified < Identified < Manufacturer / Operator<br />
• Manufacturer and Operator domains have “Always allowed” as default<br />
• MIDP 2.0 < MIDP 2.0.1 < MIDP 2.1 (later revisions are less restrictive)<br />
• Signed MIDlets have potentially “unlimited” access to all APIs in MIDP 2.1<br />
• Note: even signed MIDlets (Identified 3rd Party Protection Domain) do not have “Always allowed” as default – users get prompted<br />
• Note: MIDP 1.0 MIDlets are executed in the Untrusted / Unidentified 3rd Party Domain<br />
What happens during signing and installation?<br />
• Before signing, the JAD file carries only the descriptor attributes:<br />
MIDlet-Name:<br />
MIDlet-Permissions:<br />
MIDlet-Vendor:<br />
…<br />
• Signing adds the certificate chain and the signature over the JAR to the JAD file:<br />
MIDlet-Name:<br />
MIDlet-Permissions:<br />
MIDlet-Vendor:<br />
…<br />
MIDlet-Certificate-1-1<br />
MIDlet-Jar-RSA-SHA1<br />
• Installation time:<br />
• Does the device have the corresponding root certificate? Is the information correct (does the signature verify over the JAR, and do the JAD attributes agree with the manifest)?<br />
• No: installation fails<br />
• Yes: installation succeeds<br />
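The flow on this slide, worked through as an added example for this page (it is not code from the talk, from Nokia or from any MIDP signing tool): a Python model of what the signing tool writes into the JAD and what the phone verifies before it binds the suite to a protection domain. Everything in it is constructed: the certificate format is a simplified (subject, issuer, public key, signature) record rather than X.509, the RSA keys are deterministic toy keys built from Mersenne primes (trivially factorable, illustration only), and the root name "Demo Third Party Root", the signer "Example Ltd" and the JAR bytes are invented.<br />

```python
"""Added example (not from the talk): what a signing tool adds to a MIDP 2.x JAD and what the
device checks at installation time.  MIDlet-Jar-RSA-SHA1 carries a PKCS#1 v1.5 RSA/SHA-1
signature over the JAR bytes; certificates are simplified here to (subject, issuer, public key,
signature) records instead of X.509 DER, and the whole PKI is constructed inline."""
import base64
import hashlib

SHA1_DIGEST_INFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447 DigestInfo prefix
E = 65537

def toy_keypair(a, b):
    """RSA key from the Mersenne primes 2^a-1 and 2^b-1: deterministic and trivially factorable,
    used only so the example runs without prime generation.  Never use such a key for real."""
    p, q = (1 << a) - 1, (1 << b) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # public (n, e), private (n, d)

def _em(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data) into k bytes."""
    t = SHA1_DIGEST_INFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(priv, data):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_em(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(pub, data, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _em(data, k)

def _tbs(subject, issuer, pub):
    """The to-be-signed part of the simplified certificate (no '|' allowed in names)."""
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()

def issue_cert(subject, pub, issuer, issuer_priv):
    return (subject, issuer, pub, rsa_sha1_sign(issuer_priv, _tbs(subject, issuer, pub)))

def encode_cert(cert):
    return base64.b64encode(_tbs(*cert[:3]) + b"|" + cert[3].hex().encode()).decode()

def decode_cert(text):
    subject, issuer, n, e, sig = base64.b64decode(text).decode().split("|")
    return (subject, issuer, (int(n), int(e)), bytes.fromhex(sig))

def sign_jad(jad, jar_bytes, signer_priv, chain):
    """Signing-tool side: add MIDlet-Certificate-1-<m>  (signer first, root excluded) and
    MIDlet-Jar-RSA-SHA1.  Only the JAR bytes are signed; the JAD attributes themselves are not."""
    out = dict(jad)
    for m, cert in enumerate(chain, 1):
        out[f"MIDlet-Certificate-1-{m}"] = encode_cert(cert)
    out["MIDlet-Jar-RSA-SHA1"] = base64.b64encode(rsa_sha1_sign(signer_priv, jar_bytes)).decode()
    return out

class InstallError(Exception):
    pass

def install(jad, jar_bytes, device_roots):
    """Device side.  device_roots: {root subject: (self-signed root cert, protection domain)}.
    Returns the domain the suite is bound to, or raises InstallError (the 'No' on slide 10)."""
    if "MIDlet-Jar-RSA-SHA1" not in jad:
        return "Unidentified Third Party"  # unsigned: weakest domain, no root needed
    chain, m = [], 1
    while f"MIDlet-Certificate-1-{m}" in jad:
        chain.append(decode_cert(jad[f"MIDlet-Certificate-1-{m}"]))
        m += 1
    if not chain:
        raise InstallError("MIDlet-Jar-RSA-SHA1 present but no certificate chain")
    if chain[-1][1] not in device_roots:
        raise InstallError(f"root '{chain[-1][1]}' is not on this device")
    root_cert, domain = device_roots[chain[-1][1]]
    for child, parent in zip(chain, chain[1:] + [root_cert]):  # each cert issued by the next one
        if child[1] != parent[0] or not rsa_sha1_verify(parent[2], _tbs(*child[:3]), child[3]):
            raise InstallError(f"'{child[0]}' is not validly issued by '{parent[0]}'")
    if not rsa_sha1_verify(chain[0][2], jar_bytes, base64.b64decode(jad["MIDlet-Jar-RSA-SHA1"])):
        raise InstallError("JAR signature does not verify: JAR altered or wrong signer")
    return domain

def try_install(jad, jar_bytes, device_roots):
    """The domain on success, otherwise the installer's error text."""
    try:
        return install(jad, jar_bytes, device_roots)
    except InstallError as err:
        return f"installation fails: {err}"

def build_demo():
    """Constructed PKI: a self-signed third-party root the device holds and one signer below it."""
    root_pub, root_priv = toy_keypair(521, 127)
    signer_pub, signer_priv = toy_keypair(607, 89)
    root_cert = issue_cert("Demo Third Party Root", root_pub, "Demo Third Party Root", root_priv)
    signer_cert = issue_cert("Example Ltd", signer_pub, "Demo Third Party Root", root_priv)
    roots = {"Demo Third Party Root": (root_cert, "Identified Third Party")}
    jar = b"PK\x03\x04 constructed JAR bytes, not a real archive"
    jad = sign_jad({"MIDlet-Name": "Demo", "MIDlet-Vendor": "Example Ltd"}, jar, signer_priv, [signer_cert])
    return jad, jar, roots
```

Calling build_demo() and then install() on the result lands the suite in the Identified Third Party domain; the same JAD with one byte of the JAR changed, or on a phone whose device_roots lacks the root, fails exactly where slide 10 says “No”. Two points the slide leaves implicit are visible in the code: the chain walk up to a root the phone already holds is what selects the domain, and the signature covers only the JAR bytes, so an edited MIDlet-Vendor in the JAD still installs and the device has to compare JAD and manifest separately for trusted suites.<br />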
Java Verified<br />
• Industry-endorsed application testing and signing program<br />
• MIDlets are tested against certain criteria for a set of devices and signed after passing the test<br />
• Certificate: GeoTrust CA for UTI<br />
• The most widely available Identified 3rd Party Domain root certificate<br />
• Result:<br />
• The application (JAR) cannot be altered without invalidating the signature<br />
• The application is installed to the Identified 3rd Party protection domain of the device<br />
• Better user experience:<br />
• The application is trusted by the device, no installation errors<br />
• The user has more options to control the application behaviour<br />
• Access to certain APIs<br />
• Note: testing houses might not have new devices immediately after launch!<br />
How does MIDP 3.0 change this picture?<br />
• Note: this is speculative, based on the draft specification<br />
• The final specification is not ready<br />
• First devices coming out even further in the future<br />
• Substantial market penetration happening even later<br />
• MIDP 2 domain trust model with class-based permissions<br />
• CLDC updated to include security / permissions related classes<br />
• External domain policy files<br />
• Communication between MIDlets<br />
• The security policy is no longer merely recommended<br />
• Although the wording allows deviations from the defined permissions<br />
• Additional protection domains are allowed for operators<br />
• Separate function groups for sending and receiving messages<br />
• Some CDC-related stuff (system-level access restrictions)<br />
Security Policies on Nokia Devices<br />
• Certificates<br />
• UTI root for Java Verified available on all phones since 2004<br />
• Notable exceptions: Nokia 6600, Nokia 3220 and Nokia 6230<br />
• Thawte and VeriSign certificates available on most phones since 2005<br />
• S60 2nd Edition phones allow users to install their own certificates for MIDlet signing<br />
• This was fixed in S60 3rd Edition<br />
• API access roughly follows the MIDP evolution<br />
• Exception: Messaging (more restricted) & PIM access on S60<br />
• Series 40 5th Edition follows the MIDP 2.1 recommendation<br />
• Manufacturer signing requires Nokia branding<br />
• wiki.forum.nokia.com/index.php/Java_Security_Domains<br />
• forum.nokia.com/testing<br />
Security Policies on Motorola devices<br />
• Certificates<br />
• UTI Root Certificate enabled for Trusted Third Party Domain use<br />
• Began shipping the UTI root inside the V360 product in 2005<br />
• API access follows MIDP 2.0 guidelines<br />
• Log in to http://developer.motorola.com, “Testing & Certification”, for<br />
• Signing information<br />
• Certificates information<br />
• Policy information<br />
• Manufacturer signing requires<br />
• A valid Partner Agreement to be in place<br />
• See http://developer.motorola.com for the requirements to become a partner<br />
Security Policies on Sony Ericsson devices<br />
• Certificates<br />
• UTI Root for Java Verified available on all phones since 2005<br />
• Thawte and VeriSign certificates available on most phones since 2005<br />
• API access<br />
• Follows MIDP recommendations, although with fewer limitations on JP-8 phones (read/write user data)<br />
• Also, the user can change the permission setting at the prompt<br />
• Manufacturer signing requires the MIDlet to be Sony Ericsson owned or licensed<br />
• developer.sonyericsson.com/getDocument.do?docId=99421<br />
Operator phones behaving differently<br />
• U.S.<br />
• AT&T Wireless (formerly known as Cingular) – GSM<br />
• Sprint – CDMA<br />
• T-Mobile U.S. – GSM<br />
• EMEA<br />
• Hutchison 3G & Orange Israel – GSM<br />
• China<br />
• China Unicom – CDMA<br />
AT&T Wireless<br />
• Three versions of specifications available<br />
• No access from the Unidentified 3rd party domain to<br />
• Sockets, user data, messaging, Bluetooth, camera, locationing, etc.<br />
• The Identified 3rd party domain has about the same limitations<br />
• One-shot access to messaging, camera<br />
• Certificates: VeriSign, Thawte, UTI Root for MIDP<br />
• AT&T Preferred<br />
• Sort of like the “standard” Identified 3rd party domain<br />
• AT&T Trusted<br />
• Operator domain<br />
• AT&T signing requires partnering with AT&T<br />
• Certified Solution Partners, MEdia Net and MEdia Mall Content Providers<br />
• http://developer.att.com<br />
Sprint<br />
• Unidentified 3rd party domain – no access to:<br />
• Read files or personal data<br />
• Edit files or personal data<br />
• Messaging<br />
• Capture / playback audio / video and take a snapshot<br />
• Locationing<br />
• No Identified 3rd party domain<br />
• Two certificates<br />
• Sprint Nextel Production Root Certificate<br />
• Sprint Nextel Developer Root Certificate<br />
• Inactive by default, need a VeriSign certificate to activate<br />
• http://developer.sprint.com<br />
T-Mobile U.S.<br />
• Unidentified 3rd party domain – no access to any restricted API<br />
• Identified 3rd party domain does not exist<br />
• Semi-Trusted T-Mobile<br />
• Sort of like the “standard” Identified 3rd party domain<br />
• No optional settings<br />
• Trusted T-Mobile<br />
• Operator domain<br />
• Testing / verification / signing by Tira Wireless<br />
Hutchison 3 / Orange Israel<br />
• Note: Orange Israel is not the same as Orange in general!<br />
• Unidentified and Identified 3rd party domains have no access to:<br />
• User data<br />
• Locationing<br />
• Smart card<br />
China Unicom<br />
• Unidentified 3rd Party domain – no access to:<br />
• platformRequest()<br />
• Network connections<br />
• Messaging<br />
• PushRegistry<br />
• Local connectivity<br />
• PIM access (read and edit)<br />
• UniJa 3D Graphics<br />
• UniJa Standby Mode<br />
• No Identified 3rd Party Domain<br />
• Operator domain has full access<br />
• Also a testing certificate is available – valid for 21 days<br />
Security domain top 10 issues<br />
1. “This is my device. I should be allowed to do whatever I want with it!”<br />
2. “Can I change the default settings?”<br />
3. Using certificates not available on the phones<br />
• Easy fix: remove the MIDlet-Certificate-X-Y and MIDlet-Jar-RSA-SHA1 attributes and install the MIDlet as untrusted<br />
• Remember to list the permissions in the JAD file<br />
• Check time & date, insert SIM (certificate validity is checked against the phone clock, and operator roots may live on the SIM)<br />
• The right amount of MIDlet-Certificate-X-Ys<br />
• Socket access from an unsigned app to ports 80, 8080, and 443 is refused<br />
• Could you use MIDlet-Permissions-Opt instead of MIDlet-Permissions?<br />
• Having too much information in the manifest (changing the attributes would change the JAR file and invalidate its signature…)<br />
• Accept operator limitations or (if possible) learn to partner with them<br />
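Most of the issues above that are not about policy (certificates missing from the phone, the permission lists, the numbering of MIDlet-Certificate-X-Y, manifest versus JAD) come down to how the installer reads the JAD. As an added example for this page (not code from the talk or from any device), the following Python models those checks together with the two JAD-side fixes the slide suggests: stripping the signature attributes to install as untrusted, and moving a permission to MIDlet-Permissions-Opt. The permission-to-function-group mapping, the domain policy and the sample JAD and manifest are constructed for illustration and do not describe any real phone.<br />

```python
"""Added example (not from the talk): the JAD attribute checks a MIDP 2.x installer makes,
behind several of the 'top issues' above, plus the two JAD-side fixes the slide suggests.
Permission mapping, domain policy and the sample files are constructed for illustration."""
import re

# permission -> function group (group names as on slide 6); a constructed subset only
PERMISSION_GROUPS = {
    "javax.microedition.io.Connector.http": "Net access",
    "javax.microedition.io.Connector.socket": "Net access",  # low-level net access, merged on many phones
    "javax.wireless.messaging.sms.send": "Messaging",
    "javax.microedition.io.PushRegistry": "Application auto-start",
    "javax.microedition.media.control.VideoControl.getSnapshot": "Multimedia recording",
    "javax.microedition.io.Connector.file.read": "Read user data",
    "javax.microedition.location.Location": "Location",
}
# Constructed policy for a hypothetical operator-branded phone: one of slide 7's four access
# levels per function group; a group not listed is "denied" in that domain.
DOMAIN_POLICY = {
    "Unidentified Third Party": {"Net access": "oneshot", "Multimedia recording": "oneshot"},
    "Identified Third Party": {"Net access": "session", "Messaging": "oneshot", "Application auto-start": "session",
                               "Multimedia recording": "oneshot", "Read user data": "oneshot", "Location": "oneshot"},
    "Operator": {group: "blanket" for group in set(PERMISSION_GROUPS.values())},
}
IDENTITY_ATTRS = ("MIDlet-Name", "MIDlet-Vendor", "MIDlet-Version")
CERT_ATTR = re.compile(r"^MIDlet-Certificate-(\d+)-(\d+)$")

def parse_jad(text):
    """A JAD is just 'Attribute: value' lines."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def split_permissions(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def check_certificate_attributes(jad):
    """'The right amount of MIDlet-Certificate-X-Ys': chain X must be numbered X-1, X-2, ... with
    no gaps, and MIDlet-Jar-RSA-SHA1 and the chain(s) must appear together.  Returns problems."""
    problems, chains = [], {}
    for key in jad:
        if match := CERT_ATTR.match(key):
            chains.setdefault(int(match.group(1)), set()).add(int(match.group(2)))
    for x, indices in sorted(chains.items()):
        if indices != set(range(1, len(indices) + 1)):
            problems.append(f"chain {x}: indices {sorted(indices)} are not contiguous from 1")
    if bool(chains) != ("MIDlet-Jar-RSA-SHA1" in jad):
        problems.append("MIDlet-Jar-RSA-SHA1 and MIDlet-Certificate-X-Y must appear together")
    return problems

def check_install(jad, manifest, domain):
    """Installation-time decision for a suite bound to `domain`: (ok, messages).  A required
    permission the domain denies fails the install; optional ones are only decided at call time."""
    policy, errors, notes = DOMAIN_POLICY[domain], [], []
    for key in IDENTITY_ATTRS:  # must agree for every suite, trusted or not
        if jad.get(key) != manifest.get(key):
            errors.append(f"{key} differs between JAD and manifest")
    if "MIDlet-Jar-RSA-SHA1" in jad:
        # The JAD lies outside the JAR signature, so for a trusted suite every attribute present
        # in both files must match; an edited JAD over a stale manifest refuses the install.
        for key in sorted((set(jad) & set(manifest)) - set(IDENTITY_ATTRS)):
            if jad[key] != manifest[key]:
                errors.append(f"{key} differs between JAD and manifest")
    for perm in split_permissions(jad.get("MIDlet-Permissions", "")):
        if policy.get(PERMISSION_GROUPS.get(perm), "denied") == "denied":
            errors.append(f"required permission {perm} is not available in the {domain} domain")
    for perm in split_permissions(jad.get("MIDlet-Permissions-Opt", "")):
        notes.append(f"optional permission {perm}: {policy.get(PERMISSION_GROUPS.get(perm), 'denied')} at runtime")
    return not errors, errors + notes

def make_untrusted(jad):
    """Slide 22's easy fix: drop the signature and certificate attributes so the suite installs as
    Unidentified Third Party instead of failing on a root certificate the phone does not have."""
    return {k: v for k, v in jad.items() if k != "MIDlet-Jar-RSA-SHA1" and not CERT_ATTR.match(k)}

def move_to_optional(jad, perms):
    """Move permissions to MIDlet-Permissions-Opt: a denial no longer blocks installation, but the
    API then throws SecurityException when the MIDlet actually calls it."""
    out, perms = dict(jad), set(perms)
    required = split_permissions(out.pop("MIDlet-Permissions", ""))
    optional = split_permissions(out.get("MIDlet-Permissions-Opt", "")) + [p for p in required if p in perms]
    if kept := [p for p in required if p not in perms]:
        out["MIDlet-Permissions"] = ", ".join(kept)
    if optional:
        out["MIDlet-Permissions-Opt"] = ", ".join(optional)
    return out

# Constructed sample; the base64 values are placeholders, not real certificates or signatures.
SAMPLE_JAD = """\
MIDlet-Name: DemoChat
MIDlet-Vendor: Example Ltd
MIDlet-Version: 1.0.0
MIDlet-Permissions: javax.microedition.io.Connector.http, javax.wireless.messaging.sms.send
MIDlet-Permissions-Opt: javax.microedition.location.Location
MIDlet-Certificate-1-1: TUlJQi4uLg==
MIDlet-Certificate-1-3: TUlJQi4uLg==
MIDlet-Jar-RSA-SHA1: c2lnbmF0dXJlLi4u
"""
# The manifest inside the signed JAR still lists only the HTTP permission.
SAMPLE_MANIFEST = {"MIDlet-Name": "DemoChat", "MIDlet-Vendor": "Example Ltd",
                   "MIDlet-Version": "1.0.0", "MIDlet-Permissions": "javax.microedition.io.Connector.http"}
```

With the sample as constructed, check_certificate_attributes reports the gap between MIDlet-Certificate-1-1 and 1-3; check_install refuses the signed suite in the Identified Third Party domain because the JAD lists an SMS permission the signed manifest does not; make_untrusted clears the certificate problem, but the suite still fails in the Unidentified domain on the required Messaging permission, and move_to_optional then makes it install, at the price of a SecurityException when the MIDlet actually sends an SMS.<br />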
My final words<br />
• Learn the basic terminology and the recommended security policy<br />
• Remember that there is a lot of variance between implementations, including<br />
• Domains<br />
• Default and optional permissions<br />
• Certificates<br />
• User prompts<br />
Time for Q&A and Discussion<br />
• Thank you!<br />