Java 2 Micro Edition, used mainly in portable devices, is seen as a relatively safe programming environment. There are, however, ways of attacking mobile applications. Mostly, they take advantage of the inattention or carelessness of application programmers and distributors.
What you will learn…
- how to attack applications created with Java 2 Micro Edition,
- how to attack portable devices in MIDP standard,
- how to secure your own programs written in J2ME.
What you should know…
- the basics of Java programming,
- what SSL (Secure Sockets Layer) is.
J2ME (Sun Microsystems Java 2 Micro Edition) is gaining popularity rapidly. Practically all mobile phone manufacturers offer devices that allow users to download, install and run applications written in this variant of Java – among others, games and simple utilities. The presence of J2ME in PDA (Personal Digital Assistant) devices is no longer a novelty either. Programmers create more and more sophisticated applications, processing data of increasing significance (not to mention electronic banking). All that makes the problem of J2ME application security increasingly important. Let us have a closer look at the scenarios of possible attacks on portable devices using this version of Java. Remember that such methods mainly take advantage of human – both programmers’ and users’ – inattention. The programming environment itself is designed well.
Scenario 1 – MIDlet spoofing
Installation of most applications in portable devices requires their earlier downloading from the Internet. But, as a matter of fact, how is a user to know what kind of application they are downloading? Perhaps it is possible to convince them to download a virus into their device? There is a method of deceiving the user, so that they download and install a different application from the one they expected. Each mobile application (MIDlet Suite) consists of two parts – a .jar file, an archive containing the application together with its manifest file, and a .jad file, a descriptor (description) of the packed programs (see the Application descriptor file frame). Let us assume that we want to spoof an existing, very popular application – XMLmidlet, a newsreader – and then make users download our application into their devices, believing they are downloading the right product.
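The spoofing scenario works because the user only ever sees the descriptor, not the archive it points to. A device (or a distributor reviewing a submission) can at least verify that the two halves of a MIDlet Suite agree with each other: the MIDP specification requires that MIDlet-Name, MIDlet-Version and MIDlet-Vendor in the .jad file match the .jar manifest, and that MIDlet-Jar-Size match the real size of the downloaded archive. The following Python script is an added example and not code from the article; it builds a small constructed .jar and .jad in memory (the vendor name, version and URL are placeholders) and runs that consistency check, reporting every mismatch so that an archive swapped in behind a legitimate-looking descriptor is flagged.

```python
import io
import zipfile

# Constructed sample descriptor for this example; the URL host is a placeholder.
SAMPLE_JAD_TEMPLATE = (
    "MIDlet-Name: XMLmidlet\n"
    "MIDlet-Version: 1.0.0\n"
    "MIDlet-Vendor: Example Vendor\n"
    "MIDlet-Jar-URL: http://example.invalid/XMLmidlet.jar\n"
    "MIDlet-Jar-Size: {size}\n"
    "MicroEdition-Profile: MIDP-2.0\n"
    "MicroEdition-Configuration: CLDC-1.1\n"
)

# Constructed sample manifest that is consistent with the descriptor above.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\n"
    "MIDlet-Name: XMLmidlet\n"
    "MIDlet-Version: 1.0.0\n"
    "MIDlet-Vendor: Example Vendor\n"
    "MIDlet-1: XMLmidlet, , example.XMLmidlet\n"
    "MicroEdition-Profile: MIDP-2.0\n"
    "MicroEdition-Configuration: CLDC-1.1\n"
)


def parse_attributes(text):
    """Parse 'Key: Value' lines as used by both .jad files and JAR manifests.
    Manifest continuation lines start with a single space and extend the
    previous value; blank lines and lines without a colon are ignored."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " " and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def build_jar(manifest_text):
    """Build an in-memory JAR holding the manifest and a dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        # Placeholder bytes standing in for a compiled class (not real bytecode).
        zf.writestr("example/XMLmidlet.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def sample_suite(manifest_text=SAMPLE_MANIFEST):
    """Return a (jad_text, jar_bytes) pair whose descriptor matches the archive."""
    jar = build_jar(manifest_text)
    jad = SAMPLE_JAD_TEMPLATE.format(size=len(jar))
    return jad, jar


def check_suite(jad_text, jar_bytes):
    """Return a list of mismatches between descriptor and archive.
    An empty list means the suite is internally consistent."""
    jad = parse_attributes(jad_text)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    problems = []
    # MIDP requires these three attributes to be identical in both files.
    for key in ("MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor"):
        if jad.get(key) != manifest.get(key):
            problems.append(
                f"{key} differs: JAD={jad.get(key)!r} manifest={manifest.get(key)!r}"
            )
    # The declared size must equal the size of what was actually downloaded.
    if jad.get("MIDlet-Jar-Size") != str(len(jar_bytes)):
        problems.append(
            f"MIDlet-Jar-Size {jad.get('MIDlet-Jar-Size')} != actual {len(jar_bytes)}"
        )
    return problems


if __name__ == "__main__":
    good_jad, good_jar = sample_suite()
    print("consistent suite:", check_suite(good_jad, good_jar))
    _, swapped_jar = sample_suite(SAMPLE_MANIFEST.replace("Example Vendor", "Someone Else"))
    print("swapped archive:", check_suite(good_jad, swapped_jar))
```

A clean result only proves that the descriptor and the archive describe the same package; it says nothing about who produced them, since anyone who controls both files can make them agree. That is exactly why the spoofing scenario targets the user's trust in the descriptor rather than the format itself.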