Attacks on Java 2 Micro Edition Applications

Java 2 Micro Edition, used mainly in portable devices, is seen as a relatively safe programming environment. There are, however, ways of attacking mobile applications. Mostly, they take advantage of the inattention or carelessness of application programmers and distributors.

What you will learn…

  • how to attack applications created with Java 2 Micro Edition,
  • how to attack portable devices in MIDP standard,
  • how to secure your own programs written in J2ME.

What you should know…

  • the basics of Java programming,
  • what SSL (Secure Sockets Layer) is.

J2ME (Sun Microsystems Java 2 Micro Edition) is gaining popularity rapidly. Practically all mobile phone manufacturers offer devices that allow users to download, install and run applications written in this variant of Java – among others, games and simple utilities. The presence of J2ME in PDA (Personal Digital Assistant) devices is no longer a novelty either. Programmers create more and more sophisticated applications, processing data of increasing significance (not to mention electronic banking). All of that makes the problem of J2ME application security increasingly important. Let us have a closer look at the scenarios of possible attacks on portable devices using this version of Java. Remember that such methods mainly take advantage of human inattention – both programmers’ and users’. The programming environment itself is designed well.

Scenario 1 – MIDlet spoofing

Installation of most applications in portable devices requires downloading them from the Internet first. But, as a matter of fact, how is a user to know what kind of application they are downloading? Perhaps it is possible to convince them to download a virus into their device? There is a method of deceiving the user so that they download and install a different application from the one they expected. Each mobile application (MIDlet Suite) consists of two parts – a .jar file, an archive containing the application together with its manifest file, and a .jad file, a descriptor (description) of the programs packed in the archive (see Frame: Application descriptor file). Let us assume that we want to spoof an existing, very popular application – XMLmidlet, a newsreader – and then make users download our application into their devices, believing they are downloading the right product.
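As an added example, not taken from the original article or from any MIDP tool: a small Python check that a distributor or user could run before installing, verifying that the .jad descriptor is consistent with the .jar it points to. It relies on the MIDP installation rule that MIDlet-Name, MIDlet-Version and MIDlet-Vendor must appear in both the descriptor and the manifest with identical values, and that MIDlet-Jar-Size must equal the real archive size; the sample manifest, descriptor and vendor string are constructed placeholders, and a descriptor crafted together with its archive will of course pass this check.

```python
import io
import zipfile

# MIDP requires these attributes in both files with identical values.
MUST_MATCH = ("MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor")

# Constructed sample data: manifest of a suite calling itself XMLmidlet (vendor is a placeholder).
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\nMIDlet-Name: XMLmidlet\r\n"
                   "MIDlet-Version: 1.0\r\nMIDlet-Vendor: Example Vendor\r\n")

def parse_attributes(text):
    """Parse 'Name: value' lines (.jad and manifest); a leading space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] == " " and last is not None:  # manifest line wrapping
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def build_jar(manifest_text):
    """Build a minimal in-memory .jar holding only a manifest (test data, not a real MIDlet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

def check_suite(jad_text, jar_bytes):
    """Return descriptor/archive mismatches; an empty list means the two are consistent."""
    jad = parse_attributes(jad_text)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    problems = []
    for key in MUST_MATCH:
        if jad.get(key) != manifest.get(key):
            problems.append(f"{key}: descriptor {jad.get(key)!r} vs manifest {manifest.get(key)!r}")
    if jad.get("MIDlet-Jar-Size") != str(len(jar_bytes)):
        problems.append(f"MIDlet-Jar-Size: descriptor {jad.get('MIDlet-Jar-Size')!r} vs actual {len(jar_bytes)}")
    return problems

def demo():
    """A descriptor advertising a different vendor than the archive it points to."""
    jar = build_jar(SAMPLE_MANIFEST)
    jad = ("MIDlet-Name: XMLmidlet\nMIDlet-Version: 1.0\nMIDlet-Vendor: Someone Else\n"
           f"MIDlet-Jar-URL: XMLmidlet.jar\nMIDlet-Jar-Size: {len(jar)}\n")
    return check_suite(jad, jar)  # one problem reported, on MIDlet-Vendor
```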
