Malicious MIDlet?!

[koelschejung],

To open a HTTP connection from a MIDlet, one has to launch that MIDlet. The user must intervene and launch that MIDlet hence wouldn't this be the responisibility of the mobilephone user whether or not he wishes to launch the MIDlet?

This is the reason why even if there is just one MIDlet in a MIDlet suite on a mobilephone, one still gets the menu option to launch the MIDlet by having the user explicitly selecting the application.

As for OTA (over-the-air) installation of a MIDlet onto mobilephone devices, a user must explicitly agree to install the MIDlet by pressing a button to indicate acceptance of a MIDlet to be installed onto the phone. This is a security measure in itself already.

HTH.

Allen Lai

Developer Technical Support

SUN Microsystems

http://www.sun.com/developers/support/

allenlai at 2007-7-1 15:04:06 >

This is true but has always been the case sense release of the first malicious program. I beleive that

this is more a job for the Operating System to validate

trusted and untrusted bytecodes than it is of the programming language. Any time were there is a network type connection to a computing device you run the risk of becoming infected by a virus or backdoor. I'm sure

there are plenty of cases of people decompiling trusted

programs and opening up a "Backdoor" for them to "Rape"

your system at there disposal. One comes to a point where implementing more security policies and checkpoints creates more difficulty than security.

I have seen a Visual Basic(****) program on the Computer Chronicles(PBS) where an unknowing computer user opens a game sent through an e-mail. While the user is enjoying himself pieing Bill Gates in the face

the Game runs the driver for your microphone and records every thing going on in the room while the game is being played Which could easily be transfered to a

waiting Server for further use of exploiting this given user.

So what it comes down to is that the only way you will be completly safe from the attack of malicious

codes is to run what we call an AIRWALL around here.

which simply means to unplug you system from the network. In the real world this is not an option.

Hope you enjoyed my incoherent rambilings,

--Ian

IanMechura at 2007-7-1 15:04:06 >

<b>

This is one of the major interest of "open" type development communities. Some would say that having

to compile a program that you downloaded off the web

before you could use it is a major pain and the main reason many "open" projects will never make a real go in the software market. But, just like the example of the game that runs a malicious program in the background while it's entertaining you, If you would have had the sorce code for this game certainly anyone with

even elementary programming skills would know that it does not require an http, ftp, ppp connection or acces to a serial driver just to display logically orginized graphics on the screen and doe a little math. Which would almost definately be relayed around the world to make people aware about this threat. So, this security measure in question all leads down to only installing software aquired from a trusted source or

reading the sources of un-trusted software when available.

</b>

Good chat,

Ian Mechura

dba@ghg.net

IanMechura at 2007-7-1 15:04:06 >

I have'nt yet developed all that much knowledge of the working of these devices, simply because of lack of equipment (and budget) but what you say sounds like a good idea. It actually should be your choice when you get your device to ask you before installing a MIDlet.

Since these Mobile O.S's are still new to most of us

I think the major companies like Palm and Microsoft still have the chance to design there upcoming operating Systems from a more secure basis so they do

not run into what Microsoft ran into by throwing all there work, money and time into developing an O.S. later to find that the computer world was a much more devious unsecure place than they had suspected. Maybe

they should make a small mock of the unix System for this, You know REAL password protection. Groups and file permissions would be almopst irrelevent since there would only need two modes root and user(there would only be one user).

Have you heard of a TINI. it is a complete computer

with a Unix based O.S. that has a kernel written completely in Java. The whole thing fits on one SIMM Ram stick. if you would like to check it out the last time I read about it it was at www.dalsemi.com.

--Ian

IanMechura at 2007-7-1 15:04:06 >