Contents Previous Next Index

Chapter   3

Using MIDP Security Features


The MIDP 2.0 specification defines a security model that requires MIDlets to have permission to use security-sensitive APIs. This is different from the MIDP 1.0 security model, which had all MIDlet suites operate in a sandbox that prevented access to sensitive APIs or functions of the device.

This chapter explains the security model as the MIDP Reference Implementation implements it, and how to use it. It has the sections:

Overview

This section defines the terms used in the security model. It has the topics:

Trusted and Untrusted MIDlets

The security model defines two types of MIDlet suites:

An untrusted MIDlet suite runs in a restricted environment where access to protected APIs or functionality is either not allowed or is allowed only with explicit user permission. A trusted MIDlet suite can be run in a less restricted environment.

The MIDP Reference Implementation determines whether it can trust a signed MIDlet suite by following the certificate chain of suite’s digital signature. A certificate chain is a series of certificates: the first certificate contains the public key that can be used to check the signature of the JAR file; the second certificate, if present, vouches that the first certificate valid, and the third certificate, if present, vouches that the second certificate is valid, and so on until a root certificate is reached. The root certificate does not have another entity vouching for it; it is self-signed. (It is also possible that the first certificate is self-signed. That is the simplest certificate chain.) The certificate chain, except for the root certificate, is in the MIDlet suite’s JAD file. The entity at the root of the certificate chain must have its information present on the device. The following figure shows an example certificate chain:

JAD file with 2 certificates, and device with the root CA certificate

FIGURE 31  –  Example Certificate Chain

Root certificates are issued and signed by certificate authorities (CAs), which are well known, trusted entities. MIDlet developers might also use root certificates from network operators. For testing purposes, a developer can use a less official certificate as a root certificate, such as dummyca from the JCA keystore at midpInstallDir/bin/j2se_test_keystore.bin (the readme.txt file in that directory has the passwords) or a certificate generated using the keytool utility of the Java™ 2 Platform, Standard Edition (J2SE™). See
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html for more information.)

By being the root of a certificate chain, the entity says that it knows that the MIDlet is a legitimate application, not a malicious one. The root signer of a certificate chain must be one accepted by the device (in this case, the MIDP Reference Implementation’s device emulator) or the MIDlet suite will not be installed or run. (See Chapter 4, "Managing Public Keys of Certificate Authorities” for more information on adding a CA’s public key to the device emulator.)

A trusted MIDlet suite can be granted access to security-sensitive APIs and functionality, within the bounds of the device emulator’s security policy. A security policy associates MIDlets with protection domains. Protection domains list the security-sensitive APIs or functionalities that the device will allow the associated MIDlet suites to access, sometimes only after getting approval from the user. They are lists of permissions. (See "Protection Domains" for more information.)

Permissions

Permissions identify the security-sensitive APIs or functionalities to which the device limits access. The name of a permission indicates what it is protecting. If a permission is protecting functionality provided by a package, the permission has the package name as a prefix. If a permission is protecting functionality provided by a class, its name must include both the package and class name. For example, a permission that protects the functionality provided by the PushRegistry class (the class that a MIDlet uses to have the device launch it to receive an incoming message; in other words, to use the push functionality) is called javax.microedition.io.PushRegistry.

The MIDP 2.0 specification defines the following permissions:

TABLE 1  –  Permission Names Defined in the MIDP 2.0 Specification
Functionality
Permission Name
HTTP protocol
javax.microedition.io.Connector.http 
HTTPS protocol
javax.microedition.io.Connector.https 
Datagram protocol
javax.microedition.io.Connector.datagram 
Datagram server protocol
(without host)
javax.microedition.io.Connector.datagramreceiver 
Socket protocol
javax.microedition.io.Connector.socket 
Server socket protocol (without host)
javax.microedition.io.Connector.serversocket 
SSL protocol
javax.microedition.io.Connector.ssl 
Comm protocol
javax.microedition.io.Connector.comm 
Use the registry that holds information on MIDlets that will be launched to handle incoming messages
javax.microedition.io.PushRegistry 

Protection Domains

A protection domain defines a set of permissions that can be granted to MIDlet suites. The set does not contain every permission available, but lists only the permissions for which the protection domain can grant access. If a permission does not appear in a protection domain, then the MIDlet suites associated with the domain are denied access to that protected functionality.

To explain protection domains more fully, this section has the topics:

Interaction Modes

A protection domain defines the maximum level of access a MIDlet suite can be granted to each permission in its permission set. Each can be either an:

The user permission interaction modes in the protection domain are the highest levels of access that a user may grant to a MIDlet suite. A protection domain can also associate a default interaction mode with a user permission. The default is the interaction mode that the device could suggest to a user. For example, consider a device that requests permission by presenting interaction modes in an exclusive choice list. (The interaction modes might be presented in choices like, “No, Not this time,” “Yes this time, and ask me again next time,” “Yes from now on. Don’t ask again,” and so on.) In this case, the device would use the default to determine which element of the list to preselect.

Built-in Protection Domains

The MIDP Reference Implementation provides the following protection domains:

As the domain descriptions illustrate, the lists of permissions associated with a protection domain can be long. To make protection domains easier to manage, they can contain aliases. An alias is a name for a group of permissions. When a protection domain uses an alias for one or more of its permissions, it grants the same level of access to all the permissions in that alias.

Associating MIDlet Suites and Protection Domains

The MIDP Reference Implementation treats signed and unsigned MIDlet suites differently when assigning protection domains. If a MIDlet suite is unsigned, you can force it into any domain when you use the command-line to install it or temporarily download and run it. (Using the command-line is described in Chapter 2, "Using the midp Executable.”) If it is not forced, the MIDP Reference Implementation assigns an unsigned MIDlet suite to the untrusted domain.

If the MIDlet suite is signed, the MIDP Reference Implementation will assign it to the domain associated with an entity that signed the suite. That is, the device emulator holds the public keys of certificate authorities. When you enter a public key into the device emulator, you associate the key with a domain. (See "Importing a Key" for more information.) When the MIDP Reference Implementation checks the MIDlet suite’s digital signature, it uses a CA’s public key. It then assigns the MIDlet suite to the protection domain associated with that public key, if it determines that it can trust the suite.

The Authorization Process

Authorization is an interaction between the needs of the MIDlet suite to use protected APIs, and the permission policies of the device. For trusted MIDlet suites there are two times that the MIDP implementation checks permissions. The first is when the user tries to put the MIDlet suite on the device; the second is when a MIDlet in the suite calls a protected API:

MIDP checks the permissions of untrusted MIDlets only when they call a protected API.

Managing the Security Policy

The MIDP Reference Implementation defines its security policy in the file midpInstallDir\appdb\_policy.txt, where midpInstallDir is the directory that holds your MIDP installation. The policy file defines the following aliases, to make the file easier to read and maintain:

It also has the four domains listed previously, minimum, maximum, trusted, and untrusted. In the untrusted domain, the permissions have a user permission of blanket and a default level of session. CODE EXAMPLE 1 shows the policy file.

CODE EXAMPLE 1 The midpInstallDir\appdb\_policy.txt File
alias: net_access 
  javax.microedition.io.Connector.http, 
  javax.microedition.io.Connector.socket, 
  javax.microedition.io.Connector.https, 
  javax.microedition.io.Connector.ssl, 
  javax.microedition.io.Connector.datagram, 
  javax.microedition.io.Connector.serversocket, 
  javax.microedition.io.Connector.datagramreceiver 
 
alias: application_auto_invocation 
  javax.microedition.io.PushRegistry 
 
alias: local_connectivity 
  javax.microedition.io.Connector.comm 
 
domain: minimum 
 
domain: maximum 
  allow: net_access 
  allow: application_auto_invocation 
  allow: local_connectivity 
 
domain: trusted 
  allow: net_access 
  allow: application_auto_invocation 
  allow: local_connectivity 
 
domain: untrusted 
  blanket(session): net_access 
  blanket(session): application_auto_invocation 
  blanket(session): local_connectivity 

You can change this file with any text editor.


Note – Do not change this file in a way that is incompatible with the MIDP 2.0 Specification or with the MIDP TCK.

The MIDP 2.0 Specification mandates that a MIDP 2.0 implementation be able to run MIDP 1.0 MIDlets and keep the HTTP and HTTPS functionality protected. This means that the untrusted domain must have a user level of access for the following permissions:

  javax.microedition.io.Connector.http 
  javax.microedition.io.Connector.https 

See TABLE 1 for the list of permissions defined by the MIDP 2.0 Specification. See the documentation that comes with your TCK for its security requirements.

 


Contents Previous Next Index Using MIDP
MIDP Reference Implementation, Version 2.0 FCS