Lock down J2ME applications with Kerberos, Part 1: Introducing Kerberos data formats
Users need assurance that the wireless applications they use won't compromise their sensitive information. One way to do that is to use industry-standard protocols like Kerberos to provide security. In this series, Faheem Khan will build a sample J2ME MIDlet that uses Kerberos to protect financial data. In this first article of the series, he lays the foundation by explaining the Kerberos data formats that will provide the backbone for his application's security.
MIDP Application Security 2: Understanding SSL and TLS
Transport Layer Security (TLS) is a protocol that enables authentication and data encryption over insecure networks. It is implemented as a layer between TCP/IP and higher-level network protocols like HTTP, SMTP, and NNTP. The implementation of SSL in web browsers is nearly seamless for users, providing cryptographic authentication and session-based encryption at a minimal cost in ease of use. This article describes TLS and its close cousin, Secure Sockets Layer (SSL). You'll learn how MIDP (the Mobile Information Device Profile) 1.0 and MIDP 2.0 support TLS and SSL, code some examples, and get an understanding of the security level of TLS and SSL.
MIDP Application Security 3: Authentication in MIDP
Devices that communicate over an insecure network like the Internet need to prove their identity to each other, a process called authentication. This article describes techniques MIDP clients can use for authentication. MIDP 1.0 provides no direct API support for authentication. MIDP 2.0 does support server authentication with HTTPS, but still lacks mechanisms for client authentication. The most trustworthy methods of authentication are based on secrets, little pieces of information that are not widely known. A password is one example of a secret; a private cryptographic key is another. Presenting the password or proving that you possess a private key are two methods of authentication. In this article you'll read about these techniques and others, applied specifically in MIDP clients.
Securing your J2ME/MIDP apps
XML digital signature technology can help you implement lightweight and flexible security solutions for wireless Web services applications. In this article, Michael Yuan discusses the importance of XML digital signatures and their application. He also walks through the digital signature APIs of the Bouncy Castle cryptography package, providing examples in the context of secure XML messaging between a J2ME/MIDP wireless front end and a JSP page back end.
Understanding MIDP 2.0's Security Architecture
One of the reasons MIDP is such a good platform for mobile devices is the security it offers. Part of this is inherent in the Java programming model: MIDlet code runs within the confines of a virtual machine, which means it is immune to some of the spectacular failures binary code may exhibit. Badly written or maliciously written binary code can render a device inoperable. At worst, badly written Java code will bring its Java environment to a halt, leaving the rest of the device unharmed. The security support designed into MIDP 2.0 doesn't end with the JVM, however. This article describes other MIDP 2.0 features that protect users and their devices from malicious software. You'll use the J2ME Wireless Toolkit 2.0 (beta 2 or later) to learn how to work with MIDP 2.0's security architecture.
Wireless Java Security
The Mobile Information Device Profile (MIDP), which is built on top of the Connected Limited Device Configuration Profile (CLDC), allows you to develop wireless Java applications that can be downloaded over the air from open networks. Once downloaded, they can run on the user's device. Should the user be worried about security issues, such as corrupting the cellular phone, deleting data from the device, or transferring data to a remote server? This article explains wireless Java security issues and solutions.