Learning Path: MIDP Application Security

Print-friendly Version

Prerequisites     Java Tutorial New to Java Programming Center Learning Path: Getting Started with MIDP       Resources     Applied Cryptography CERT Coordination Center Counterpane Internet Security, Inc.       Related Materials           About MIDP Application Security     Audience: Advanced Estimated time: 12 hours

This learning path imparts the basics of application security and shows you how to apply that knowledge in applications that include MIDP clients. There are four main sections. First, Overview provides basic information on application security and cryptography. Next, Application Security in MIDP details how MIDlets run and interact with the underlying security implementation. Then Cryptography in MIDP delves into the specifics of cryptography. Finally, Further Reading provides resources for readers who wish to explore security more broadly.

To benefit fully from this learning path, you first must understand basic MIDP programming. If you need to get up to speed, try our Getting Started with MIDP learning path.

• Overview
• Application Security in MIDP
• Cryptography in MIDP
• Further Reading

• MIDP Application Security 1: Design Concerns and Cryptography provides a broad overview of the need for application security and how cryptography addresses this need.
• Trail: Security in Java 2 SDK 1.2, part of the Java Tutorial, describes the tools and techniques for securing J2SE applications. Most of the conceptual material applies to MIDP, although of course many of J2SE's features are not available directly in MIDP. Don't get bogged down in the details, but make sure you understand why application security is important and how, in general, security is implemented in J2SE.

• Wireless Java Security describes at a high level the application security model for MIDP 1.0. It covers how applications run inside a Java Virtual Machine, the bytecode-verification process, and the security constraints of the MIDP environment.
• Understanding MIDP 2.0's Security Architecture is a broad overview of MIDP 2.0's application security model. You'll learn how MIDlets can request permission for sensitive operations, how protection domains contain MIDlets, and how to use the J2ME Wireless Toolkit to sign a MIDlet suite.

• MIDP Application Security 2: Understanding SSL and TLS gives an overview of how TLS (and its close cousin, SSL) provide data security over insecure networks. You'll learn how the TLS protocol works in some detail before diving into the specifics of its implementation in MIDP 1.0 and 2.0.
• Secure Java MIDP Programming Using HTTPS with MIDP provides another angle on using HTTPS in the MIDP 1.0 world. It also describes how to configure Tomcat to provide HTTPS service.
• MIDP Application Security 3: Authentication in MIDP examines the problem of proving identity. It includes source code for a MIDlet that authenticates itself to a server using a digital signature and a certificate.

• The CERT Coordination Center provides up-to-the-minute advisories and alerts on all sorts of security vulnerabilities. Although most of its information has to do with operating systems and desktop applications rather than mobile devices, it does provide an excellent view on the world of computer security and the kinds of vulnerabilities that attackers exploit.
• Lance Spitzner has written many fascinating papers about The Honeynet Project, in which he sets up vulnerable systems and observes attackers as they probe and take control. Some of these are now published as a book, Know Your Enemy.