Java Security on Mobile Devices
With new technologies, security is a key issue that is always brought up in conversations, but quite often we fail to see the big picture. For example, with Java applications (MIDlets, as they are called), the usual answer to the question about security is "Yes, it is secure, it's the Java sandbox thing." That attitude stops at the sandbox and overlooks several other, quite obvious, ways an application or its data can be compromised.
What Do We Mean by Security?
What kind of security do we mean? Are we concerned about the software doing something harmful to the mobile device or are we concerned about other people getting their hands on the information we have in the application?
How about if someone steals your phone while it's not locked? The thief can then use every application on the phone and read all the information you entered into the device. This threat is so obvious that some companies have banned the use of PDAs outright.
If we manage to secure the application in the device and pay extra attention to not losing the device itself, what else can go wrong? If the application is a networked application and thus uses a server to store or forward information, the connection can be "listened to" and the server can be attacked.
Thus, we come to the same conclusion as with any other type of application: there are some new aspects, but all the old ones are still there to worry about. Figure 1 shows the environment you might be dealing with. The mobile device itself is on the left; then come the mobile phone network and the IP network; and the Web server and database server are on the right.
Figure 1 The architecture of a simple networked MIDlet.
This article first takes a look at the famous Java sandbox, discusses ways to secure the information being sent from the device to the server, and finally looks at securing the server or servers.