1-by-1 black pixel for creating lines
1-by-1 black pixel for creating lines
EricGiguere.com > Eric's J2ME Pages > J2ME Security
Printer-friendly version Set your preferences
Read my blogs on AdSense and affiliate marketing
 Eric's J2ME Pages 
•  Overviews
•  FAQs
•  Fallacies
•  Acronyms
Special Topics
•  Security
•  Web Services
•  XML
•  CDC
•  IMP
•  FP
•  PBP
•  PP
Optional Packages
•  WMA
•  Tools
•  Mailing Lists
•  Forums
•  Other


J2ME Security

Security is a concern in J2ME environments because J2ME devices tend to be handheld or otherwise mobile devices. Losing the device could be disastrous if you have sensitive or confidential data on the device. Network security is also an issue, especially in mobile devices using public wireless networks.

Network Security

The simplest way to keep your data safe is to communicate using the HTTPS or SSL protocols. Unfortunately, not all devices support one of these protocols. Those that do typically support HTTPS, not SSL — any kind of direct socket-based connection is rare to find and will certainly tend to be carrier-specific. Unless you have a specific requirement for socket-based connections, plan to tunnel your networking over HTTPS.

If HTTPS is not available, you must fallback to using HTTP. If sending data in unencrypted form is simply unacceptable, you will need to add your own encryption code to both ends of the HTTP conversation, using encryption routines from toolkits like Phoas (commercial) or The Bouncy Castle Crypto APIs (open source). Note that some platforms — especially RIM's BlackBerry handhelds — include built-in encryption APIs, so be sure to check those out. (You may still want to use a separate toolkit, though, if you need to write applications that are portable across a wide variety of devices.)

My tech tip Data Encryption for J2ME Profiles is a good place to start for more details.

Data Security

Keeping the data safe on the device also requires encryption, and for that you probably have to use a toolkit: even if HTTPS is available on your device, the encryption code probably isn't exposed.

For MIDP devices, data persistence is done through the Record Management System (RMS), which operates solely on byte arrays. The RMS doesn't know or care about what you're storing, so you're free to encode the data however you want. For safety, then, you can encrypt the data before you store it and decrypt it when you retrieve it. There will be a performance penalty, and it may be substantial for certain devices, especially those where RMS operations are slow to begin with. You'll have to run some tests to see if the penalty is acceptable.

If you encrypt the data, you'll need to prompt the user for a password. Remember that most J2ME devices do not have a full-size keyboard, so entering alphanumeric sequences can be challenging. If you do prompt for alphanumeric characters, don't use a "password field" that hides the characters as they're typed, otherwise the user will never know if they've entered the right values or not — when a keypad is used to enter alphabetic characters, each key maps to several different characters. A better approach is to use a numeric password (commonly referred to as a PIN), though it offers less security. Still, if passwords are too hard to enter then your users will curse you and turn off the security features if you've made them optional.

Learn about these ads
Google Web www.ericgiguere.com   
1-by-1 black pixel for creating lines
Copyright ©2003-2012 Eric Giguere | Send mail about this page | About this site | Privacy policy
Site design and programming by Eric Giguere | Hosting by KGB Internet Solutions
This site is Java-powered
Other sites: The Unofficial AdSense Blog | Google Suggest Explorer | Invisible Fence Guide | Synclastic
This page was last modified on March 16, 2004
1-by-1 black pixel for creating lines
1-by-1 black pixel for creating lines