MIDP security

Java ME implementation in Symbian and Series 40 devices complies with the security model specified in

  • MIDP 2.1 (Mobile Information Device Profile 2.1, JSR-118)

  • MSA 248 (Mobile Service Architecture, JSR-248)

The MIDP security model defines a code signing scheme based on X.509 Public Key Infrastructure, (PKI). Code signing is used to verify the integrity and origin of installed applications and to determine the level of trust the device has for the application.

The MIDP security model also specifies access control to protected functions available in the Java ME environment. The level of trust the device has for the application determines whether or not the application is granted access to a certain protected function. Access can be either direct or after end user approval.

Why MIDP security?

Java ME defines an application environment for mobile devices enabling third-party applications to be installed and executed in them. Environments that enable 3rd Party applications are expected to offer the level of security that can protect end users interests against badly defined or badly behaving applications. The device must have means to securely execute applications that are using potentially harmful functions that may incur costs for the end user or may compromise end user privacy. For example making phone calls, sending SMS/MMS messages, connecting to network or other devices nearby, accessing and modifying user data like calendar and contacts, and sending user data to network or other devices. MIDP security provides the mechanism for controlled and secure access.

For more information, see MIDP application security in Nokia devices.

Why sign your MIDlet Suite?

It is advised that you digitally sign your applications before starting to distribute them. Here are four important reasons for doing so:

  • Acceptance - many application distribution channels like Nokia Store require applications to be signed before accepting them for distribution

  • User experience - the end user experience of trusted MIDP applications is better than of untrusted ones, because of fewer security prompts shown to the end user

  • Tamper proofing - by digitally signing an application it can be ensured that malicious parties cannot tamper with your application in any phase of the delivery chain, and cause harm to end users

  • Credibility - credible players in the application industry are security aware and constantly drive practises that benefit the application ecosystem and protect end user interests

For more information, see Signing a MIDlet suite.