 Data security in mobile Java applications

Posted by Admin on Thu Mar 27, 2008 8:31 am

The recent release of MIDP (Mobile Information Device Profile) features a major improvement over version 1.0. Version 2.0 includes enhanced mobile code and application security through a well-defined security manager and provisioning process. On the data and communication security front, MIDP 2.0 makes HTTPS support mandatory. HTTPS is currently the most widely used data security protocol in PersonalJava and J2ME/CDC (Java 2 Platform, Micro Edition/Connected Device Configuration) applications.

Although HTTPS proves sufficient for most of today's Internet commerce applications, future mobile applications demand more flexible, customizable, and better-optimized security schemes. In this article, I discuss the security requirements of future mobile commerce and how third-party J2ME tools can help developers meet those requirements.

I begin by discussing advanced mobile commerce security requirements and why HTTPS alone is not sufficient.

Content-based security

HTTPS, SSL (Secure Sockets Layer), and TLS (Transport Layer Security) are connection-based security protocols. The basic idea is to secure communication channels and hence secure everything that passes through those channels. This approach has several problems:

* Direct connection between client and server must be established: If our application has multiple intermediaries to provide value-added services, multiple HTTPS connections must be piped together. That not only opens potential security holes at connecting nodes, but also creates a public key certificate management nightmare. Figure 1 illustrates an example mobile transaction involving multiple intermediaries.
* All content is encrypted: In some application scenarios, such as broadcasting stock quotes or getting multilevel approval of a transaction, parts of the communication should be open. Yet we still want to verify the authenticity of those quotes and approval signatures. Connection-based security is no use here. Unnecessarily encrypting all content also introduces more processing overhead.
* HTTPS is inflexible for applications that have special security and performance requirements: It lacks support for custom handshake or key exchange mechanisms. For example, HTTPS does not require clients to authenticate themselves. Another example is that any minor digital certificate-formatting problem causes the entire HTTPS handshake to fail. The developer has no way to specify what errors can be tolerated.



Other connection channel-based security technologies, such as Virtual Private Network (VPN), have similar problems. For future mobile commerce applications, we must secure content rather than channels.

Distributed access control

Mobile applications often interact with multiple backend servers, pull information from them as needed, and assemble personalized displays for users. Each information service provider might have its own user authentication and authorization protocols. It is a major inconvenience for mobile users to sign on to each backend server manually.

Resources

* Download the source code for the examples in this article
http://www.javaworld.com/javaworld/jw-12-2002/wireless/jw-1220-wireless.zip
* For more detailed discussions and complete source code analysis, preview Michael Yuan's upcoming book, Java Mobile Enterprise Application Development
http://www.enterprisej2me.com/books.php
* The Bouncy Castle project
http://www.bouncycastle.org/
* Phaos Technology Micro Security products
http://www.phaos.com/products/category/micro.html
* NTRU toolkits
http://www.ntru.com/products/toolkits.htm
* B3 Security
http://www3.sympatico.ca/batyr/
* You can download the iDEN J2ME SDK, including the cryptography API, from Motorola's iDEN phone developer Website
http://idenphones.motorola.com/iden/developer/developer_home.jsp
* To learn more about general security challenges and solutions for mobile Java applications, read Michael Yuan and Ju Long's article "Securing Wireless J2ME" (IBM developerWorks, June 2002)
http://www-106.ibm.com/developerworks/wireless/library/wi-secj2me.html
* RSA Security's Cryptography FAQ is a good introduction to modern cryptography solutions, including the Public Key Infrastructure
http://www.rsasecurity.com/rsalabs/faq/
* Search the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml
* For more articles on J2ME and wireless development, browse the Micro Java section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-micro-index.shtml
* More Wireless Java articles
http://www.javaworld.com/columns/jw-wireless-index.shtml
* Michael Yuan also authored the following JavaWorld articles:
o "Build Database-Powered Mobile Applications on the Java Platform" (January 2002)
o "Track Wireless Sessions with J2ME/MIDP" (April 2002)
o "Java Tip 126: Prepare Cross-Server Database Access Methods with JDBC" (April 2002)
* For more articles on SDKs, browse the Development Tools section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-tools-index.shtml
* Browse JavaWorld's Product Reviews index page
http://www.javaworld.com/news-reviews/jw-nr-product-reviews.shtml
* Chat about devices galore in JavaWorld's Device Programming discussion
http://forums.devworld.com/webx?230@@.ee6b808!skip=249
* Sign up for JavaWorld's free weekly Micro Java email newsletter
http://www.javaworld.com/subscribe
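
An added example, not part of the original article, of the content-based approach described under "Content-based security": the quote travels in cleartext and carries its own signature, so the client can check its authenticity without an end-to-end HTTPS connection to the publisher. It assumes the standard Java SE java.security API rather than a MIDP library, and the class name, key size and sample quote are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class SignedQuoteDemo {
    /** A cleartext payload plus a detached signature over its bytes. */
    static final class SignedMessage {
        final String content;
        final byte[] signature;
        SignedMessage(String content, byte[] signature) {
            this.content = content;
            this.signature = signature;
        }
    }

    // Publisher side: sign the content itself, not the channel it travels on.
    static SignedMessage sign(String content, KeyPair publisher) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(publisher.getPrivate());
        s.update(content.getBytes(StandardCharsets.UTF_8));
        return new SignedMessage(content, s.sign());
    }

    // Client side: needs only the publisher's public key, however many hops the message took.
    static boolean verify(SignedMessage m, PublicKey publisherKey) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(publisherKey);
        s.update(m.content.getBytes(StandardCharsets.UTF_8));
        return s.verify(m.signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair publisher = gen.generateKeyPair();

        // Constructed sample quote; it stays readable at every intermediary.
        SignedMessage quote = sign("symbol=EXMP;price=12.34;seq=1001", publisher);
        System.out.println("relayed unchanged: " + verify(quote, publisher.getPublic()));

        // An intermediary that rewrites the price cannot produce a matching signature.
        SignedMessage altered = new SignedMessage("symbol=EXMP;price=99.99;seq=1001", quote.signature);
        System.out.println("altered in transit: " + verify(altered, publisher.getPublic()));
    }
}
```

The signature protects integrity and origin only; the quote itself remains readable, which is the property the broadcast and multilevel-approval scenarios call for.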