6: Java Mobile Edition Security
Network Monitor displaying UDP and HTTP traffic
It also does not provide a huge amount of detail. After all, it was built for performance analysis with well-understood applications, not for hackers. Follow these steps to capture data using the Profiler:
1. Open the JME SDK and load your source project. Make sure it compiles.
2. Right-click on the emulator profile in the Device Manager pane and select
3. Choose Enable Profiler. Record the Profiler filename listed in the properties panel (the filename will have the extension .prof).
4. Start the project by clicking the Run arrow.
5. Exercise the application. The goal is to figure out which code blocks are executed the most often and which system APIs are being called.
6. Terminate the application and close the emulator.
7. Open the Profiler log by clicking on Tools | Import JME SDK Snapshot.
Mobile Application Security
Profiler view after running the NetworkDemo application
8. Browse to the stored .prof file and click Okay.
9. The result will appear similar to Figure 6-3. The call graph can be expanded by clicking the plus arrow.
All JME code is written in Java, and Java is a memory-managed language that prevents buffer and integer overflows and direct manipulation of memory and the hardware. The virtual machine makes this security magic possible by verifying every instruction before execution and ensuring that all application code handles memory and objects safely. Not having to worry about memory-related security issues is a real boon to developers, but it doesn't mean that they are free and clear. Application code can still use the network and local storage insecurely, and the virtual machine implementation itself might have problems that attackers could exploit to compromise devices. For example, Adam Gowdiak reported a vulnerability in the Kilobyte Virtual Machine's verifier that an application could use to escape the sandbox (http://secunia.com/advisories/12945/). The risk of a JVM error pales in comparison to the risk of writing every JME application in an unmanaged language such as C.
The CLDC JSR specifies that JVMs implementing the CLDC configuration must only load and execute valid Java bytecode. In addition, CLDC JVMs do not support all of Java's language features. Specifically, the CLDC 1.1 JSR says that CLDC must ensure the following:

- Class files must be properly verified and the Java bytecode well formed. All code branches must follow predictable paths and jump to controlled memory addresses. Code verification ensures that the application is not able to execute illegal instructions.
- Applications cannot load custom class loaders or classes of their choosing. If attackers could load their own classes, they could pull in application code without the user's knowledge.
- The API set exposed to applications is predefined. Therefore, applications cannot use Java reflection to dynamically load classes or access private methods. By forcing a predefined set, device manufacturers and carriers know which platform APIs are exposed and how the application will be able to access the hardware. Device manufacturers and carriers can always add to the protected set if they want to expose device model-specific functionality (for example, the camera or a digital compass).
- Native functionality is prohibited. Java native invocation (JNI) is a technology used to bridge between native code (such as C/C++) and managed Java code. Native code executes outside of the JVM and cannot be monitored. Therefore, JME applications must be prevented from using JNI and including native extension libraries.
- Applications cannot extend classes in the java.*, javax.microedition.*, and other manufacturer-specific packages. If malicious applications were allowed to overload sensitive system classes, they might be able to take advantage of polymorphism and force system APIs to execute attacker-supplied code when calling object methods.
- All classes must come from the same JAR file. This requirement prevents applications from loading and using classes from other applications that may be installed on a device. This restriction may change when libraries are introduced as part of MIDP 3.0.

These restrictions aim to stop applications from running Java code that cannot be managed or accesses the hardware in unexpected ways. MIDP relies on this infrastructure to build a higher level application sandbox, which will be discussed
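Three of the restrictions listed above (no native methods, no classes declared in system packages, no custom class loaders or reflection) leave traces in a compiled class file that a reviewer can check before installation. The following is an added example, not code from the book or from any CLDC verifier; `audit_class`, `sample_class` and the `BANNED_REFS` markers are assumptions made for illustration, and the sample class bytes are constructed.

```python
import struct

ACC_NATIVE = 0x0100
SYSTEM_PKGS = ("java/", "javax/microedition/")   # packages named in the text
BANNED_REFS = ("java/lang/ClassLoader", "java/lang/reflect/")  # assumed markers
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4}

def audit_class(data):                            # data: bytes of one .class file
    if data[:4] != b"\xca\xfe\xba\xbe":
        return ["not a class file"]
    count = struct.unpack_from(">H", data, 8)[0]
    pos, i, utf8, classes = 10, 1, {}, {}
    while i < count:
        tag = data[pos]
        if tag == 1:                              # CONSTANT_Utf8: u2 length + bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            utf8[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        elif tag in CP_SIZE:
            if tag == 7:                          # CONSTANT_Class: index of its name
                classes[i] = struct.unpack_from(">H", data, pos + 1)[0]
            pos += 1 + CP_SIZE[tag]
        else:
            return ["unsupported constant pool tag %d" % tag]
        i += 2 if tag in (5, 6) else 1            # long/double occupy two slots
    _, this_idx, _, n_ifaces = struct.unpack_from(">4H", data, pos)
    pos += 8 + 2 * n_ifaces
    name = utf8[classes[this_idx]]
    found = ["declared in system package: " + name] if name.startswith(SYSTEM_PKGS) else []
    found += ["references " + utf8[c] for c in classes.values()
              if utf8[c].startswith(BANNED_REFS)]
    for kind in ("field", "method"):              # fields come first, then methods
        n = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        for _ in range(n):
            flags, name_idx, _, n_attr = struct.unpack_from(">4H", data, pos)
            pos += 8
            for _ in range(n_attr):               # skip each attribute body
                pos += 6 + struct.unpack_from(">I", data, pos + 2)[0]
            if kind == "method" and flags & ACC_NATIVE:
                found.append("native method: " + utf8[name_idx])
    return found

def sample_class(name, super_name, native):       # constructed input, not a real MIDlet
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = u(name) + b"\x07\x00\x01" + u(super_name) + b"\x07\x00\x03" + u("poke") + u("()V")
    return (b"\xca\xfe\xba\xbe\x00\x00\x00\x2f" + struct.pack(">H", 7) + cp
            + struct.pack(">6H", 0x21, 2, 4, 0, 0, 1)
            + struct.pack(">4H", 0x101 if native else 1, 5, 6, 0) + b"\x00\x00")
```

To audit a real application, call `audit_class` on the bytes of each `.class` entry read from the MIDlet JAR; an empty list means none of the three checks fired, not that the class would pass bytecode verification.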