Java 2 ME - a playground for malicious code? presented at Virus Bulletin 2002

by Markus Schmall (T-Mobile)

Tags: Security


Summary: Java itself has been known for several years. In recent years
this programming language has gained enormous importance and, as a logical
consequence, the first pure Java 2 ME (mobile edition) enabled mobile
phones were introduced in 2001. Is security an issue for mobile

Obviously, yes ...

In 2001 we heard of problems related to i-mode phones (NTT DoCoMo) and
malicious emails. As a first step, the presentation takes a brief look at
the overall architecture of Java 2 ME, its limitations in comparison to
the Java 2 Standard Edition, and the built-in security features.

Next, possible attack scenarios, possibilities for malicious code, and
ways to test for common attacks are discussed.

As a practical example, the presentation shows the proprietary Java
packages shipped with Siemens SL42i/45i mobile phones and discusses
security-related features and dedicated attack scenarios.

Additionally, the presentation shows the results of a security-oriented
check of Java 2 ME API calls from the Siemens Java package.
Furthermore, the presentation discusses the need for digital rights
management within Java 2 ME applications, which can be used, for
example, to sign applications as trusted.