
How to protect the .jar of my MIDlet with an OTA server

 
Ould Nadif
Ranch Hand
Hi all,

I created an OTA server to distribute my MIDlet.
Here is an extract:
<a href="MadMixer.jad">Download MadMixer</a><br/>

In MadMixer.jad there is the path (absolute or relative) of MadMixer.jar (the .jar of my MIDlet). Anyone using a browser (Internet Explorer or Netscape) can get my MadMixer.jar.

How can I prevent anyone from downloading my .jar?

Thank you for your help.

OULD NADIF
 
Lasse Koskela
author
Sheriff
Originally posted by OULD NADIF:
How can I prevent anyone from downloading my .jar?

Don't put the .jar file on a server...

Seriously, who do you want to give access to download the application?
 
Punit Raizada
Ranch Hand
Hi,

I don't know the best way for you to avoid the MIDlet being downloaded to a PC by an "UNAUTHORIZED" user, but here is one implementation of the OTA:

- Store all the jars and jads in a directory (say "repos").
- When the user requests the download of a particular MIDlet suite, post the name, user info etc. to a page (say "download").
- "download" will then copy the jad and jar of the requested MIDlet suite to another directory (say "content") and shoot back HTML to the cellphone with a link to download the app from the directory "content".
- Once the MIDlet is installed on the user's phone, the Install-Notify page will delete the MIDlet suite from the content folder...

So if anyone does download the HTML page... they get the location of the jar in the content directory, but the jar wouldn't be there...

hope this helps ...
 
Lasse Koskela
author
Sheriff
Punit's approach would work, but I would prefer using "virtual" download tokens instead of physically copying files around.

Something like:
1) Generate a unique download token (e.g. "5139454360523465023456234523") and store it in a database along with the file path of the associated .jar file and an expiration timestamp (5 minutes in the future should do).
2) Generate the HTML (shouldn't it be WML?) page with a link to http://www.myserver.com/downloadservlet?id=5139454360523465023456234523 instead of the actual .jar file.
3) Have "downloadservlet" check that the download token is found in the database and hasn't expired yet, and then read the file from disk and write its contents out as the response.
4) When (if) you get an Install-Notify from the terminal, mark the download token as consumed (not really necessary if you're OK with someone downloading the same content multiple times during the expiration period).
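The four steps above, as an added example that is not code from the thread or from any of its posters. It models the token life cycle (issue, link, redeem, consume on Install-Notify, purge) in plain Python rather than as a Java servlet, so it can be run without a container; the database is an in-memory dictionary, and the token length, the example .jar path and the five-minute lifetime are assumptions taken from the post.

```python
"""Download-token store for an OTA download servlet (added example).

Models the four steps described in the post: issue an unguessable token bound
to one .jar path and an expiry, link to the servlet instead of the file, check
the token on download, and mark it consumed on Install-Notify.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_LIFETIME_SECONDS = 5 * 60  # "5 minutes in the future should do" (from the post)


@dataclass
class DownloadToken:
    jar_path: str      # file the token is allowed to release
    expires_at: float  # absolute epoch time after which the token is dead
    consumed: bool = False


@dataclass
class TokenStore:
    """Stands in for the database table the post describes (assumption)."""
    tokens: Dict[str, DownloadToken] = field(default_factory=dict)

    def issue(self, jar_path: str, now: Optional[float] = None) -> str:
        # Step 1: the token must be unpredictable, so it comes from the OS CSPRNG
        # (128 bits), not from a counter or a hash of the file name.
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self.tokens[token] = DownloadToken(jar_path, now + TOKEN_LIFETIME_SECONDS)
        return token

    @staticmethod
    def download_link(token: str,
                      base: str = "http://www.myserver.com/downloadservlet") -> str:
        # Step 2: the WML/HTML page links to the servlet, never to the .jar itself.
        return f"{base}?id={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        # Step 3: the servlet accepts the token only if it exists, is unexpired
        # and unconsumed; it returns the path to stream, or None for a 404/403.
        now = time.time() if now is None else now
        entry = self.tokens.get(token)
        if entry is None or entry.consumed or now > entry.expires_at:
            return None
        return entry.jar_path

    def install_notified(self, token: str) -> bool:
        # Step 4: an Install-Notify from the handset retires the token.
        entry = self.tokens.get(token)
        if entry is None:
            return False
        entry.consumed = True
        return True

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Housekeeping: drop dead tokens so the table does not grow forever."""
        now = time.time() if now is None else now
        stale = [t for t, e in self.tokens.items() if now > e.expires_at]
        for t in stale:
            del self.tokens[t]
        return len(stale)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("/repos/MadMixer.jar")  # assumed path
    print(store.download_link(tok))
    print("serve:", store.redeem(tok))
    store.install_notified(tok)
    print("after Install-Notify:", store.redeem(tok))
```

The `now` parameter exists so expiry can be tested deterministically; in a servlet you would pass nothing and let it read the clock. A lookup that fails for any reason returns `None` rather than saying why, so the response does not tell a guesser whether a token ever existed.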
 
Punit Raizada
Ranch Hand
That's a nice way... and yup, it can either be WML or HTML.
[ June 30, 2004: Message edited by: Punit Raizada ]
 
Lasse Koskela
author
Sheriff
Actually, the solution is still missing a way to prevent someone from using a web browser to download the .jar file... The unique token should only be generated for requests that we know are coming from a legit user. One way would be to validate that the request is coming through an IP address we know belongs to a mobile operator's WAP gateway.
 
manoj pillai
Ranch Hand
You could restrict the jar access based on the User-Agent HTTP header field. Not a 100% reliable solution, as the User-Agent field could be set programmatically (or using some request filters etc.) in the request, but it should be sufficient to prevent most casual web users from downloading the jar.
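The two gating ideas from the last two replies (only issue a token when the request arrives through a known operator WAP gateway address, and only when the User-Agent looks like a handset browser), as an added example that is not code from the thread. The gateway range, the User-Agent fragments and the sample requests are constructed; a real deployment would use the address ranges the operator publishes.

```python
"""Request gate for the OTA download page (added example).

Decides whether a request may receive a download token at all. The source
address check is the stronger one: the TCP peer address is not chosen by the
client. The User-Agent check is a deterrent only, because that header is
supplied by the client and can say anything.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumption: the operator WAP gateway ranges you have been given.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
TRUSTED_GATEWAYS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed heuristic: fragments typical of handset browsers of the period.
PHONE_UA = re.compile(
    r"(Nokia|SonyEricsson|Siemens|SAMSUNG|MIDP|CLDC|UP\.Browser)", re.IGNORECASE)


def from_trusted_gateway(remote_addr: str) -> bool:
    """True only if the peer address lies inside a configured gateway range.
    Note: if the web server sits behind a reverse proxy that rewrites the
    source address, this check sees the proxy and must be adapted."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_GATEWAYS)


def looks_like_phone(user_agent: str) -> bool:
    """Deterrent only: the client controls this header."""
    return bool(PHONE_UA.search(user_agent or ""))


def gate_decision(remote_addr: str, user_agent: str) -> str:
    """'allow' when both checks pass; otherwise a reason string for the access log."""
    if not from_trusted_gateway(remote_addr):
        return "deny:not-gateway"
    if not looks_like_phone(user_agent):
        return "deny:user-agent"
    return "allow"


# Constructed sample requests: (peer address, User-Agent header).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("203.0.113.17",
     "Nokia3650/1.0 SymbianOS/6.1 Series60/1.2 Profile/MIDP-1.0 Configuration/CLDC-1.0"),
    ("198.51.100.9", "Nokia3650/1.0 Profile/MIDP-1.0"),   # handset UA, but not via a gateway
    ("203.0.113.17", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),  # PC browser
]


def audit(requests: List[Tuple[str, str]] = SAMPLE_REQUESTS) -> List[Tuple[str, str]]:
    """Run the gate over a batch of requests; what you would write to the access log."""
    return [(addr, gate_decision(addr, ua)) for addr, ua in requests]


if __name__ == "__main__":
    for addr, decision in audit():
        print(addr, decision)
```

The decision string is deliberately specific for the log and deliberately not returned to the client: the handset gets the page or a plain denial, the operator gets to see which check failed.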
 
Ould Nadif
Ranch Hand
Thanks all for your help,

I have good and bad news about protecting my .jar:

I'll start with the good news:
If I do a test on HTTP_USER_AGENT, I can tell the difference between a WAP browser and a PC browser. So if my script detects that it is not a WAP browser, I do not display my .wml page, and the path of my .jad doesn't appear.

Now, the bad news:
Even if I download my .jar from a WAP browser, once I have installed my MIDlet there is always a possibility to distribute my .jar from my device by Bluetooth or other means.

In these conditions, how do I protect my MIDlet?

OULD NADIF
 
Lasse Koskela
author
Sheriff
Originally posted by OULD NADIF:
Even if I download my .jar from a WAP browser, once I have installed my MIDlet there is always a possibility to distribute my .jar from my device by Bluetooth or other means.

In these conditions, how do I protect my MIDlet?

Most devices don't let you transfer applications to other devices, I believe. (I may be blatantly wrong, of course)
 
Ould Nadif
Ranch Hand
Thanks for your help,

Yes you are right.

But on all the Series 60 devices it is possible (Nokia N-Gage, 3650; Siemens SX1; etc.): I did the test. I could send my MIDlet from my mobile to another by Bluetooth or mail.

I have to resolve the problem; I shall study it and find at least how to protect my algorithm.

OULD NADIF
 
Punit Raizada
Ranch Hand
hmmm...

Just wondering... when you transfer a jar file from one phone to another, does the JAD get transferred too?

I think not, but can you confirm, OULD?


Thanks
 
Lasse Koskela
author
Sheriff
Originally posted by OULD NADIF:
But on all the Series 60 devices it is possible (Nokia N-Gage, 3650; Siemens SX1; etc.): I did the test. I could send my MIDlet from my mobile to another by Bluetooth or mail.

Oh, ok then.
 
Sam Hendley
Greenhorn
Anyone who will invest enough effort to try to get the Jar onto their PC from their cell phone can just as easily send a bullshit HTTP request that apes what would come from a cell phone. I could post a Python script that I put together in a few minutes for www.trytohack.nl that could be modified to do this without any problems. Not that you shouldn't set this up to deter the casual thief, but it is really not all that secure.
 
Anonymous
Ranch Hand
Hi

Try to use an obfuscator if you want to protect your algorithm; it will make it harder to reverse engineer your code.

It will also reduce the size of your .jar file.

BR Jan
 
James Reilly
wrangler
Ranch Hand
I didn't see any mention of using e.g. HTTP Basic Authentication for the directory (and files) where the .jad and .jar are kept on the web server. This is normally very straightforward to configure on e.g. a per-user basis with Apache, Tomcat, etc. Depending on one's needs, that might give some minimal protection. Also the web server can be configured so that timestamped log files show who is accessing (or who attempts to access) a directory.

This ought to work with both HTML and WML browsers (at least all such phone and PC browsers that I've ever tried). The ease of typing in the username + password on a phone's browser might be an issue for some usernames or passwords, esp. if they are long.

br,
j
[ July 02, 2004: Message edited by: James Reilly ]
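What a web server does when a directory is behind HTTP Basic Authentication, as an added example that is not code from the thread and not Apache's or Tomcat's own implementation: it parses the Authorization header, decodes user:password, verifies it against a salted hash so no plaintext password is stored, and records each attempt with a timestamp, which is the log the post refers to. The realm name, the user entry and the sample addresses are constructed.

```python
"""HTTP Basic Authentication check for a protected .jad/.jar directory (added example).

Shows the mechanics a server applies per request: challenge when no
credentials are present, verify when they are, and log every attempt.
"""
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

REALM = "MadMixer OTA"  # assumed realm name, shown by the browser's login prompt


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash so a leaked user file does not leak passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user database: username -> (salt, hash). Plaintext is never kept.
USERS: Dict[str, Tuple[bytes, bytes]] = {"nadif": make_user("correct horse battery staple")}

# Timestamped access log: (epoch time, peer address, user, outcome).
ACCESS_LOG: List[Tuple[float, str, str, str]] = []


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Basic <base64>' or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # password itself may contain ':'
    return (user, password) if sep else None


def authenticate(header: Optional[str], remote_addr: str = "0.0.0.0",
                 now: Optional[float] = None) -> bool:
    """True if the header carries valid credentials; every attempt is logged."""
    now = time.time() if now is None else now
    creds = parse_basic(header)
    if creds is None:
        ACCESS_LOG.append((now, remote_addr, "-", "challenge"))  # send 401 + challenge
        return False
    user, password = creds
    salt, expected = USERS.get(user, (b"", b""))
    # compare_digest keeps the comparison time independent of where bytes differ.
    ok = user in USERS and hmac.compare_digest(hash_password(password, salt), expected)
    ACCESS_LOG.append((now, remote_addr, user, "ok" if ok else "fail"))
    return ok


def challenge_headers() -> Dict[str, str]:
    """Header to send with the 401 so the browser prompts for credentials."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the prompt; used here to build sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(authenticate(None, "203.0.113.5"), challenge_headers())
    print(authenticate(basic_header("nadif", "correct horse battery staple"), "203.0.113.5"))
    print(authenticate(basic_header("nadif", "wrong"), "203.0.113.5"))
    for entry in ACCESS_LOG:
        print(entry)
```

Basic Authentication sends the password base64-encoded, not encrypted, so the scheme only protects the directory listing and the files if the transport itself is protected or the threat is casual browsing; the log, not the scheme, is what tells you who tried.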
 
Ould Nadif
Ranch Hand
Just wondering... when you transfer a jar file from one phone to another, does the JAD get transferred too?

YES, I could send both the .jar and the .jad separately from my mobile to another mobile or PC.

OULD NADIF
 
Ould Nadif
Ranch Hand
Originally posted by Jan Søgaard:
Hi

Try to use an obfuscator if you want to protect your algorithm; it will make it harder to reverse engineer your code.

It will also reduce the size of your .jar file.

BR Jan


I thought about using an obfuscator. I noticed it strongly reduces my .jar too: it is a good thing.
But when I use an external API (kXML2.zip) to parse my XML document and I use the obfuscator, my XML parsing doesn't work.

OULD NADIF
 
Anonymous
Ranch Hand
Hi.

It is important to run the obfuscator before you preverify your code.

Here is an article about it, using Ant. (I'm not the author of that article ;o) It explains how to unpack the jar file after running the obfuscator in order to run the preverification.

http://www.webpronews.com/it/applicationdevelopment/wpn-19-20030611J2MEUsingAntwithJ2ME.html

Hope this helps.

Jan
 
Johann Evans
Ranch Hand
I don't think there is any secure way to protect your IP, since byte code is completely reversible even if obfuscated, and obfuscated byte code only needs a bit of work before things become clear again.

What I would however suggest is offloading your sensitive IP to a server (since you are making use of a networked device) and accessing it by means of service requests and result responses, if you can afford the network comms (which are usually very small) or if the security measure requires such an extent.
 