How to protect the .jar of my Midlet with a OTA server

Ould Nadif
Ranch Hand

Joined: Jan 21, 2004
Posts: 184
Hi all,

I created an OTA server to distribute my MIDlet.
Here is an extract:
<a href="MadMixer.jad">Download MadMixer</a><br/>

In the MadMixer.jad there is the path (absolute or relative) of MadMixer.jar (the .jar of my MIDlet). Anyone using a browser (Internet Explorer or Netscape) can have my MadMixer.jar.

How can I prevent anyone from downloading my .jar?

Thank you for your help.

OULD NADIF


We are ones that build the world, thus build it well.
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
Originally posted by OULD NADIF:
How can I prevent anyone from downloading my .jar?

Don't put the .jar file on a server...

Seriously, who do you want to give access to download the application?


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
Punit Raizada
Ranch Hand

Joined: Mar 20, 2004
Posts: 156
Hi,

I don't know the best way for you to avoid the MIDlet being downloaded on the PC by an "UNAUTHORIZED" user, but here is one implementation of the OTA:

- Store all the jars and jads in a directory (say "repos").
- When the user requests the download of a particular MIDlet suite, post the name, user info, etc. to a page (say "download").
- "download" will then copy the jad and jar of the requested MIDlet suite to another directory (say "content") and shoot back HTML to the cellphone with a link to download the app from the directory "content".
- Once the MIDlet is installed on the user's phone, the Install Notify page will delete the MIDlet suite from the content folder...

So if anyone does download the HTML page, they get the location of the jar in the content directory, but the jar wouldn't be there...

hope this helps ...


SCJP 1.4
Everything that can go wrong will go wrong -Murphy
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
Punit's approach would work, but I would prefer using "virtual" download tokens instead of physically copying files around.

Something like:
1) Generate a unique download token (e.g. "5139454360523465023456234523") and store it into a database along with the file path to the associated .jar file and an expiration timestamp (5 minutes in the future should do)
2) Generate the HTML (shouldn't it be WML?) page with a link to http://www.myserver.com/downloadservlet?id=5139454360523465023456234523 instead of the actual .jar file
3) Have "downloadservlet" check that the download token is found from the database and hasn't expired yet, and to read the file from disk and write its contents out as the response
4) When (if) you get an Install-Notify from the terminal, mark the download token as consumed (not really necessary if you're ok with someone downloading the same content multiple times during the expiration period).
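
The token scheme in the post above, as an added example that is not code from the thread. The class name `DownloadTokens` is hypothetical, an in-memory map stands in for the database of step 1, and the token is 128 bits from a CSPRNG so it cannot be guessed or enumerated; the servlet would call `resolve` and stream the returned file.

```java
import java.nio.file.Path;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical token store (Java 16+); the map stands in for the database. */
public class DownloadTokens {
    private record Entry(Path jar, Instant expires) {}
    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;
    public DownloadTokens(Duration ttl) { this.ttl = ttl; }

    /** Step 1: issue an unguessable token bound to one .jar and an expiry time. */
    public String issue(Path jar, Instant now) {
        byte[] raw = new byte[16];                  // 128 bits of randomness
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(jar, now.plus(ttl)));
        return token;
    }

    /** Step 3: the path comes from the server-side record, never from the request. */
    public Optional<Path> resolve(String token, Instant now) {
        Entry e = token == null ? null : tokens.get(token);
        if (e == null) return Optional.empty();     // unknown or already consumed
        if (!now.isBefore(e.expires())) {           // expired: purge and refuse
            tokens.remove(token);
            return Optional.empty();
        }
        return Optional.of(e.jar());
    }

    /** Step 4: on Install-Notify, consume the token so the link stops working. */
    public boolean consume(String token) { return tokens.remove(token) != null; }

    public static void main(String[] args) {
        DownloadTokens store = new DownloadTokens(Duration.ofMinutes(5));
        Instant t0 = Instant.parse("2004-06-30T12:00:00Z");   // constructed clock value
        String id = store.issue(Path.of("repos/MadMixer.jar"), t0);
        System.out.println("link: /downloadservlet?id=" + id);
        System.out.println("valid after 1 min:  " + store.resolve(id, t0.plusSeconds(60)).isPresent());
        System.out.println("valid after 6 min:  " + store.resolve(id, t0.plusSeconds(360)).isPresent());
        System.out.println("guessed token:      " + store.resolve("guess", t0).isPresent());
    }
}
```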
Punit Raizada
Ranch Hand

Joined: Mar 20, 2004
Posts: 156
That's a nice way. ...and yup .. it can either be WML or HTML ..
[ June 30, 2004: Message edited by: Punit Raizada ]
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
Actually, the solution is still missing a way to prevent someone from using a web browser to download the .jar file... The unique token should only be generated for requests that we know are coming from a legit user. One way would be to validate that the request is coming through an IP address we know belongs to a mobile operator's WAP gateway.
manoj pillai
Ranch Hand

Joined: Sep 16, 2002
Posts: 41
You could restrict the jar access based on the User-Agent HTTP header field. Not a 100% reliable solution, as the User-Agent field could be set programmatically (or using some request filters etc.) in the request, but it should be sufficient to prevent most casual web users from downloading the jar.


SCJP,SCJD,SCEA,SCMAD,SCDJWS,SCJP5.0
Ould Nadif
Ranch Hand

Joined: Jan 21, 2004
Posts: 184
Thanks all for your help,

I have good news and bad news about protecting my .jar:

I'll start with the good news:
If I test HTTP_USER_AGENT, I can tell the difference between a WAP browser and a PC browser. So if my script detects that it is not a WAP browser, I do not display my .wml page, and so the path of my .jad does not appear.

Now, the bad news:
Even if I download my .jar from a WAP browser, once I have installed my MIDlet there is always a possibility of distributing my .jar from my device by Bluetooth or other means.

In these conditions, how can I protect my MIDlet?

OULD NADIF
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
Originally posted by OULD NADIF:
Even if I download my .jar from a WAP browser, once I have installed my MIDlet there is always a possibility of distributing my .jar from my device by Bluetooth or other means.

In these conditions, how can I protect my MIDlet?

Most devices don't let you transfer applications to other devices, I believe. (I may be blatantly wrong, of course)
Ould Nadif
Ranch Hand

Joined: Jan 21, 2004
Posts: 184
Thanks for your help,

Yes you are right.

But on all the Series 60 phones it is possible (Nokia (N-Gage, 3650), Siemens (SX1), etc.): I did the test. I could send my MIDlet from my mobile to another by Bluetooth or mail.

I have to solve the problem. I shall study it and find at least how to protect my algorithm.

OULD NADIF
Punit Raizada
Ranch Hand

Joined: Mar 20, 2004
Posts: 156
hmmm...

just wondering ... when u transfer a jar file from one phone to another ... does the Jad get transferred too ???

i think not .. but can u confirm OULD....


Thanks
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
    
Originally posted by OULD NADIF:
But on all the Series 60 phones it is possible (Nokia (N-Gage, 3650), Siemens (SX1), etc.): I did the test. I could send my MIDlet from my mobile to another by Bluetooth or mail.

Oh, ok then.
Sam Hendley
Greenhorn

Joined: May 27, 2004
Posts: 5
Anyone who will invest enough effort to try to get the jar onto their PC from their cell phone can just as easily send a bullshit HTTP request that apes what would come from a cell phone. I could post a Python script that I put together in a few minutes for www.trytohack.nl that could be modified to do this without any problems. Not that you shouldn't set this up to deter the casual thief, but it is really not all that secure.
Anonymous
Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
Hi

Try to use an obfuscator if you want to protect your algorithm; it will make it harder to reverse engineer your code.

It will also reduce the size of your .jar file.

BR Jan
James Reilly
wrangler
Ranch Hand

Joined: Oct 01, 2003
Posts: 30
I didn't see any mention of using e.g. HTTP Basic Authentication for the directory (and files) where the .jad and .jar are kept on the web server. This is normally very straightforward to configure on e.g. a per-user basis with Apache, Tomcat, etc. Depending on one's needs, that might give some minimal protection. Also the web server can be configured so that timestamped log files show who is accessing (or who attempts to access) a directory.

This ought to work with both HTML and WML browsers (at least all such phone and PC browsers that I've ever tried). The ease of typing in the username + password on a phone's browser might be an issue for some usernames or passwords, esp. if they are long.

br,
j
[ July 02, 2004: Message edited by: James Reilly ]
Ould Nadif
Ranch Hand

Joined: Jan 21, 2004
Posts: 184
just wondering ... when u transfer a jar file from one phone to another ... does the Jad get transferred too ???:

YES, I could send both the .jar and the .jad separately from my mobile to another mobile or PC.

OULD NADIF
Ould Nadif
Ranch Hand

Joined: Jan 21, 2004
Posts: 184
Originally posted by Jan Søgaard:
Hi

Try to use an obfuscator if you want to protect your algorithm; it will make it harder to reverse engineer your code.

It will also reduce the size of your .jar file.

BR Jan


I thought about using an obfuscator. I noticed that it also greatly reduces the size of my .jar, which is a good thing.
But when I use both an external API (kXML2.zip) to parse my XML document and the obfuscator, my XML parsing doesn't work.

OULD NADIF
Anonymous
Ranch Hand

Joined: Nov 22, 2008
Posts: 18944
Hi.

It is important to run the obfuscator before you preverify your code.

Here is an article about it, using Ant. (I'm not the author of that article ;o) It explains how to unpack the jar file after running the obfuscator in order to run the preverification.

http://www.webpronews.com/it/applicationdevelopment/wpn-19-20030611J2MEUsingAntwithJ2ME.html

Hope this helps.

Jan
Johann Evans
Ranch Hand

Joined: Nov 18, 2002
Posts: 47
I don't think there is any secure way to protect your IP - since byte code is completely reversible, even if obfuscated, and obfuscated byte code only needs a bit of work and things become clear again.

What I would however suggest is offloading your sensitive IP to a server (since you are making use of a networked device) and access this by means of service requests and result responses - if you can afford the network comms (which are usually very small) or if the security measure requires such an extent.
 