MIDlet Signing and restricted APIs

The Free Press J2ME app I'm writing accesses two resources of the phone that require heightened security permissions: the camera, and HTTP connections. MIDP 2.0 has a security architecture that only loosely describes what implementors of MIDP (that is, each phone manufacturer) must do to fulfill it: every installed MIDlet suite is placed in a protection domain (an unsigned suite lands in the untrusted domain), and each sensitive API is guarded by a named permission that the domain either grants, denies, or refers to the user. The basic idea is that the phone should prompt the user before allowing an application to access things that might be security risks, like photos that might include sensitive information, or data connections that might cost the user money.

But how does this prompting work? Is the user prompted once per access of the secure resource, once per session, or once and then remembered? The specification names these interaction modes (oneshot, session and blanket) but leaves the choice of which mode applies to which permission, and in which domain, to the phone manufacturer. The specification is "deliberately vague", according to Jonathan Knudsen, author of the previously linked article, as well as several books on J2ME. For example, on the Nokia N82 the user is prompted for every snapshot taken by the camera, but only for the first HTTP connection in a session. I guess the assumption the Nokia designers made was that an application will tend to require many HTTP connections in a session, but only occasionally snap a picture. By contrast, the WTK emulator prompts only once per session for the camera.

But what about applications that need to access secure features frequently? For example, TrekBuddy, a GPS logging application, requires frequent access to the filesystem and GPS functions of the phones on which it runs. If the phone designers chose to make each of these accesses prompt the user, the application would be unreasonable to use: "very very very uncomfortable and may piss you off to death"[1]. The MIDP 2.0 specification's blanket mode is the way for permissions to become "sticky", so that the user's answer is remembered across sessions. But for a phone to offer that mode, the application must be placed in a trusted protection domain, which means it must be signed.
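Here is how the two prompts meet the code, as an added example that is not the Free Press app's own source (this post does not include any). It assumes a hypothetical upload URL and shows the MIDP 2.0 `MIDlet.checkPermission()` pre-check plus the `SecurityException` path that an unsigned MIDlet must handle when the user answers "No" at either prompt:

```java
import java.io.IOException;
import java.io.OutputStream;

import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.lcdui.Alert;
import javax.microedition.lcdui.AlertType;
import javax.microedition.lcdui.Display;
import javax.microedition.media.Manager;
import javax.microedition.media.MediaException;
import javax.microedition.media.Player;
import javax.microedition.media.control.VideoControl;
import javax.microedition.midlet.MIDlet;

public class SnapshotUploadMIDlet extends MIDlet {

    // Permission names as defined by the Mobile Media API (JSR 135) and MIDP 2.0 (JSR 118).
    static final String PERM_SNAPSHOT =
        "javax.microedition.media.control.VideoControl.getSnapshot";
    static final String PERM_HTTP = "javax.microedition.io.Connector.http";

    // Hypothetical upload endpoint: a placeholder, not from the original post.
    static final String UPLOAD_URL = "http://example.invalid/upload";

    protected void startApp() {
        // MIDlet.checkPermission(): 1 = allowed, 0 = denied outright,
        // -1 = unknown (the phone will ask the user when the API is actually called).
        if (checkPermission(PERM_SNAPSHOT) == 0 || checkPermission(PERM_HTTP) == 0) {
            show("This phone's policy forbids camera or HTTP for this application.");
            return;
        }
        try {
            byte[] jpeg = takeSnapshot();   // may prompt: allow the app to take a picture?
            int status = upload(jpeg);      // may prompt: allow the app to use the network?
            show(status == HttpConnection.HTTP_OK ? "Uploaded." : "Server replied " + status);
        } catch (SecurityException e) {
            // The user answered "No" at a prompt, or the domain denied the permission.
            // Treat this as a normal outcome, not as a crash.
            show("Permission refused; nothing was captured or sent.");
        } catch (MediaException e) {
            show("Camera error: " + e.getMessage());
        } catch (IOException e) {
            show("Network error: " + e.getMessage());
        }
    }

    // Captures one frame. The getSnapshot() call is the point at which an
    // unsigned MIDlet is prompted (every time, on the N82 described above).
    byte[] takeSnapshot() throws IOException, MediaException {
        Player p = Manager.createPlayer("capture://video");
        try {
            p.realize();
            VideoControl vc = (VideoControl) p.getControl("VideoControl");
            if (vc == null) {
                throw new MediaException("no VideoControl on this device");
            }
            vc.initDisplayMode(VideoControl.USE_GUI_PRIMITIVE, null);
            p.start();
            return vc.getSnapshot(null);    // null = device default image encoding
        } finally {
            p.close();                      // release the camera even if the user refused
        }
    }

    // POSTs the image. Connector.open(), or the first real I/O on the connection
    // (it varies by phone), is where the HTTP prompt appears.
    int upload(byte[] body) throws IOException {
        HttpConnection c = (HttpConnection) Connector.open(UPLOAD_URL, Connector.READ_WRITE);
        OutputStream out = null;
        try {
            c.setRequestMethod(HttpConnection.POST);
            c.setRequestProperty("Content-Type", "image/jpeg");
            c.setRequestProperty("Content-Length", Integer.toString(body.length));
            out = c.openOutputStream();
            out.write(body);
            out.flush();
            return c.getResponseCode();
        } finally {
            if (out != null) out.close();
            c.close();
        }
    }

    private void show(String msg) {
        Alert a = new Alert("Free Press", msg, null, AlertType.INFO);
        a.setTimeout(Alert.FOREVER);
        Display.getDisplay(this).setCurrent(a);
    }

    protected void pauseApp() { }

    protected void destroyApp(boolean unconditional) { }
}
```

Two caveats a practitioner would want: a refusal surfaces as an unchecked `SecurityException` from the guarded call itself, so the catch has to wrap the whole capture-and-upload path rather than one line; and `Connector.http` sends the photo in the clear, while `https` is guarded by a separate permission (`javax.microedition.io.Connector.https`), which unsigned MIDlets must also request.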

Here is an excellent and thorough article that describes the process of signing, as well as the numerous problems it creates. In short, like so many other features of J2ME (including the whole Mobile Media API, any sort of filesystem access, and other implementation details), signing is device-specific. A signature is only worth anything if it chains to a root certificate the phone already trusts, and some devices ship with some code-signing certificate authorities, some ship with others, some allow you to add additional certificates, and some don't. So if you wish your signed application to run on many different devices, you must sign it with enough separate authorities to cover each device. Each certificate costs something on the order of $200 per year. This is an unfortunately high and potentially blocking cost.
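For reference, this is what signing actually adds to an application descriptor, as an added example with placeholder values (not the real Free Press JAD; the MIDlet class name, vendor and sizes are made up). The permission names are the ones MIDP 2.0 and the Mobile Media API define; `MIDlet-Jar-RSA-SHA1` carries the base64 of a PKCS#1 v1.5 RSA signature over the SHA-1 hash of the JAR, and each `MIDlet-Certificate-1-n` carries the base64 DER of one certificate in the chain, starting with the signer:

```properties
MIDlet-Name: FreePress
MIDlet-Vendor: Example Vendor (placeholder)
MIDlet-Version: 0.1.0
MIDlet-1: FreePress, /icon.png, FreePressMIDlet
MIDlet-Jar-URL: FreePress.jar
MIDlet-Jar-Size: 24680
MicroEdition-Configuration: CLDC-1.1
MicroEdition-Profile: MIDP-2.0
MIDlet-Permissions-Opt: javax.microedition.media.control.VideoControl.getSnapshot, javax.microedition.io.Connector.http
MIDlet-Certificate-1-1: <base64 DER of the signing certificate>
MIDlet-Certificate-1-2: <base64 DER of the issuing CA certificate, if the phone lacks it>
MIDlet-Jar-RSA-SHA1: <base64 RSA/SHA-1 signature over FreePress.jar>
```

The unsigned variant is the same file without the last three attributes. On install, a phone that holds a matching root validates the chain, hashes the JAR and checks the signature, and only then places the suite in a trusted domain; a phone without that root treats the suite as untrusted, which is exactly the per-device problem described above. Two details worth knowing: permissions listed under `MIDlet-Permissions` (rather than `-Opt`) are declared critical, and an installer may refuse the suite outright (OTA status 910, "Application authorization failure") if its domain cannot grant one of them, so an unsigned suite that can degrade gracefully should list them as optional; and for a trusted suite the attributes in the JAD and in the JAR manifest must agree, since the signature covers only the JAR.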

So in the context of the Free Press application, we will not be signing the MIDlet: it is not worth the cost at this stage of development. This means that users will just have to click through the permission box for every photo and at least the first upload of each session, which fortunately is only about as onerous as using Vista.