views: 1680

answers: 3

I've just discovered J2ME and I love the possibilities that it presents. I'm currently working on a simple application and I'd like to maybe release it as an open-source project sometime in the future.

As part of my research into J2ME and mobile devices, I looked into applet signing. It seems that people who want to create applets for free are caught between a rock and an awful shite-place. Applet signing is extremely expensive and extremely convoluted - and the expense can't be justified when coding for free.

There are a huge number of J2ME compatible devices out there - I think it would be a shame to have to ignore them, and just wait patiently for the next wave (e.g. Android).

I was wondering if other people have any ideas about ways to approach this problem?

UPDATE: I found this blog article which summarises the problem for those interested... http://javablog.co.uk/2007/08/09/how-midlet-signing-is-killing-j2me/

I thought about setting up a non-profit umbrella organisation for open-source J2ME developers who want a VeriSign certificate (as a certificate can sign code an unlimited amount of times). I would aim to raise the $500 and then enable group members to share the purchased certificate. Had a quick chat to a VeriSign rep and they thought the idea could work (as long as the organisation was registered as a legal entity).

However, since handset manufacturers now seem to be moving to support only UTI root certificates (which you can only get through the 'Java verified' programme), this might not be as useful as I thought it could be... If anyone has any ideas, it would be great to hear them.

+1  A: 
  • You can create a signing certificate that you self-sign. Your users have to be willing to trust you.
  • You can instruct your users how to create a cert and self-sign with it. Then the users have to be able to trust themselves.
  • There are more or less open CAs; you have to be willing to trust them and convince your users to trust them.

The Java Tutorial has a section on signed applets that will lead you through the steps.

Charlie Martin
Thanks, but will this work for mobile devices? For instance, I have a Nokia 6300 which is authorised to only accept certificates from a handful of authorities which have been preselected by Nokia. Motorola and SE have their own list.
codeinthehole
I don't know offhand. If you can't tell it to accept other certs, then you're probably screwed.
Charlie Martin
I think it's a case of pay through the nose or feck-off :( I'll just have to get my users to say yes to the auth. requests and try to limit access to secure APIs (or plan access intelligently).
codeinthehole
Nokia phones now only accept built-in certificates. You can't install your own, not even for testing. This means that even a developer can't do away with the security warnings. That is what I call developer-unfriendly!
kgiannakakis
A: 

I'm a J2ME application developer and I totally agree with your post. The costs for signing a MIDlet are simply unaffordable for open source initiatives, and unless you're developing simple games, you'll sooner or later end up using restricted APIs to access sockets or the Location API, just to name two of them. This is very frustrating, and if you consider that the permission policies are not always treated the same on various devices, things get worse: on some mobile phones you can tell the OS to trust the entire MIDlet and never bother you at all, while others continue to ask you for permission every time you call a restricted method. It's tragic! I really appreciate your proposal and I think it would be a great achievement for JavaME developers.

Stefano Driussi
+2  A: 

I am afraid that you are fighting a battle that you can't win. Using the restricted APIs is getting harder and harder and this is not accidental. As you've read in the blog entry you've mentioned, the biggest problem is the network operators. Even if you buy a certificate from VeriSign or Thawte (which is, by the way, cheaper), your application won't run on network-operator-branded phones, since these have their own CA rules.

At first it was possible for a developer to install his/her own certificate, but even this is now not possible. This strict rule is mandated by the phone manufacturers (Nokia for example) and applies to all phones (even non-branded ones). I believe that this too is not accidental and is mainly because of pressure put on device manufacturers by the network operators.

Finally, although MIDP 3.0 has been announced for years, nothing has really come out of it. It seems that even Sun believe that J2ME is only for games.

All of these have been extensively discussed in J2ME forums for a long time. The general consensus is that the network operators do not want to have every phone available in the market operate as a smart phone and be able to run a third-party application. Then it will be very easy for everyone to use a cheaper, web-based alternative instead of SMS messaging, for example. This may sound like a conspiracy theory if you are new to the J2ME world, but keep in mind that network operators sell phones with their own firmware that lock even basic functionalities (e.g. transferring photos via Bluetooth or using MP3s as ringtones) to force the owner to use paid services!

I don't know if this is going to change now that smart phones (iPhone, Android, Windows Mobile) are gaining momentum. Keep in mind that restrictions also apply to these platforms (notably Symbian, which is also very unfriendly for open source).

kgiannakakis
That does make sense. I remember network operators spent a huge amount of money on 3G licenses in the UK - I guess they need to get a return on their investment... and cheap SMS / VoIP and communications technologies are limiting this potential. Still - they must have seen this day coming...
codeinthehole
I think it has more to do with operators being greedy and not their investment in 3G. It is amazing how much operators gain from SMSs, which have no guaranteed delivery and are sent when the network is idle. Anyway, I believe operators are on the way out. Wi-Fi, WiMax or something else is coming.
kgiannakakis