
Cingular Java security policy cripples applications


  1. #1
    Battery mgmt is my life SteveW's Avatar
    Join Date
    Oct 2002
    Location
    Cambridge, MA
    Posts
    2,095
    Phone(s)
    T-Mo G2, LG CU500
    Prev: T-Mo G1, BB 8830
    BB 8703e, Nokia 6200
    Siem. S46, Erics. R280LX
    Provider(s)
    T-Mobile
    Devices
    Various once-cherished Palm OS: IIIxe, Vx, T2
    Likes
    56

    Cingular Java security policy cripples applications

    I've complained about this in my various threads on the LG CU500, but I thought I'd share some excerpts from a discussion on the Cingular Developer's forum.

    The full thread is here.

    Bottom line: Google Maps, Opera Mini and similar net-based applications don't work properly on at least some Cingular phones due to Cingular security settings. Cingular employees will not come straight out and admit this, but it is pretty clear given their responses and the documentation they provide.

    Here's my first message and the Cingular response:

    -----Original Message-----
    From: SteveW
    Sent: Friday, September 22, 2006 6:31 PM
    To: (*)Developer Program
    Subject: Data Developer Site - Contact Us

    TOPIC: other
    QUESTION: I am a Java developer and I am having trouble running Java
    applications on the LG CU500. Google Maps is a good example. It asks
    for permission every time it accesses the network, which of course makes
    it unusable.

    I have had extensive contacts with LG Support about this. They are
    adamant that this is not a handset issue. It is a Java configuration
    decision by Cingular, based on your Java security policy. Cingular has
    mandated that "someone who using a network by an unsigned MIDlet should
    be shown the warning popup every time" according to LG. LG says that
    they are contractually prevented from modifying the Java configuration
    file.

    However, posters on Howardforums.com claim to have worked around this.
    It involves using an internal Qualcomm application (QPST) and editing
    the LGAPP\Media\Java\ams\permission file.

    I want to know if Cingular considers this a bug, or if you have
    intentionally crippled applications that use unsigned MIDlets.


    From: "(*)Developer Program"
    To: SteveW
    Subject: FW: Data Developer Site - Contact Us
    Date: Friday, October 06, 2006 7:14:35 PM

    Thank you for contacting devCentral....

    You need to purchase a Verisign or Thawte code signing certificate as
    detailed on our signing page, or go to Java Verified. Unsigned means
    Untrusted, and this application level should never be considered for
    production and only for demo or development purposes.

    Cingular does not support altering the Security policies on the device.

    The devCentral Team

    "Oh I used to be disgusted, now I try to be amused."
    -- Elvis Costello, Red Shoes

  2. #2
    Battery mgmt is my life
    Threadstarter
    SteveW's Avatar

    Re: Cingular Java security policy cripples applications

    Here's my subsequent reply and another response from Cingular. Note how I impersonate a Java developer. I thought this might get a more thoughtful reply.


    From: SteveW
    To: "(*)Developer Program"
    Subject: Java security settings on LG CU500
    Date: Friday, October 06, 2006 7:40:45 PM

    Thank you for your response, however this is not what I was asking. I
    understand that new applications I am building need to have a signing
    certificate. I am asking about common Web-based applications like Google
    Maps and Opera Mini.

    If applications like these don't function, users will return the phone.
    I don't want to spend time developing for a phone that no one will use.

    I am asking whether
    - The behavior I described is caused by Java security settings
    - These Java security settings were created by Cingular, not LG
    - This is intentional and dictated by Cingular policy, not a bug

    It sounds like you are saying that the answers to all of the above are "Yes".
    Please clarify.

    Thank you,
    Steve

    ----------------------------

    premz
    Moderator


    Posts: 36
    Registered: 08-16-2005
    Reply 7 of 11

    The majority of these issues are detailed within our signing section on DevCentral.

    https://developer.cingular.com/devel.../signing.jhtml

    We use the standard domains as detailed with Java ME midp 2.0 specifications for setting our Java Security Policies. Because mobile devices face many of the same issues as desktop PCs, namely those that would exploit Cingular customer data and accessibility, Cingular has needed to adopt a security policy to deal with these issues. Gone are the days of the good citizen developer who is creating applications merely to fulfil the needs of the user community. Because entities such as spammers have chosen to spoil the past freedom of development to attack, exploit, or impede the normal usage of Cingular customers, Cingular has to take these measures. This protection is meant to ensure that emergency services such as e-911 or Amber Alerts will function in the extreme situations it is warranted, and protect our data users from both network based attacks, and personal privacy attacks.

    To be honest with you, I can understand the problems with having to sign every application. That is why Cingular supports such groups as Java Verified and pushes OEMs to support Trusted Third Party Certificates that are widely available from both Verisign and Thawte. These certificates do allow the majority of applications these days to prompt one time per session for minor networking and messaging, allowing a fully featured application to be produced for most devices.

    Cingular also supports both Beyond Media Net program for vending consumer applications and Enterprise Program to test and certify applications for our business community http://developer.cingular.com/developer/testing/



  3. #3
    Battery mgmt is my life
    Threadstarter
    SteveW's Avatar

    Re: Cingular Java security policy cripples applications

    I wasn't getting a straight answer so I tried one more time. This time another user, not a Cingular employee, answered.

    stevew
    Contributor


    Posts: 10
    Registered: 09-22-2006
    Reply 8 of 11

    premz wrote:

    The majority of these issues are detailed within our signing section on DevCentral.

    https://developer.cingular.com/devel.../signing.jhtml


    We use the standard domains as detailed with Java ME midp 2.0 specifications for setting our Java Security Policies....

    Sorry, but this is an inadequate response from Cingular. It does not answer the questions I asked above. I described the situation where I am using Google Maps on my Cingular-branded LG CU500. The application presents a dialog that says:

    Data Network (HTTP(S),TCP)
    o Yes, Always Ask
    o No, Never Grant

    Questions:
    - Is this behavior caused by Java security settings?
    - Were these Java security settings created by Cingular, and not LG?
    - Is this intentional and dictated by Cingular policy, not a bug?

    From the article you referenced, I believe the answers to the above are yes, but I want someone from Cingular to say this directly.

    Regardless of Cingular policy, important applications like Google Maps and Opera Mini are currently unusable on Cingular devices due to this dialog. Users cannot fix this. However, on LG phones this can be fixed via a modification to the file LGAPP\Media\Java\ams\permission

    Final question: Will Cingular provide a supported permission file that allows Google Maps and Opera Mini to run without modification?

    Thank you,
    SteveW

    -----------------------------

    kevin562
    Contributor


    Posts: 3
    Registered: 11-08-2006
    Reply 9 of 11

    I do not work for Cingular nor do I have any affiliation with them, but here is your answer.

    The Java VM for mobile phones was specifically designed to run in a "sandbox", meaning by default no application is allowed to access anything outside of the Java API. Obviously this limits some applications' usefulness, so there are APIs that allow developers to leave the "sandbox", such as network access. However, since this is potentially dangerous, Cingular makes the developer sign applications before being allowed to leave the "sandbox". This is Cingular's acknowledgement that the application is "safe" for the user, for the phone, for everyone. You may think it's stupid, but it is not up to the user to decide what they trust, because you have to assume that the user doesn't know better. So in order for Google Maps to run properly, Google must sign their application. There is nothing you, the user, can do. So you should complain to Google. To answer your questions.

    "Is this behavior caused by Java security settings?"
    Yes

    "Were these Java security settings created by Cingular, and not LG?"
    Yes.

    "Is this intentional and dictated by Cingular policy, not a bug?"
    This is not a bug; it is very intentional.

    "Will Cingular provide a supported permission file that allows Google Maps and Opera Mini to run without modification?"
    No, that is up to Google; it's their application.

    -------------------------------------

    stevew
    Contributor


    Posts: 10
    Registered: 09-22-2006
    Reply 10 of 11

    kevin562 wrote:
    I do not work for Cingular nor do I have any affiliation with them, but here is your answer.

    The Java VM for mobile phones was specifically designed to run in a "sandbox", meaning by default no application is allowed to access anything outside of the Java API. Obviously this limits some applications' usefulness, so there are APIs that allow developers to leave the "sandbox", such as network access. However, since this is potentially dangerous, Cingular makes the developer sign applications before being allowed to leave the "sandbox". This is Cingular's acknowledgement that the application is "safe" for the user, for the phone, for everyone. You may think it's stupid, but it is not up to the user to decide what they trust, because you have to assume that the user doesn't know better. So in order for Google Maps to run properly, Google must sign their application. There is nothing you, the user, can do.

    Thank you for your response, that's very helpful. However, as I understand it, your last sentence above is not technically true. Posters on howardforums have detailed how to edit the Java permissions file on the phone and have claimed success. I have not tried this myself.

    kevin562 wrote:
    So you should complain to Google.

    And what if Google does not care to be registered in Cingular's application approval process? Plenty of other services/devices do not have this restriction. I (and more importantly my users) could just choose another wireless carrier.


    kevin562 wrote:
    To answer your questions.

    "Is this behavior caused by Java security settings?"
    Yes

    "Were these Java security settings created by Cingular, and not LG?"
    Yes.

    "Is this intentional and dictated by Cingular policy, not a bug?"
    This is not a bug; it is very intentional.

    "Will Cingular provide a supported permission file that allows Google Maps and Opera Mini to run without modification?"
    No, that is up to Google; it's their application.

    Again thank you for your response. You sound like you know what you are talking about. However, I had already guessed as much, and part of my point is that I want someone from Cingular to confirm this. One reason for my insistence is to try to cut through the continual finger pointing between Cingular and phone manufacturers regarding who is responsible for various kinds of phone issues. Most "technical support" people you talk to at Cingular or LG don't even know what a JVM is, much less how company policy is implemented through technology.

    It is very disappointing that on the Cingular-sponsored board set up for developers to get answers, no Cingular employee will comment on this matter.


    SW
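The prompting behaviour argued over in this thread, as an added Python model that is not part of any post and is not Cingular's or LG's code. The interaction modes (oneshot, session, blanket) and the HTTP permission name come from MIDP 2.0; the policy table, the domain labels and all function names are constructed assumptions that mirror what the posters report.

```python
# Interaction modes defined by MIDP 2.0 for user-confirmed permissions.
ONESHOT, SESSION, BLANKET = "oneshot", "session", "blanket"
HTTP = "javax.microedition.io.Connector.http"  # MIDP 2.0 permission name

# Constructed policy table (assumption): mirrors the behaviour reported in the
# thread, not the contents of any carrier's real policy file.
POLICY = {
    "untrusted":   {HTTP: ONESHOT},  # unsigned suite: ask on every use
    "third_party": {HTTP: SESSION},  # signed under a trusted CA: ask once per run
}


def domain_for(signed_by_trusted_ca: bool) -> str:
    """'Unsigned means Untrusted'; a suite signed under a trusted root is third_party."""
    return "third_party" if signed_by_trusted_ca else "untrusted"


class Suite:
    """One installed MIDlet suite and the grants the user has already given it."""

    def __init__(self, domain: str):
        self.policy = POLICY[domain]
        self.blanket_grants = set()  # survive restarts of the suite
        self.session_grants = set()  # cleared every time the suite starts
        self.prompts = 0

    def start_session(self) -> None:
        self.session_grants.clear()

    def request(self, permission: str, user_says_yes: bool = True) -> bool:
        """Return True if the call may proceed, prompting when the mode requires it."""
        mode = self.policy.get(permission)
        if mode is None:
            return False  # permission absent from the domain: denied, no dialog
        if permission in self.blanket_grants or permission in self.session_grants:
            return True
        self.prompts += 1
        if user_says_yes and mode == SESSION:
            self.session_grants.add(permission)
        elif user_says_yes and mode == BLANKET:
            self.blanket_grants.add(permission)
        return user_says_yes  # oneshot: the answer is never remembered


def prompts_for(signed_by_trusted_ca: bool, sessions: int, fetches: int) -> int:
    """Count dialogs for an app making `fetches` HTTP requests in each session."""
    suite = Suite(domain_for(signed_by_trusted_ca))
    for _ in range(sessions):
        suite.start_session()
        for _ in range(fetches):
            suite.request(HTTP)
    return suite.prompts
```

With 40 map-tile fetches in each of two sessions, the unsigned suite produces 80 dialogs and the signed one produces 2, which is the usability gap the thread describes.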
