Cingular Java security policy cripples applications

Discussion in 'AT&T Wireless Forum' started by SteveW, Nov 9, 2006.

  1. SteveW

    SteveW Battery mgmt is my life Senior Member

    Joined:
    Oct 27, 2002
    Messages:
    2,095
    Likes Received:
    53
    Location:
    Cambridge, MA
    My Phone:
    T-Mo G2, LG CU500
    Wireless Provider(s):
    T-Mobile
    I've complained about this in my various threads on the LG CU500, but I thought I'd share some excerpts from a discussion on the Cingular Developer's forum.

    The full thread is here.

    Bottom line: Google Maps, Opera Mini and similar net-based applications don't work properly on at least some Cingular phones due to Cingular security settings. Cingular employees will not come straight out and admit this, but it is pretty clear given their responses and the documentation they provide.

    Here's my first message and the Cingular response:

    -----Original Message-----
    From: SteveW
    Sent: Friday, September 22, 2006 6:31 PM
    To: (*)Developer Program
    Subject: Data Developer Site - Contact Us

    TOPIC: other
    QUESTION: I am a Java developer and I am having trouble running Java
    applications on the LG CU500. Google Maps is a good example. It asks
    for permission every time it accesses the network, which of course makes
    it unusable.

    I have had extensive contacts with LG Support about this. They are
    adamant that this is not a handset issue. It is a Java configuration
    decision by Cingular, based on your Java security policy. Cingular has
    mandated that "someone who using a network by an unsigned MIDlet should
    be shown the warning popup every time" according to LG. LG says that
    they are contractually prevented from modifying the Java configuration
    file.

    However, posters on Howardforums.com claim to have worked around this.
    It involves using an internal Qualcomm application (QPST) and editing
    the LGAPP\Media\Java\ams\permission file.

    I want to know if Cingular considers this a bug, or if you have
    intentionally crippled applications that use unsigned MIDlets.


    From: "(*)Developer Program"
    To: SteveW
    Subject: FW: Data Developer Site - Contact Us
    Date: Friday, October 06, 2006 7:14:35 PM

    Thank you for contacting devCentral....

    You need to purchase a Verisign or Thawte code signing certificate as
    detailed on our signing page, or go to Java Verified. Unsigned means
    Untrusted, and this application level should never be considered for
    production and only for demo or development purposes.

    Cingular does not support altering the Security policies on the device.

    The devCentral Team

  2. SteveW

    Here's my subsequent reply and another response from Cingular. Note how I impersonate a Java developer. I thought this might get a more thoughtful reply. :rolleyes:


    From: SteveW
    To: "(*)Developer Program"
    Subject: Java security settings on LG CU500
    Date: Friday, October 06, 2006 7:40:45 PM

    Thank you for your response, however this is not what I was asking. I
    understand that new applications I am building need to have a signing
    certificate. I am asking about common Web-based applications like Google
    Maps and Opera Mini.

    If applications like these don't function, users will return the phone.
    I don't want to spend time developing for a phone that no one will use.

    I am asking whether
    - The behavior I described is caused by Java security settings
    - These Java security settings were created by Cingular, not LG
    - This is intentional and dictated by Cingular policy, not a bug

    It sounds like you are saying that the answers to all of the above are "Yes".
    Please clarify.

    Thank you,
    Steve

    ----------------------------

    premz
    Moderator


    Posts: 36
    Registered: 08-16-2005
    Reply 7 of 11

    The majority of these issues are detailed within our signing section on DevCentral.

    https://developer.cingular.com/developer/technologies/java/signing.jhtml

    We use the standard domains as detailed with Java ME MIDP 2.0 specifications for setting our Java Security Policies. Because mobile devices face many of the same issues as desktop PCs, namely those that would exploit Cingular customer data and accessibility, Cingular has needed to adopt a security policy to deal with these issues. Gone are the days of the good citizen developer who is creating applications merely to fulfil the needs of the user community. Because entities such as spammers have chosen to spoil the past freedom of development to attack, exploit, or impede the normal usage of Cingular customers, Cingular has to take these measures. This protection is meant to ensure that emergency services such as e-911 or Amber Alerts will function in the extreme situations it is warranted, and protect our data users from both network based attacks, and personal privacy attacks.

    To be honest with you, I can understand the problems with having to sign every application. That is why Cingular supports such groups as Java Verified and pushes OEMs to support Trusted Third Party Certificates that are widely available from both Verisign and Thawte. These certificates do allow the majority of applications these days to prompt one time per session for minor networking and messaging, allowing a fully featured application to be produced for most devices.

    Cingular also supports both Beyond Media Net program for vending consumer applications and Enterprise Program to test and certify applications for our business community http://developer.cingular.com/developer/testing/


  3. SteveW

    I wasn't getting a straight answer so I tried one more time. This time another user, not a Cingular employee, answered.

    stevew
    Contributor


    Posts: 10
    Registered: 09-22-2006
    Reply 8 of 11

    premz wrote:


    Sorry, but this is an inadequate response from Cingular. It does not answer the questions I asked above. I described the situation where I am using Google Maps on my Cingular-branded LG CU500. The application presents a dialog that says:

    Data Network (HTTP(S),TCP)
    o Yes, Always Ask
    o No, Never Grant

    Questions:
    - Is this behavior caused by Java security settings?
    - Were these Java security settings created by Cingular, and not LG?
    - Is this intentional and dictated by Cingular policy, not a bug?

    From the article you referenced, I believe the answers to the above are yes, but I want someone from Cingular to say this directly.

    Regardless of Cingular policy, important applications like Google Maps and Opera Mini are currently unusable on Cingular devices due to this dialog. Users cannot fix this. However, on LG phones this can be fixed via a modification to the file LGAPP\Media\Java\ams\permission

    Final question: Will Cingular provide a supported permission file that allows Google Maps and Opera Mini to run without modification?

    Thank you,
    SteveW

    -----------------------------

    kevin562
    Contributor


    Posts: 3
    Registered: 11-08-2006
    Reply 9 of 11

    I do not work for Cingular nor do I have any affiliation with them, but here is your answer.

    The Java VM for mobile phones was specifically designed to run in a "sandbox". Meaning by default no application is allowed to access anything outside of the Java API. Obviously this limits some applications' usefulness, so there are APIs that allow developers to leave the "sandbox", such as network access. However, since this is potentially dangerous, Cingular makes the developer sign applications before being allowed to leave the "sandbox". This is Cingular's acknowledgement that the application is "safe" for the user, for the phone, for everyone. You may think it's stupid, but it is not up to the user to decide what they trust, because you have to assume that the user doesn't know better. So in order for Google Maps to run properly, Google must sign their application. There is nothing you, the user, can do. So you should complain to Google. To answer your questions:

    "Is this behavior caused by Java security settings?"
    Yes

    "Were these Java security settings created by Cingular, and not LG?"
    Yes.

    "Is this intentional and dictated by Cingular policy, not a bug?"
    This is not a bug; it is very intentional.

    "Will Cingular provide a supported permission file that allows Google Maps and Opera Mini to run without modification?"
    No, that is up to Google; it's their application.

    -------------------------------------

    stevew
    Contributor


    Posts: 10
    Registered: 09-22-2006
    Reply 10 of 11


    Thank you for your response, that's very helpful. However, as I understand it, your last sentence above is not technically true. Posters on howardforums have detailed how to edit the Java permissions file on the phone and have claimed success. I have not tried this myself.


    And what if Google does not care to be registered in Cingular's application approval process? Plenty of other services/devices do not have this restriction. I (and more importantly my users) could just choose another wireless carrier.



    Again thank you for your response. You sound like you know what you are talking about. However, I had already guessed as much, and part of my point is that I want someone from Cingular to confirm this. One reason for my insistence is to try to cut through the continual finger pointing between Cingular and phone manufacturers regarding who is responsible for various kinds of phone issues. Most "technical support" people you talk to at Cingular or LG don't even know what a JVM is, much less how company policy is implemented through technology.

    It is very disappointing that on the Cingular-sponsored board set up for developers to get answers, no Cingular employee will comment on this matter.


    SW
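
Added example, not part of the thread and not Cingular's or LG's code: a small Python model of the MIDP 2.0 user-permission interaction modes (oneshot, session, blanket) behind the behaviour discussed above, showing why an unsigned MIDlet prompts on every network call while a signed one prompts once per run. The policy table, the domain and group names, and the `Suite` and `prompts_for` helpers are assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):
    """User-permission interaction modes defined by MIDP 2.0."""
    ONESHOT = "oneshot"   # ask on every protected API call
    SESSION = "session"   # ask once per run of the MIDlet suite
    BLANKET = "blanket"   # ask once, remembered until the suite is removed

# Constructed policy table modelled on the behaviour described in the thread;
# not Cingular's actual policy file. Domain and group names are assumptions.
POLICY = {
    "untrusted": {"net_access": Mode.ONESHOT},
    "trusted_third_party": {"net_access": Mode.SESSION},
}

def domain_for(signer):
    # An unsigned suite (signer is None) is bound to the untrusted domain.
    return "untrusted" if signer is None else "trusted_third_party"

class Suite:
    """What the application manager remembers for one installed suite."""
    def __init__(self, signer=None, policy=POLICY):
        self.modes = policy[domain_for(signer)]
        self.blanket = {}   # grants that survive across runs
        self.session = {}   # grants cleared on every start
        self.prompts = 0    # number of dialogs shown to the user

    def start(self):
        self.session = {}

    def check(self, group, user_says_yes=True):
        """Return True if the call may proceed, prompting when required."""
        mode = self.modes[group]
        store = {Mode.BLANKET: self.blanket, Mode.SESSION: self.session}.get(mode)
        if store is not None and store.get(group):
            return True                 # remembered grant, no dialog
        self.prompts += 1               # dialog shown
        if store is not None and user_says_yes:
            store[group] = True         # simplification: only grants are kept
        return user_says_yes

def prompts_for(signer, runs, requests_per_run):
    """Count dialogs for a client making repeated HTTP requests."""
    suite = Suite(signer)
    for _ in range(runs):
        suite.start()
        for _ in range(requests_per_run):
            suite.check("net_access")
    return suite.prompts
```

With two runs of ten requests each, `prompts_for(None, 2, 10)` counts a dialog per request, while a signed suite under the session mode is asked once per run.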