Questions on MIDP Security

Hi all,
I've a few questions on MIDP security to seek help:
1) Suppose I have a midlet to store confidential details on the mobile phone. If it doesn't make any connections to the internet, would anyone be able to retrieve the information I had on the RMS?
2) Again, assuming no internet connection is made by the midlet. Suppose I've a login screen that prompts for a password & uses MD5. Can anyone crack it?
3) Is it possible to retrieve the midlet from the mobile phone itself onto a desktop?
Thanks for the help!

Yes, it is possible to retrieve the data stored in RMS.
Just try it on a Nokia S60 phone:
1. download and install FExplorer (free file explorer)
2. go to: c:\system\midp\<vendor>\untrusted\<midlet name>\<?????> folder
3. select rms.db
4. choose options/send/SMS|MMS|e-mail|bluetooth|irda
Of course cracking is harder work...

Does this mean that I can follow your step 1 & go to whichever midlet that I'm interested in & send the JAR/JAD file via SMS/MMS/Email/Bluetooth/IRDA?
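
An added example (not from the original posts) for questions 1 and 2 above: since rms.db can be copied off the handset, whatever the login screen stores can be examined offline. It contrasts an unsalted MD5 record with a salted, iterated PBKDF2 record packed into one byte string, the shape an RMS record takes. The record layout, function names and iteration count are assumptions, and it is written in Python rather than Java ME so that it runs anywhere.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

# Assumed record layout (not a MIDP format): version | iterations | salt length,
# followed by the salt and the derived verifier, all in one byte string.
HEADER = struct.Struct(">BIB")
VERSION = 1
ITERATIONS = 100_000        # assumption; a handset needs a count tuned to its CPU
MAX_ITERATIONS = 1_000_000  # refuse absurd counts from a tampered record
MIN_SALT_LEN = 8
SALT_LEN = 16
KEY_LEN = 32


def md5_record(password: str) -> bytes:
    """What a bare-MD5 login screen would keep in the record store."""
    return hashlib.md5(password.encode("utf-8")).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build header | salt | PBKDF2-HMAC-SHA256 verifier for storage."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if not MIN_SALT_LEN <= len(salt) <= 255:
        raise ValueError("salt length out of range")
    verifier = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return HEADER.pack(VERSION, ITERATIONS, len(salt)) + salt + verifier


def check_password(record: bytes, candidate: str) -> bool:
    """Verify a login attempt; malformed or tampered records fail closed."""
    if len(record) < HEADER.size:
        return False
    version, iterations, salt_len = HEADER.unpack_from(record)
    body = record[HEADER.size:]
    if version != VERSION or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    if salt_len < MIN_SALT_LEN or len(body) != salt_len + KEY_LEN:
        return False
    salt, stored = body[:salt_len], body[salt_len:]
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, KEY_LEN)
    return hmac.compare_digest(derived, stored)  # constant-time comparison


def identical_record_groups(records: Dict[str, bytes]) -> List[List[str]]:
    """Audit helper: owners whose stored records are byte-for-byte equal.

    Equal records mean equal secrets, so work spent on one copied file
    carries over to every other file holding the same bytes.
    """
    by_value: Dict[bytes, List[str]] = {}
    for owner, record in records.items():
        by_value.setdefault(record, []).append(owner)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample: three handsets, two of which share a PIN.
    pins = {"handset-a": "1234", "handset-b": "1234", "handset-c": "4321"}
    unsalted = {name: md5_record(pin) for name, pin in pins.items()}
    salted = {name: make_record(pin) for name, pin in pins.items()}
    print("identical MD5 records:   ", identical_record_groups(unsalted))
    print("identical salted records:", identical_record_groups(salted))
    print("login still works:       ", check_password(salted["handset-a"], "1234"))
```

A salted verifier only slows guessing of the password; the confidential data itself stays readable in rms.db unless it is also encrypted under a key derived from that password.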

Similar Messages

  • Hi,all I have a permission question about midp's httpconnection class

    Connection conn=Connector.open("http://www.sina.com.cn");
    HttpConnection hc=(HttpConnection)conn;
    int len = (int)hc.getLength();
    byte[] b=new byte[len];
    hc.openInputStream().read(b);
    hc.close();
    g.drawString(new String(b),0,0,0);
    This is my code, in function startApp().
    The result of the execution is that the screen prompts me with a question:
    is it ok to use airtime?
    And the exception is:
    java.lang.SecurityException: Application not authorized to access the restricted API
         at com.sun.midp.security.SecurityToken.checkForPermission(+331)
         at com.sun.midp.security.SecurityToken.checkForPermission(+15)
         at com.sun.midp.midletsuite.MIDletSuiteImpl.checkForPermission(+20)
         at com.sun.midp.midletsuite.MIDletSuiteImpl.checkForPermission(+13)
         at com.sun.midp.io.ConnectionBaseAdapter.checkForPermission(+67)
         at com.sun.midp.io.j2me.http.Protocol.checkForPermission(+17)
         at com.sun.midp.io.ConnectionBaseAdapter.openPrim(+6)
         at javax.microedition.io.Connector.openPrim(+121)
         at javax.microedition.io.Connector.open(+15)
         at javax.microedition.io.Connector.open(+6)
         at javax.microedition.io.Connector.open(+5)
         at com.ipanel.j2me.test.TestCanvas.paint(+5)
         at javax.microedition.lcdui.Canvas.callPaint(+80)
         at javax.microedition.lcdui.Display.repaint(+77)
         at javax.microedition.lcdui.Display.registerNewCurrent(+237)
         at javax.microedition.lcdui.Display.access$400(+6)
         at javax.microedition.lcdui.Display$DisplayAccessor.foregroundNotify(+46)
         at javax.microedition.lcdui.Display$DisplayManagerImpl.notifyWantsForeground(+152)
         at javax.microedition.lcdui.Display$DisplayManagerImpl.access$100(+6)
         at javax.microedition.lcdui.Display.setCurrentImpl(+98)
         at javax.microedition.lcdui.Display.setCurrent(+29)
         at com.ipanel.j2me.test.Test.startApp(+16)
         at javax.microedition.midlet.MIDletProxy.startApp(+7)
         at com.sun.midp.midlet.Scheduler.schedule(+270)
         at com.sun.midp.main.CommandProcessor.run(+141)
         at com.sun.midp.main.CommandProcessor.dispatch(+49)
         at com.sun.midp.main.CommandProcessor.perform(+27)
         at com.sun.midp.main.Main.main(+171)
    I need help... thanks

    You need to add permissions for some APIs in the JAD file.
    Ex. Add the following line in the JAD (Java Archive Descriptor) of your application.
    MIDlet-Permissions-Opt: javax.microedition.io.Connector.http
    Multiple permissions are to be separated with commas.
    Onkar

  • HT5622 I want to change my security questions, but the security questions reset is on another email and I don't know the email... How can I put another email so I can reset it?

    I want to change my security questions, but the security questions reset is on another email and I don't know the email... How can I put another email so I can reset it? And I got money on it.

    If you don't have access to your rescue email account (you won't be able to change it until you can answer 2 of your questions) then you will need to contact iTunes Support or Apple : https://discussions.apple.com/docs/DOC-4551
    e.g. you can try contacting iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Account Management , and then try Apple ID Account Security
    or try ringing Apple in your country and ask to talk to the Accounts Security Team : http://support.apple.com/kb/HE57

  • I need to buy apps but it keeps asking for my security questions ;/ but I forgot the answers to my security questions and the security/rescue email too (I don't have a USA number to call). Please help me and send my reset to my email

    I need to buy apps but it keeps asking for my security questions ;/ but I forgot the answers to my security questions and the security/rescue email too (I don't have a USA number to call). Please help me and send my reset to my email

    You need to ask Apple to reset your security questions. To do this, click here and pick a method; if that page doesn't list one for your country or you're unable to call, fill out and submit this form.
    (115668)

  • HT5312 I want to buy apps but need the security questions. I forgot the security questions and I forgot the reset security info email address. What can I do? I know my ID and password

    I want to buy apps but need the security questions. I forgot the security questions and I forgot the reset security info email address. What can I do? I know my ID and password.
    I can't remember the questions or my reset security info email (address and password).
    What can I do? I want to buy apps but it needs to ask these questions.......

    Welcome to the Apple Community.
    Start here (change country if necessary) and navigate to 'Password and Security', reset your security questions using the link provided, you will receive an email to your rescue address, use the link in the email and reset your security questions.
    If that doesn't help, you don't receive a reset email or you don't have a rescue address, you should contact AppleCare who will initially try to assist you with a reset email or if unsuccessful will pass you to the security team to reset your security questions for you.
    If you are in a region that doesn't have international telephone support try contacting Apple through iTunes Store Support.

  • Several questions about Application Security

    Hello,
    I have several questions about Application Security and perhaps I need a few tips...
    I have a lot of users in a few groups which have access to my application! And the different groups should have only access to their pages.
    In my application I use trees to navigate through the application.
    So my idea is that i display different trees for the different user groups and restrict the user to access the URL....so the user can only see and contact "their" pages.
    I know how to create the logic behind the trees, but how can I create the restricted URL access...
    The "No URL Access" in the Session State Protection can not be used, because I use a lot of links in reports and HTML regions.
    Is there another way to solve that?
    But I am unsure if that is a "good" solution for my problem!
    What do you think about that?
    Am I going to do that too complicated?
    Could that be done by authentication or authorization?
    (By the way, I do not understand the differences between authentication and authorization. Can anyone help?)
    I would be glad for any reply!
    Thank you,
    Tim

    Hey Arie and Scott,
    thank you for your quick reply!
    Now I understand the context around authorization and authentication...
    I try the Access Control List and I think that is a very nice feature! Really good!
    But now I am wondering, how I can create more privileges?
    So that I have a few "end-user-roles" and then I can choose who have access to a page and who not!
    Does anybody know how to do that?
    Thank you,
    Tim

  • I forget security info question, i forget security info question

    i forget security info question, i forget security info question

    The Three Best Alternatives for Security Questions and Rescue Mail
        1. Use Apple's Express Lane.
           Go to https://expresslane.apple.com ; click 'See all products and services' at the
           bottom of the page. In the next page click 'More Products and Services', then
           'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
           ID security questions' and click 'Continue'. Please be patient waiting for the return
           phone call. It will come in time depending on how heavily the servers are being hit.
        2. Call Apple Support in your country: Customer Service: Contact Apple support.
        3. Rescue email address and how to reset Apple ID security questions.
    A substitute for using the security questions is to use 2-step verification:
    Two-step verification FAQ: Get answers to frequently asked questions about two-step verification for Apple ID.

  • Questions on user security etc

    Hello, we are getting ready to implement an SOA strategy within our company and have decided to use XI as the interface to SAP from any other system.  We have some (I have) questions on what some of the different approaches are for security. If anyone could help me with the following info (I have searched and searched and just not clear)
    So before reading the scenarios, here is the main thing I am trying to accomplish. Have webservices that take in a userID and password that is not stored in XI but on our LDAP server (like we have in the portal) and pass this to the back end, ensuring the user has rights to do the desired function in SAP. We want every user ID so we can track if someone creates a purchase request etc. (instead of setting up a system ID, for audit purposes). So with that background I have the following scenarios:
    Scenario 1: Have a single sign on like the portal, so the user signs on with their normal account and XI accepts and forwards the request (this would mainly be a webservice) (I have seen some single sign on documentation but am curious if it works in XI as it does in the portal)
    Scenario 2: Same as one, but use ADS/LDAP as our authentication engine.
    Scenario 3: Have userid put in, but no authentication is done on the front end but user is authenticated against the sap system and if allowed rfc/proxy is executed otherwise error message unauth is returned.
    Scenario 4: Is the propagate principle mainly just to ensure the user has all rights to run all calls within internal XI procedures and wouldn't really apply to just ensuring user has rights in the backend?
    I am sorry for the long question, I do reward points and I am just trying to get started on the right path with XI
    Cheers
    Devlin

    Hi,
    For your above concern, XI has provided the feature of Principal Propagation with SSO, i.e. Single Sign On.
    refer
    Principal Propagation in SAP XI
    /people/alexander.bundschuh/blog/2007/01/16/principal-propagation-in-sap-xi
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/808d3048-638c-2a10-35a6-faa48e50ad59
    /people/sap.user72/blog/2004/11/30/user-mapping-based-single-sign-on
    http://help.sap.com/saphelp_nw04/helpdata/en/32/1c1041a0f6f16fe10000000a1550b0/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/69d95112-0d01-0010-8297-fa31feea26e0
    also you could provide SSL Configuration across the firewall
    You need to setup SSL layer for HTTPS endpoint.
    Possible HTTP security levels are (in ascending order):
    HTTP without SSL
    HTTP with SSL (= HTTPS), but without client authentication
    HTTP with SSL (= HTTPS) and with client authentication
    HTTPS comes in two flavors, both ensuring the confidentiality of data sent over the network
    Thanks
    Swarup

  • Question about internet security...please help!

    Hi everyone,
    I have a question about the macbook's internet security.
    A few days ago I became aware that my sibling was using a laptop for internet use at my house which he got from a person that I do not trust. He is very computer-savvy and we're worried that he may have installed some form of spyware on that laptop and in turn, may have tried (or succeeded) in accessing my Macbook through some form of spyware. My house is hooked up with a D-Link wireless router, and at the time, it had no internet/access-password.
    So my question is, could this person have accessed my computer and personal information remotely by and through the laptop that my sibling got from him? I was under the impression that Macs have very strong firewalls, but I have also heard that as long as he knew what he was doing, he could have accessed my computer. I don't have a wireless "network" set up at my house, I just simply use the router for internet. But my sibling told me that this guy was his "network administrator" which leads me to believe that he must have had remote access to the laptop.
    Can anyone with knowledge on this problem please weigh in and let me know what I need to do to confirm that no one has accessed anything from my macbook.
    Thanks!

    One option if you want to be extra safe is turning on FileVault (System Preferences -> Security), which will encrypt everything on your computer so that if somehow someone does gain access to your computer they will have a next to zero chance of being able to read anything they get from your computer. You have to have a lot of extra hard drive space on your computer to turn it on though.
    Also, a "network" is just a connection between computers, regardless of whether the internet is involved or not. So when you connect your computer to the router which gives you the internet, you are putting your computer on a network. Now I believe that in order for this person whom you don't trust to gain remote access to your computer, they would have to have more information, such as an IP address for your computer, through the router in order to get to it.
    One thing I think is very important to consider that isn't on the technical side of things is something called "Social Engineering" which is a form of cracking, or hacking. You can do your own research, but in a nutshell Social Engineering is getting people that have access to something I'm trying to hack to give me information. For instance, this person you don't trust could be giving your brother the computer in the hopes that he will download something through your router to that laptop which could give him IP addresses and other information. And then when he gets that laptop back he could scan it for useful information and your brother wouldn't know he did anything wrong at all. The best way to avoid this is purely education and communication. Even if your brother doesn't share the same suspicions about this person, surely he will understand the need to be careful and smart when it comes to sharing personal information in the digital world.

  • HT1414 I had an update to do, did the update and was doing the setup. when the question Apple ID security came up, I check not now and hit next, but it will not continue anywhere

    Had an update to do, started the update and all was good until it came to the Security question during setup
    I chose Not Now and hit next, but it will not go any further.

    Reset and try again: Hold down the home button along with the sleep/wake button until you see the apple, then let go.

  • PSS: Password Self Service: No "Admin Defined Questions" available for security question registration

    Dear Experts,
    I have configured PSS as below,
    Activated "PSS" in connector configuration.
    Configure PSS as per SAP note.
    Configured 2 Questions and activated them.
    Maintained "Service User" in 10 services mentioned in SAP note
    After this when I try to register new user with "Admin Defined Questions" I do not get any question to select, it comes as a blank field. But I can register with user defined questions and can reset password as well as get mail for the same too.
    Questions:
    How to deactivate "User Defined Questions" option?
    Why I am not getting "Admin Defined Questions" for security question registration?
    Did anybody face the same issue?
    Thanks in advance,
    BR,
    Mangesh

    Hi Friends,
    Any advice on the same.
    I have three issues for PSS,
    Admin question are not visible
    set option "Challenge response"
    Set admin questions and marked them active
    No system displayed during password reset
    Marked connector as PSS activated
    User available in backend as this is allow me to login for users available in backend system through end user logon page
    GRACUSER and GRACUSRCONN has the entry
    How to deactivate option "user defined question" for all users
    Any suggestions. I have tried options suggested on community through threads but no luck till.
    Raised it to SAP now but if anyone can suggest would be great so I would try it.
    BR,
    Mangesh

  • Questions on Authentication, Security, and APEX_PUBLIC_USER

    Hello,
    I’m evaluating APEX and my DBA’s have some questions about authentication and database connections. I have audit tables in my schema (created using Oracle Designer) and I’ve noticed that APEX_PUBLIC_USER is the user recorded in my created_by and modified_by columns. I’ve read several posts about this expected behavior and its solution - (UPPER(NVL(V('APP_USER'),USER)). See:
    Re: User in journal
    Re: DB connection by apex_public_user or by registered schema name?
    How can I store the user name, not APEX_PUBLIC_USER
    I’m ok making the changes in my triggers, but my question is what is the consequence from the DBA’s perspective? If there are 100 users in my application and the DBA’s look at current database connections it will show 100 APEX_PUBLIC_USERs correct? What about any internal Oracle auditing? This is really my first true venture into web style programming. Maybe this is expected behavior.
    I also noticed that there are 157 PUBLIC grants to objects in the FLOWS_030000 schema. This means that any DB account has access to these objects by default. Is this a security risk? I would have expected the objects to be granted directly to APEX_PUBLIC_USER. My company is heavily audited in both in an internal and a Sarbanes-Oxley (Sox) sense. This may not be a concern to everyone, but it may be a concern to us. How do other people explain/justify this?
    Are we expected to not make DB accounts and only create users inside of APEX? I know APEX supports the DB authentication, but I haven’t seen any definitive “best practice” recommendations on this. I have looked at all the documentation here:
    http://download-west.oracle.com/docs/cd/B32472_01/doc/nav/portal_booklist.htm
    Is there more documentation with a better explanation than this?
    Can anyone explain how APEX_PUBLIC_USER has no direct privilege on tables in my schema, yet it is the user recorded for DML changes?
    I know this is a lot of questions; we're just trying to get a better understanding of APEX before we make the commitment to begin using it.
    Thanks for the help.
    Message was edited by:
    jabolen

    This FLOWS_xxxxxx schema has enough privilege to do DML in my schema (probably why FLOWS_xxxxxx is locked). Is that about right?
    Sort of. It has privilege to dynamically execute your DML (and other code) using your schema, so it is your schema that parses the code. (search: sys.dbms_sys_sql)
    ...enterprise-level identity management solutions...Is one example of that creating DB accounts? I assume others are SSO, LDAP, etc. Where can I read about the pro’s and con’s of these choices?
    Good topic for another thread: Best tools for managing user populations (tens, hundreds, thousands, internal company vs. internet/public, etc.) One key factor is who's going to do the work and how does that fit with your business, e.g., user forgets password -> user calls help desk (24/7?) -> help desk accesses admin account and resets password...Will help desk admin use EM, Application Express admin app, SQL*Plus, OID admin, ...?
    About authorization and roles, be aware that roles are useful in an Application Express environment only if you have a database user account for each application user (presumably named the same as the account the application user uses to authenticate, regardless of how the username/password lookup is performed, i.e., using the database account's password, LDAP, or something else) and your authorization code has enough privileges to check the current user's default roles, again the roles assigned to the database user account that corresponds to the application user name. This precludes the use of dynamically enabled roles. It also requires your application parsing schema to be able to access global views like dba_tab_privs. So, IMO, it's not the most streamlined approach unless you already have (or don't mind maintaining) a database user account for every named application user, a provision that may be unnecessary to support your authentication (vs.authorization) requirements.
    About ref cursors, there wouldn't be any privileges problems - your application's parsing schema must have the privilege to execute whatever definer's rights packages are to be called and these packages, as you said, would do the DML.. As to other issues involving the use of ref cursors, we'd need to know more about your approach and how you want to define reports. I suggest you build a small prototype app and try it out.
    Scott

  • Three questions about replication/security

    Hello,
    We are currently planning to build software for our sales persons using C#. Each sales person has a laptop and should be able to sync the client information when he/she has access to the internet/intranet. Sales person can update client information and the local database will be synced back to master server when the user is connected to the internet/intranet. My option was to go with Oracle lite (as client DB) and Oracle enterprise (Server DB). But after reading the posts in this forum, I believe Oracle XE can do the trick. Am I right?
    Second question is about the security of the replication. Sales persons can connect using the internet to sync the information back and forth. Is there a built in mechanism to secure the connection between the two DBs ( Oracle XE and EE)?
    Third question is about the recovery options. I read Mark’s post about the feature of Oracle XE. I understood that PIT recovery and archivelog mode are supported. But, the post also says that Tablespace PIT is not supported. Can someone tell me the difference between PITR and TSPITR? If PITR is supported, can I restore the database to a specific date and time (i.e. Dec 2, 2005 2:00PM)?
    Thanks a lot

    Comments inline
    Hello,
    We are currently planning to build software for our sales persons using C#. Each sales person has a laptop and should be able to sync the client information when he/she has access to the internet/intranet. Sales person can update client information and the local database will be synced back to master server when the user is connected to the internet/intranet. My option was to go with Oracle lite (as client DB) and Oracle enterprise (Server DB). But after reading the posts in this forum, I believe Oracle XE can do the trick. Am I right?
    Yes - except that Oracle Lite comes with the synchronization built in, and it's tested to handle all the weird corner cases you have to deal with. XE will give you basic replication, however, you will have to build the connect, replicate (refresh materialized views), disconnect logic yourself (and test it). Personally I would spend the $100 on the Oracle Lite option
    Second question is about the security of the replication. Sales persons can connect using the internet to sync the information back and forth. Is there a built in mechanism to secure the connection between the two DBs ( Oracle XE and EE)?
    It depends on what you mean by secure. When you connect XE to Enterprise Edition, it will use a database link to refresh the materialized views (replicated tables). Userids/passwords across the database link will be sent in an encrypted form. The data will not. I'm guessing you could use Oracle's Advanced Security option to secure the database links from XE to EE, but I'm not 100% sure. Tom may be able to give us a clue on this one. Also, note that DBLinks by default use the TCP/IP transport, so that's a hole you would have to kick in the firewall if the EE database was behind it (as it should be). Although replication can use HTTP as a transport mechanism
    (You can see all the issues you start to get into - the $100 dollars per Oracle Lite deployment is looking real good to me right about now)
    Third question is about the recovery options. I read Mark’s post about the feature of Oracle XE. I understood that PIT recovery and archivelog mode are supported. But, the post also says that Tablespace PIT is not supported. Can someone tell me the difference between PITR and TSPITR? If PITR is supported, can I restore the database to a specific date and time (i.e. Dec 2, 2005 2:00PM)?
    Yes - you can roll forward the entire database to a given point in time using RMAN (which will be in production). You cannot however roll forward just a subset of tablespaces (i.e a subset of the data) in XE. Tablespace PITR is an EE feature (and not for the faint hearted).
    Thanks a lot

  • Question on OID Security Provider?

    1. I find two official documents on configuring the OID security provider. Which one is correct?
    http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBBHAGJ
    http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/taskhelp/security/ConfigureOracleInternetDirectoryATNProvider.html
    The main differences are:
    a. whether to change cn to uid at Groups related fields?
    for example:All Groups Filter to (&(uid=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
    b. whether to modify jps-config.xml file?
    2. I configured the provider successfully based on http://download.oracle.com/docs/cd/E15523_01/webcenter.1111/e12405/wcadm_security.htm#BGBBHAGJ, and I can find all users and groups of OID in the weblogic console. My question is why can't I delete or change the group of a user which is in OID? When I add a new user via the weblogic console wizard I can't find the OID provider in the Authentication Provider list. What is the matter with it? A bug, or something wrong with my configuration, or is it built-in design?

    a. whether to change cn to uid at Groups related fields?
    If the group name attribute for the static group object in the LDAP directory structure is a type other than cn, change that type in the settings for the All Groups Filter and Group Name From Filter attributes.
    For OID, the static group attribute is CN if I am not wrong. So I believe we don't need to change the All Groups Filter.
    b. whether to modify jps-config.xml file?
    I believe NO.
    why can't I delete or change group of user which at OID. When I add new user via weblogic console wizard I can't find OID provider at Authentication Provider list.
    The Weblogic OID Provider is read only, we can't modify anything on OID. It's not a bug, you get the same behaviour with the other providers as well.
    Hope it answers.

  • I can't remember my answers for the questions on your security page, please send, sorry to cause any problem

    Can't get songs I would like to buy, only just had PC reformatted and can not remember the answers to the questions you set on your page, sorry
    <Email Edited by Host>

    You need to ask Apple to reset your security questions; ways of contacting them include clicking here and picking a method for your country, and filling out and submitting this form.
    (96467)
