Java Mobile Edition Security : Development and Security Testing (part 1) - Configuring a Development Environment and Installing New Platforms & Emulator

2/15/2011 11:40:46 AM
Because JME is a Java standard, developers and security testers benefit from being able to use roughly the same toolchain as used for standard Java development. If you have a favorite Java development environment, it may be worth sticking with it. The only unique development requirements are a device emulator and the CLDC and MIDP libraries. The compiler is identical. Sun freely provides the Java ME SDK (the SDK), which includes an emulator, emulator images, class libraries, samples, and a simple development environment. Each device manufacturer or operator may also distribute their own version of the toolkit, which contains additional emulator images and libraries. These custom toolkits are generally only required when targeting specific devices.

JME development tools for CLDC, CDC, and MIDP applications used to be distributed independently. Now every mobile configuration and profile is bundled together in the SDK and available as one download.

This author’s preferred development environment is NetBeans with the NetBeans Mobility Pack. It seamlessly integrates with the SDK and requires very little configuration to get things up and running. Other developers prefer Eclipse ( with the Mobile Tools for Eclipse plug-in installed ( Unfortunately, some of the JME profiling tools are not yet integrated into Eclipse. Throughout this article, screenshots and instructional text will refer to development using the free NetBeans editor and the Java ME SDK. At the time of this writing, the most recently released version of the SDK is 3.0.

To find manufacturer custom SDKs, visit the manufacturer’s website. If you’re testing a device on a specific carrier, that carrier may offer unique emulator images that are customized and differ from the manufacturer’s standard images. Almost everyone requires registration, but the APIs themselves are almost always free. Use the carrier specific packages if they exist because many operators, especially in North America, change security settings, add software, or otherwise affect the device’s behavior. Here are some manufacturer and carrier download sites:

Configuring a Development Environment and Installing New Platforms

Follow these steps to install NetBeans and the JME SDK 3.0 on Windows:

Download and install version 5 or 6 of the Java Development Kit (JDK). This is required to run NetBeans.

Download the SDK from Sun’s website ( Installing Sun’s SDK is not strictly required because a version is included with NetBeans. However, installing the latest version is always a good idea.

Run the downloaded executable file (sun_java_me_sdk-3_0-win.exe).

Click through the installer and read the options to make sure they work for you. By default, the SDK will be installed to \Java_ME_platform_SDK_3.0.

Download NetBeans with the Mobility Pack ( Make sure to select a version that supports Java ME development. Alternatively, you could use the pared-down version of NetBeans that comes with Sun’s SDK, but it does not have a debugger, which is an essential security testing tool.

After installing NetBeans, make sure to install any updates. There have been security vulnerabilities in the JME SDK before.

Once NetBeans has been installed, start the IDE by clicking on the NetBeans IDE icon in the Start menu. See Figure 1 for the screenshot.

Figure 1. NetBeans JME development environment

You will now have to tell NetBeans about the new version of the JME SDK. After you do this, NetBeans will be able to compile using those libraries and use the emulator images. This is the same process used when downloading and installing operator and manufacturer SDKs.

Within NetBeans, open the Tools menu and select Java Platforms.

Click Add Platform to add a new Java platform.

Select the Java ME MIDP Platform Emulator radio button and click Next.

NetBeans should find the third-edition SDK automatically. If it doesn’t, navigate to the folder where the SDK was installed (for example, c:\JAVA_ME_platform_SDK_3.0).

Click Okay to install the platform.

Emulator and Data Execution Protection

If you are running on a Windows system with Data Execution Protection (DEP) enabled, the emulator may crash immediately because it is executing code from operating system memory pages not marked as executable. Here’s how to fix this:

  1. In Windows, open the Advanced System Settings dialog by right-clicking on Computer and choosing Properties.

  2. Select the Advanced tab and click Performance Options.

  3. Choose the Data Execution Prevention tab.

  4. Add the emulator runtime to the DEP excepted programs list (C:\Java_ME_platform_SDK_3.0\runtimes\cldc-hi-javafx\bin\ runMidlet.exe).

Each wireless toolkit names this executable slightly differently. To determine which executable is crashing, review the system crash report. Be careful not to leave nonspecialized applications such as java.exe in the exclusion list because this does decrease your machine’s anti-exploitation protections.

To test everything out, import one of the sample projects by clicking File | New Project. Select the Java ME category, choose the Mobile Projects with Existing MIDP Sources project type, and navigate to one of the samples installed with the JME SDK. The Demos application is a good starting point (C:\Java_ME_platform_SDK_3.0\apps\Demos).

Once the project is imported, click the green Run arrow in the toolbar to actually run the project. If all has gone well, an emulator should pop up and the application should be started.


The emulator lets you simulate real-world devices without having the actual hardware. For JME, this is especially invaluable because there are thousands of different models in the marketplace. Thankfully, the SDK contains emulator images for the most popular devices and form factors. These images are a great place to start when you’re first poking around with JME.

One advantage of JME over other shared mobile platforms (such as Windows Mobile) is that the application and platform security behavior is specified by MIDP and CLDC. Therefore, the emulator’s behavior should be relatively consistent with the behavior of real devices. However, some manufacturers and carriers do tweak the rules, so always make sure to test on the target device.

Configuring the Emulator

The default SDK emulators support many of the newer JSRs that may not be available on production devices. Also, the emulators don’t enforce security by default, which makes it impossible to test the security system. Before using the emulators, make sure to enable security and add or remove JSRs to match your testing target. This is especially handy when an emulator is not easily available from the device manufacturer.

Adding and Removing JSRs

To add or remove support for optional JSRs in NetBeans, do the following:

  1. Open the project’s properties by right-clicking on the project and selecting Properties.

  2. Select the Platform category from the right-side tree menu. This property page lets you tweak individual settings on the device.

  3. Disable or enable individual JSRs by finding their API set and clicking the check box. Unfortunately, the actual JSR number is not provided in this list.

Enabling Security

The MIDP security specification groups access to a device into permission domains. By default, applications written in NetBeans will run in the Maximum permission domain, which should never happen in the real world and won’t exhibit close to the same security behavior as it will on an actual device. To actually test the security of your application, force the application to run in a restricted permission domain. This way, you can see how the application will respond on a real device. Of course, individual devices may behave differently, and any real testing should be performed with the appropriate target toolkit and certificates.

To cause an application to run in a particular permission domain when being deployed from NetBeans, do the following:

  1. Open the project’s properties by right-clicking on the project and selecting Properties.

  2. Select the Running category from the right-side tree menu.

  3. Check the Specify the Security Domain check box and select a permission domain. For this exercise, choose Minimum.

  4. Run the Demos project. Notice that the application won’t actually start. This is because the project uses the HTTP and HTTPS library and is not being signed by NetBeans, which causes the device to block the application from running.

  •  Java Mobile Edition Security : Configurations, Profiles, and JSRs
  •  Programming the Mobile Web : Performance Optimization
  •  Programming the Mobile Web : Testing and Debugging (part 3) - Client-Side Debugging
  •  Programming the Mobile Web : Testing and Debugging (part 2) - Server-Side Debugging & Markup Debugging
  •  Programming the Mobile Web : Testing and Debugging (part 1) - Remote Labs
  •  Windows Phone 7 : Working with Controls and Themes - Adding Transition Effects
  •  Windows Phone 7 : Working with Controls and Themes - Understanding Frame and Page Navigation
  •  Windows Phone 7 : Working with Controls and Themes - Panorama and Pivot Controls
  •  Programming the Mobile Web : Widgets and Offline Webapps - Platforms (part 5) - Windows Mobile & BlackBerry
  •  Programming the Mobile Web : Widgets and Offline Webapps - Platforms (part 4) - Windows Mobile & BlackBerry
  •  Programming the Mobile Web : Widgets and Offline Webapps - Platforms (part 3) - webOS & Android
  •  Programming the Mobile Web : Widgets and Offline Webapps - Platforms (part 2) - iPhone, iPod, and iPad
  •  Programming the Mobile Web : Widgets and Offline Webapps - Platforms (part 1) - Symbian/Nokia
  •  Programming the Mobile Web : Widgets and Offline Webapps - Standards
  •  Mobile Application Security : BlackBerry Security - Networking
  •  Mobile Application Security : BlackBerry Security - Local Data Storage
  •  Themes on Windows Phone 7 Devices (part 2) - Changing the Theme & Detecting the Currently Selected Theme
  •  Themes on Windows Phone 7 Devices (part 1) - Applying a Theme
  •  Programming the Mobile Web : Mobile Widget Platforms
  •  Programming the Mobile Web : Geolocation and Maps - Showing a Map
    Top 10
    ASP.NET 3.5 : The HTTP Request Context - The HttpRequest Object
    ASP.NET 3.5 : The HTTP Request Context - The HttpResponse Object
    Active Directory Domain Services 2008 : Enable a Group Policy Object Link, Enforce a Group Policy Object Link, Remove the Enforcement of a Group Policy Object Link
    Active Directory Domain Services 2008 : Link a Group Policy Object, Remove a Group Policy Object Link, Disable a Group Policy Object Link
    Writing 64-Bit Applications for Windows 7 (part 2)
    Writing 64-Bit Applications for Windows 7 (part 1) - OVERCOMING 64-BIT DEVELOPMENT ISSUES
    Developing a Windows 7 Strategy : DETERMINING THE USER WINDOWS 7 COMFORT LEVEL
    Windows Server 2008 and Windows Vista : Group Policy Processing Events (part 2) - Foreground Group Policy Processing
    Windows Server 2008 and Windows Vista : Group Policy Processing Events (part 1) - Background GPO Policy Processing
    Kyocera Mita FS-C5150DN
    Most View
    SQL Server 2008 : Performance Tuning - Working with Database Tuning Advisor
    HP X2301 : Micro Thin, Macro Sights
    Idisk - The Most Versatile Component Of Mobileme (Part 2)
    Java EE 6 with GlassFish 3 Application Server : JSP implicit objects
    ASP.NET 4 in VB 2010 : ADO.NET Fundamentals (part 2) - SQL Basics
    Algorithms for Compiler Design: REGULAR GRAMMAR
    Supporting Computers Running Windows Vista
    Managing Exchange Server 2010 : The Exchange Management Shell (part 1) - Bulk user creation in the Exchange Management Shell
    A Complete Instruction For Your PC Kit And How To Buy (Part 4) - Orange Amplification OPC
    SQL Server 2008 : Developing with LINQ to SQL (part 2) - Uncovering LINQ to SQL with Linqpad
    SQL Server 2008 : Advanced Stored Procedure Programming and Optimization - Using Dynamic SQL in Stored Procedures
    PestControl - Remove Stubborn Bugs - DNSCHANGER
    New products - First looks, May 2012 (Part 3) - MSI Z77-GD55 Motherboard, Motorola Atrix 2, NVIDIA GTX 680
    Oloneo HDRengine
    Social Shedding the Slacktivist Tag
    Windows Server 2003 : Terminal Services Administration (part 2) - Terminal Services Configuration
    Windows Vista : Performing Local PC Administration (part 2) - Performing common workstation administration tasks
    Windows Phone 7 : In the Cloud - Pushing Your Notification
    Exchange Server 2010 : Utilize the Availability Options for Servers Based on Role (part 1) - Load-Balance Client Access Servers
    XNA Game Studio 4.0 : Gamer Services - Guide Class (part 1) - Trial Mode