Mobile Application Security : WebOS Security - Development and Security Testing

2/24/2011 4:11:01 PM
Palm has been very forthcoming with its SDK, and third-party applications are obviously a priority. The WebOS SDK (a.k.a. the Mojo SDK) may be downloaded for free from Developers are required to register before they are allowed to access the SDK. Registration is free. The Mojo SDK is available for Linux, Mac OS X, and Windows. This author slightly prefers the Mac OS X environment over Windows because of stronger terminal support when actually logging into and accessing the device.

As of this writing, the SDK is in beta and there have been several changes as Palm integrates feedback from application developers and continues to develop new features. Be vigilant of SDK changes, especially as they relate to changes in security behavior. A precedent for this already exists—Palm changed the default behavior of HTML escaping in a previous release. Thankfully, this change was made from an insecure default to a secure one, but who knows what changes the future may bring.

Developers can use their favorite web development environment. Palm recommends using Eclipse ( with the Aptana plug-ins. More instructions on how to configure this environment are available from as part of the Getting Started how-to guide. Once Eclipse is running, developers may install a WebOS Eclipse plug-in. This plug-in adds wizards for creating applications and scenes as well as for packaging code and installing it on the device.

Developer Mode

By default, developers cannot access the terminal on the device or install unsigned applications. To be allowed to carry out these actions, developer mode must first be enabled. To do so, follow these instructions:


For more information, refer to “Command Line Tools” on the Palm website (

  1. Boot the WebOS device.

  2. Once the main launcher screen is on top, type upupdowndownleftrightleftrightbastart. While you type this, the search UI will pop up and nothing will appear to be happening.

  3. Once the entire code has been entered, the Developer Mode Application will appear. Select it by clicking on it.

  4. Toggle developer mode by setting the value of the slider in the top right to On.

  5. Exit the Developer Mode Application and reset the device.

The emulator enables developer mode by default, so the preceding instructions are unnecessary when you’re using the emulator.

When the phone is enabled in developer mode, many of the security protections are disabled. Only use development mode on development devices or temporarily when performing testing. Do not leave your personal phone in development mode.

Accessing Linux

WebOS stands apart from other mobile platforms due to the unprecedented access Palm provides to the underlying Linux OS. To connect a terminal to Linux, follow these steps:

  1. Plug in the WebOS device or start the emulator.

  2. If you’re on Windows:

    1. Open a command prompt.

    2. Run novacom –t open tty://.

    3. This will open a root terminal on the device. Note that pressing CTRL-C will cause novacom to exit but will not actually kill the shell process running on the device.

  3. If you’re on Mac OS X or Linux:

    1. Open a terminal window.

    2. Run novaterm.

    3. A root terminal will open on the device.

If more than one device is connected (for example, the emulator and a physical device), you can choose which device to connect to by using the -d parameter. For example, use the following for devices connected via USB:

novaterm -d usb

Once connected to Linux, you can explore the device’s file system. Because all WebOS applications are written in JavaScript, the original source code can be reviewed to determine how the applications actually work. Most interesting are the following folders:

/media/internalThe internal data storage partition. Photos, application data, and other media are stored here.
/var/minicoresContains text mini-dumps of executables that terminated unexpectedly during execution.
/usr/palm/applicationsBuilt-in applications are located here.
/var/usr/palm/applicationsThird-party and developer applications are stored here once they are installed on the device.


The WebOS emulator runs on Mac OS X, Windows, and Linux using the Virtual Box virtualization software (see Figure 1). The emulator can be used for most testing but does not exactly mimic a device. First of all, the emulator always has developer mode enabled. Second, you can use the “luna-send” tool to simulate call events. This virtual radio simulator is a great benefit of using the emulator for rapid development.

Figure 1. The WebOS emulator running on Mac OS X

To send fake text messages, do the following:


For more information, refer to “Radio Simulator” on the Palm website (

  1. Open a terminal to the emulator.

  2. Run the luna-send tool and send a message to the com.palm.pmradiosimulator system service. The luna-send tool sends messages across the Palm Bus and can be used for testing applications and service calls without the overhead of writing an application.

    luna-send -n 1 luna://com.palm.pmradiosimulator/set_incomingsms
    \"message\":\"'I love security reviewing the Pre!'\"}

Debugging and Disassembly

First the good news: Because WebOS applications are written in JavaScript, they are extremely easy to reverse-engineer and disassemble. Simply find the application’s location on the file system and review the JavaScript manually. This technique is useful not just for finding security vulnerabilities, but also for discovering system service interfaces and learning more about WebOS application development.

Some system services are written using Java or C. To disassemble Java services, use the JD-Gui Java decompiler ( and use IDA Pro ( for C disassembly. In general, neither of these tools will be required by WebOS application developers striving to write secure applications.

Unfortunately, the WebOS debuggers are somewhat deficient and not as easy to use as other mobile development environments. Currently the Palm debugging toolkit consists of three tools: the D8 JavaScript debugger, the Palm Inspector (shown in Figure 2), and log statements that are printed into /var/log/messages. Currently the best way to debug is to use log messages for standard tracing/debugging, debug complicated logic problems using the D8 debugger, and use the Palm Inspector for UI debugging.

Figure 2. The Palm Inspector tool

To launch the debugger, open a root terminal and run the “debug” command. This will start D8, the JavaScript debugger for the V8 engine. The debugger attaches to Luna and debugs all JavaScript processes simultaneously. Unfortunately, there is no way, other than intelligently setting breakpoints, to scope debugging to a single process. Here are some of the more useful commands (type help to view the complete command list).

b [location][location] defines where to stop execution. For example, the following command will stop execution in the HelloWorldScene-assistant.js file on line 142:
 var/usr/palm/applications/com.isecpartners.helloworld/app/assistants/ HelloWorldScene-assistant.js:142
cContinue execution once the debugger has stopped.
ListList the source code around the current line.
p [statement][statement] defines a JavaScript statement to execute. Use this to perform ad-hoc JavaScript experimentation.
StepAfter breaking, step one time.
trace compileToggles debugger output JavaScript compilation methods. This is useful when pulling in remote scripts and determining what to execute and what to ignore. This command will generate a large amount of output and significantly slow down the device. JavaScript Object Notation (JSON) return statements will also be displayed.

The Palm Inspector shows the currently displayed DOM and the styles being applied in the current scene. Unlike D8, Palm Inspector runs on the developer’s PC. Before an application can be inspected, the application must be launched for inspection. Do this using the “palm-launch” tool:

  1. Open a command prompt or terminal window on the development PC. This is a local terminal; do not connect to the device.

  2. Run the command palm-launch -i <application_name> [{parameters}].

    1. The -i parameter indicates to start the application for inspection. This parameter must be specified.

    2. <application_name> is the name of the application to run (for example, com.isecpartners.sports).

    3. [{parameters}] is a JSON object of parameters to specify. The parameters are optional but some applications may require them.

  3. Start the Palm Inspector tool. It will automatically connect to the running application and show the DOM. From here, the application’s styles may be adjusted and JavaScript can be executed in the bottom panel.

  •  Mobile Application Security : WebOS Security - Introduction to the Platform
  •  iPhone Application Development : Getting the User’s Attention - Using Alert Sounds and Vibrations
  •  iPhone Application Development : Getting the User’s Attention - Using Action Sheets
  •  jQuery 1.3 : Modifying table appearance (part 4) - Filtering
  •  jQuery 1.3 : Modifying table appearance (part 3) - Collapsing and expanding sections
  •  jQuery 1.3 : Modifying table appearance (part 2) - Tooltips
  •  jQuery 1.3 : Modifying table appearance (part 1) - Row highlighting
  •  Windows Phone 7 Development : Using Culture Settings with ToString to Display Dates, Times, and Text
  •  Mobile Application Security : SymbianOS Security - Persistent Data Storage
  •  Mobile Application Security : SymbianOS Security - Interprocess Communication
  •  Mobile Application Security : SymbianOS Security - Permissions and User Controls
  •  Windows Phone 7 Development : Building a Trial Application (part 3) - Verifying Trial and Full Mode & Adding Finishing Touches
  •  Windows Phone 7 Development : Building a Trial Application (part 2) - Connecting to a Web Service & Adding Page-to-Page Navigation
  •  Windows Phone 7 Development : Building a Trial Application (part 1) - Building the User Interface
  •  jQuery 1.3 : Table Manipulation - Sorting and paging (part 2) : Server-side pagination & JavaScript pagination
  •  jQuery 1.3 : Table Manipulation - Sorting and paging (part 1) : Server-side sorting & JavaScript sorting
  •  Windows Phone 7 Development : Understanding Trial and Full Modes (part 3) - Simulating Application Trial and Full Modes
  •  Windows Phone 7 Development : Understanding Trial and Full Modes (part 2) - Using the Marketplace APIs
  •  Windows Phone 7 Development : Understanding Trial and Full Modes (part 1) - Using the IsTrial Method
  •  Mobile Application Security : SymbianOS Security - Application Packaging
    Top 10
    Primer – Choosing And Using Peripheral Buses (Part 2)
    Primer – Choosing And Using Peripheral Buses (Part 1)
    SanDisk ReadyCache 32GB - Caching Solution SSD
    Windows 8 Tips And Tricks – Jan 2013
    Lenovo IdeaPad S400 - Stylish And Affordable Laptop
    Nokia Lumia 920 - Super Smart, Super-Size Handset
    Optimus L9 - The Nicest Phone In LG's 'L' Line
    Bits Of Bytes
    Happy iMas (Part 2)
    Happy iMas (Part 1)
    Most View
    Windows 7 : Maintaining Your Hard Drive
    Implementing and Validating SharePoint 2010 Security : Using IPsec for Internal SharePoint Encryption
    New or Updated Group Policy Settings in Windows Vista
    Exchange Server 2010 : Monitoring and Troubleshooting Unified Messaging
    AMD Radeon HD 7950 3GB vs. Nvidia GeForce GTX 660 Ti 2GB vs. Nvidia GeForce GTX 670 2GB (Part 2)
    Rise Of The Mobile Processors (Part 1)
    The Linux Build: Part For Penguins (Part 5)
    Advanced ASP.NET : Output Caching
    Iwork Pro : Export Strength
    Choose The Right Business Broadband (Part 2)
    Editions of SQL Server 2008
    Deploying the Client for Microsoft Exchange Server 2010 : Planning Considerations and Best Practices
    Kingston SSDNow mS100 64GB - One Of The Cheapest SSDs Around
    Linking PCs with a Network : Connecting to and Sharing Files with Other PCs on Your Network, Sharing a Printer on the Network
    Most Favorite Education Apps For Your Smartphone – November 2012
    Nikon Launched The D800 And D800E
    Troubleshooting Reference: Projectors
    MySQL for Python : Passing a query to MySQL
    Sony RX100 - Music To Your Ears!
    ASUS RT-N56U