Palm has been very forthcoming
with its SDK, and third-party applications are obviously a priority. The
WebOS SDK (a.k.a. the Mojo SDK) may be downloaded for free from http://developer.palm.com. Developers are required to register before
they are allowed to access the SDK. Registration is free. The Mojo SDK
is available for Linux, Mac OS X, and Windows. This author slightly
prefers the Mac OS X environment over Windows because of stronger
terminal support when actually logging into and accessing the device.
As of this writing, the SDK is
in beta and there have been several changes as Palm integrates feedback
from application developers and continues to develop new features. Be
vigilant of SDK changes, especially as they relate to changes in
security behavior. A precedent for this already exists—Palm changed the
default behavior of HTML escaping in a previous release. Thankfully,
this change was made from an insecure default to a secure one, but who
knows what changes the future may bring.
Developers can use their
favorite web development environment. Palm recommends using Eclipse (www.eclipse.org) with the Aptana plug-ins. More
instructions on how to configure this environment are available from http://developer.palm.com as part of the Getting Started how-to guide.
Once Eclipse is running, developers may install a WebOS Eclipse
plug-in. This plug-in adds wizards for creating applications and scenes
as well as for packaging code and installing it on the device.
Developer Mode
By default, developers
cannot access the terminal on the device or install unsigned
applications. To be allowed to carry out these actions, developer mode
must first be enabled. To do so, follow these instructions:
Once
the main launcher screen is on top, type upupdowndownleftrightleftrightbastart. While you type this, the search UI will pop up
and nothing will appear to be happening.
Once
the entire code has been entered, the Developer Mode Application will
appear. Select it by clicking on it.
Toggle
developer mode by setting the value of the slider in the top right to
On.
Exit the Developer Mode
Application and reset the device.
The emulator enables developer
mode by default, so the preceding instructions are unnecessary when
you’re using the emulator.
When the phone is enabled in
developer mode, many of the security protections are disabled. Only use
development mode on development devices or temporarily when performing
testing. Do not leave your personal phone in development mode.
Accessing Linux
WebOS stands apart from
other mobile platforms due to the unprecedented access Palm provides to
the underlying Linux OS. To connect a terminal to Linux, follow these
steps:
Plug
in the WebOS device or start the emulator.
If you’re on Windows:
Run novacom –t open tty://.
This will open a root
terminal on the device. Note that pressing CTRL-C will cause novacom to
exit but will not actually kill the shell process running on the device.
If you’re on Mac OS X
or Linux:
A root terminal will
open on the device.
If more than one device is
connected (for example, the emulator and a physical device), you can
choose which device to connect to by using the -d parameter. For
example, use the following for devices connected via USB:
Once connected to Linux,
you can explore the device’s file system. Because all WebOS
applications are written in JavaScript, the original source code can be
reviewed to determine how the applications actually work. Most
interesting are the following folders:
| Folder | Description |
|---|
| /media/internal | The internal data storage partition.
Photos, application data, and other media are stored here. |
| /var/minicores | Contains text mini-dumps of executables that
terminated unexpectedly during execution. |
| /usr/palm/applications | Built-in
applications are located here. |
| /var/usr/palm/applications | Third-party
and developer applications are stored here once they are installed on
the device. |
Emulator
The WebOS emulator runs on Mac
OS X, Windows, and Linux using the Virtual Box virtualization software
(see Figure 1). The emulator can be used for most
testing but does not exactly mimic a device. First of all, the emulator
always has developer mode enabled. Second, you can use the “luna-send”
tool to simulate call events. This virtual radio simulator is a great
benefit of using the emulator for rapid development.
To send fake text
messages, do the following:
Open a terminal to the
emulator.
Run the luna-send tool and send a
message to the com.palm.pmradiosimulator system service. The luna-send
tool sends messages across the Palm Bus and can be used for testing
applications and service calls without the overhead of writing an
application.
luna-send -n 1 luna://com.palm.pmradiosimulator/set_incomingsms
{\"number\":\"2065551212\",
\"message\":\"'I love security reviewing the Pre!'\"}
Debugging and
Disassembly
First the good news: Because
WebOS applications are written in JavaScript, they are extremely easy to
reverse-engineer and disassemble. Simply find the application’s
location on the file system and review the JavaScript manually. This
technique is useful not just for finding security vulnerabilities, but
also for discovering system service interfaces and learning more about
WebOS application development.
Some system services are
written using Java or C. To disassemble Java services, use the JD-Gui
Java decompiler (http://java.decompiler.free.fr/) and use IDA Pro (http://hex-rays.com/)
for C disassembly. In general, neither of these tools will be required
by WebOS application developers striving to write secure applications.
Unfortunately, the
WebOS debuggers are somewhat deficient and not as easy to use as other
mobile development environments. Currently the Palm debugging toolkit
consists of three tools: the D8 JavaScript debugger, the Palm Inspector
(shown in Figure 2), and log statements that are printed
into /var/log/messages. Currently the best way to debug is to use log
messages for standard tracing/debugging, debug complicated logic
problems using the D8 debugger, and use the Palm Inspector for UI
debugging.
To launch the debugger,
open a root terminal and run the “debug” command. This will start D8,
the JavaScript debugger for the V8 engine. The debugger attaches to Luna
and debugs all JavaScript processes simultaneously. Unfortunately,
there is no way, other than intelligently setting breakpoints, to scope
debugging to a single process. Here are some of the more useful commands
(type help
to view the complete command list).
| Command | Effect/Usage |
|---|
| b
[location] | [location] defines where to stop
execution. For example, the following command will stop execution in the
HelloWorldScene-assistant.js file on line 142: |
| | var/usr/palm/applications/com.isecpartners.helloworld/app/assistants/
HelloWorldScene-assistant.js:142 |
| c | Continue execution once the
debugger has stopped. |
| List | List the source code around the
current line. |
| p [statement] | [statement]
defines a JavaScript statement to execute. Use this to perform ad-hoc
JavaScript experimentation. |
| Step | After
breaking, step one time. |
| trace compile | Toggles
debugger output JavaScript compilation methods. This is useful when
pulling in remote scripts and determining what to execute and what to
ignore. This command will generate a large amount of output and
significantly slow down the device. JavaScript Object Notation (JSON)
return statements will also be displayed. |
The Palm Inspector shows the
currently displayed DOM and the styles being applied in the current
scene. Unlike D8, Palm Inspector runs on the developer’s PC. Before an
application can be inspected, the application must be launched for
inspection. Do this using the “palm-launch” tool:
Open
a command prompt or terminal window on the development PC. This is a
local terminal; do not connect to the device.
Run the command
palm-launch -i <application_name> [{parameters}].
The
-i parameter indicates to start the application for inspection. This
parameter must be specified.
<application_name> is the name of the
application to run (for example, com.isecpartners.sports).
[{parameters}] is a JSON object of parameters to specify. The
parameters are optional but some applications may require them.
Start the Palm Inspector tool. It will automatically
connect to the running application and show the DOM. From here, the
application’s styles may be adjusted and JavaScript can be executed in
the bottom panel.
