28 October 2008

Enhancing the security prompting
for Java applications on S60 devices

If you here for a long enough than you already well aware that I am not huge fan of java applications, or to be precise MIDlets. Apart from the stone-age user interface and general slowness, the most annoying issue are endless, annoying and worthless security prompts!

Ironically most of the phone users don’t even understand what the heck the prompts are saying and confirms all of them without thinking twice whether they really know it's safe to do so or not.

Unlike the native Symbian applications, with java based software you’ll always run into security prompts because Java puts a lot of weight on security measurements and that is the main reason why it continuously prompts the user when they try to access 'sensitive' resources.

In a matter of fact, it pops up everywhere, when you're trying to install application, configure it, make some change, when accessing the local file system, data connection, actually sometimes I feels like it pops up even if I accidentally press d-pad in the wrong way :]

In many cases user is not allowed to grant application to access similar functionality in future ("Don't prompt me about this again") but requires user to accept the same thing over and over again in the same application run. But apparently there's hope.

No, not for all S60 users unfortunately but at least there is hope that this will be fixed on upcoming 3rd edition FP 2 (and later) devices but they’ll try to implement enhancements to some existing products through the firmware updates.

Aleksi Uotila from S60 Java team has written quite an informative post on the Developing on S60 blog about the security prompting and a handy solution for this annoying problem.

He says that S60 platform having very strict security rules for Java which does not really make sense as native applications and other runtime applications do not have to follow the same rules.

That means that due to strict security Java applications have been less capable in past. Therefore they decided to implement two things to make the situation better for Java developers on S60:

• A new kind of runtime security prompt which allows user to directly change the security setting for the application (pictured here)
  
• A set of security policy changes allowing user more control on the settings levels for untrusted and trusted 3rd party

Above picture shows the new security prompt. User is able to directly choose the security setting for the function group from the prompt.

In the example picture the function group is “NetAccess” as the prompt text talks about network usage. The different access groups and which API methods are tied to them are specified in MSA specification.

The idea of the new policy is to allow for signed MIDlets (identified third party in spec lingo) by default to have session access.

This means that for a certain API access user would only be asked once for the same MIDlets runtime. This helps signed applications using SMS/MMS messaging, file access, and application push invocations. For unsigned applications (untrusted / unidentified in spec lingo) we have added user some more freedom to choose the security level on these same access groups but the default access is the same as previously.