
Techie help needed re Java mobile certificates

SMS Text News reader Daniel emailed me asking for the help of the ultra techie audience here on the site. Do you know much about certificates and Java for mobile? Perhaps you might be able to help. Here’s his enquiry:

Please help me with this enquiry. I’ve got a Java mobile application that I’m trying to distribute over the internet, but whenever the users try to install the application and use it, a message keeps on appearing saying the application hasn’t got a certificate.

Let me explain the process of downloading the application from the site. The users visit the site and complete the online registration form. By clicking on the download button, a txt file will be generated which will contain the user details; the JAR file which contains the application stored on the server gets extracted and recompiled again with the new txt file.

So whenever users try to activate the application on their phone, the information saved in the txt file will be retrieved to authenticate them. Basically, the help I need now is identifying which company I need to use to integrate the application with the security certificate, as the way the application is downloaded makes it a little bit complicated.

It’s definitely a complicated model that Daniel’s implemented. Any thoughts?

By Ewan

Ewan is Founder and Editor of Mobile Industry Review. He writes about a wide variety of industry issues and is usually active on Twitter most days.

6 replies on “Techie help needed re Java mobile certificates”

Hi

Unsigned Java applications are placed into what is known as third party untrusted.

There are 4 groups for security; all remove the particular nag Dan has a problem with except the first:

Third Party untrusted (basically an unsigned application)
Third Party Trusted (Verisign/ Java Verify)
Operator (Vodafone, T Mobile etc)
Manufacturer (Sony, Motorola etc)

Signing applications also allows access and/or removes the nags to protected APIs such as JSR 75, HTTP connection.

The big stumbling block here is you cannot be certain which certificates are on a given phone. The most common ones are the Java Verify programme’s (in the phone as UTi) and the Verisign certificate; however, for example, not all Motorolas will have the Verisign certificate. Most Sonys do, but if we take the Vodafone UK K800, this only has the Java Verify certificate.

Hope the above helps. Feel free to contact me if you wish further clarification.

Further to this point: as he is recompiling on the fly, he is going to have to use a Verisign certificate, as he needs to be able to self-sign the application.

Kieran, I talked to Daniel and he’s away to talk to VeriSign — thanks for taking the time to answer!

Hi,

I’m also happy to help out on this if Daniel still needs a hand. I’ve done it before with Mobizines, compiling up MIDlets on a server with varying content inside them and then getting the server to sign them. Tricky bits are making sure you have the entire certificate chain inside the JAD file – linking your certificate to the Certificate Authority’s root certificate and (as Kieran says) making sure you only deliver the signed application to phones which have the root Certificate Authority’s certificate installed on them. For ‘trusted 3rd party’ we were using a Verisign Class 3 Code Signing certificate and found that only Sony Ericsson devices consistently had the root CA installed. Newer devices (last 1-2 years) from many manufacturers do have the certificate installed but it is a hassle testing each device and maintaining a list of which Nokias/LGs/Samsungs/… do have it and which don’t.

That is where Java Verified came in as they maintain a list on JavaVerified.com of which devices definitely have the JavaVerified root certificate on them, but then that is expensive and you can’t self-sign.

Kind regards
Rich
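
Added example, not part of the original post or comments: a structural pre-delivery check a build server could run on each per-user JAD/JAR pair, covering the certificate-chain point raised above. The attribute names `MIDlet-Jar-Size`, `MIDlet-Jar-RSA-SHA1` and `MIDlet-Certificate-1-<m>` are the MIDP 2.0 JAD attributes (not named on this page); the function names are hypothetical. It does not verify the RSA signature itself or whether the issuing root is installed on the target phone.

```python
import base64

def parse_jad(text):
    """Return the JAD's 'Name: value' attributes as a dict."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")   # values such as URLs may contain ':'
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)               # tbsCertificate SEQUENCE
    fields = []                                  # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                          # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_signed_jad(jad_text, jar_bytes):
    """List structural problems to fix before this JAD/JAR pair is delivered."""
    attrs, problems = parse_jad(jad_text), []
    if attrs.get("MIDlet-Jar-Size") != str(len(jar_bytes)):
        problems.append("MIDlet-Jar-Size does not match this build of the JAR")
    if "MIDlet-Jar-RSA-SHA1" not in attrs:
        problems.append("no MIDlet-Jar-RSA-SHA1 signature for this JAR")
    chain, m = [], 1                             # 1-1 is the signer, then its issuers in order
    while f"MIDlet-Certificate-1-{m}" in attrs:
        chain.append(base64.b64decode(attrs[f"MIDlet-Certificate-1-{m}"]))
        m += 1
    if not chain:
        problems.append("no MIDlet-Certificate-1-1 (signer certificate)")
    for i in range(len(chain) - 1):
        if issuer_and_subject(chain[i])[0] != issuer_and_subject(chain[i + 1])[1]:
            problems.append(f"certificate 1-{i + 1} is not issued by certificate 1-{i + 2}")
    return problems
```

Because the JAR is rebuilt for every user, the size and signature attributes have to be regenerated for every build; a JAD copied from an earlier build fails the first check as soon as the embedded txt file changes the JAR length.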
