SMS Text News reader Daniel emailed me asking for the help of the ultra techie audience here on the site. Do you know much about certificates and Java for mobile? Perhaps you might be able to help. Here’s his enquiry:
Please help me with this enquiry. I’ve got a Java mobile application that I’m trying to distribute over the internet but whenever the users are trying to install the application and use it, a message keeps on appearing saying the application hasn’t got a certificate.
Let me explain the process of downloading the application from the site. The users visit the site, complete the online registration form and by clicking on the download button, a txt file will be generated which will contain the user details, the JAR file which contains the application stored on the server gets extracted and recompiled again with the new txt file.
So whenever users try to activate the application on their phone, the information saved in the txt file will be retrieved to authenticate them. Basically, the help I need now is identifying which company I need to use to integrate the application with the security certificate, as the way the application is downloaded makes it a little bit complicated.
It’s definitely a complicated model that Daniel’s implemented. Any thoughts?
Hi
Unsigned Java applications are placed into what is known as third party untrusted.
There are 4 groups for security; all remove the particular nag Dan has a problem with except the first:
Third Party untrusted (basically an unsigned application)
Third Party Trusted (Verisign/ Java Verify)
Operator (Vodafone, T Mobile etc)
Manufacturer (Sony, Motorola etc)
Signing applications also allows access and/or removes the nags to protected APIs such as JSR 75, HTTP connection.
The big stumbling block here is you cannot be certain which certificates are on a given phone. The most common ones are the Java Verify programme’s (in the phone as UTi) and the Verisign certificate; however, for example, not all Motorolas will have the Verisign certificate. Most Sonys do, but if we take the Vodafone UK K800, this only has the Java Verify certificate.
Hope the above helps. Feel free to contact me if you wish further clarification.
Further to this point, as he is recompiling on the fly he is going to have to use a Verisign certificate as he needs to be able to self sign the application.
Kieran, I talked to Daniel and he’s away to talk to VeriSign — thanks for taking the time to answer!
Hi,
I’m also happy to help out on this if Daniel still needs a hand. I’ve done it before with Mobizines, compiling up MIDlets on a server with varying content inside them and then getting the server to sign them. Tricky bits are making sure you have the entire certificate chain inside the JAD file – linking your certificate to the Certificate Authority’s root certificate and (as Kieran says) making sure you only deliver the signed application to phones which have the root Certificate Authority’s certificate installed on them. For ‘trusted 3rd party’ we were using a Verisign Class 3 Code Signing certificate and found that only Sony Ericsson devices consistently had the root CA installed. Newer devices (last 1-2 years) from many manufacturers do have the certificate installed but it is a hassle testing each device and maintaining a list of which Nokias/LGs/Samsungs/… do have it and which don’t.
That is where Java Verified came in as they maintain a list on JavaVerified.com of which devices definitely have the JavaVerified root certificate on them, but then that is expensive and you can’t self-sign.
Kind regards
Rich
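The certificate-chain point in Rich's comment and Daniel's per-user JAR rebuild can be checked on the server before a download is served. The sketch below is an added example, not code from anyone in this thread: it lints the MIDP 2.0 signing attributes of a JAD (`MIDlet-Certificate-<n>-<m>`, `MIDlet-Jar-RSA-SHA1`, `MIDlet-Jar-Size`) against the JAR that was just rebuilt. It only checks structure and does not verify the signature cryptographically; the function names and the sample JAD are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: the blobs are placeholder bytes, not real certificates.
_FAKE_CERT = base64.b64encode(b"\x30\x82\x01\x0a" + b"\x00" * 16).decode()
_FAKE_SIG = base64.b64encode(b"\x01" * 128).decode()
SAMPLE_JAD = (
    "MIDlet-Name: Demo\n"
    "MIDlet-Jar-URL: demo.jar\n"
    "MIDlet-Jar-Size: 4\n"
    f"MIDlet-Certificate-1-1: {_FAKE_CERT}\n"
    f"MIDlet-Certificate-1-2: {_FAKE_CERT}\n"
    f"MIDlet-Jar-RSA-SHA1: {_FAKE_SIG}\n"
)

def _b64(value):
    """Decode strict base64; return None if the value is malformed."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def check_signed_jad(jad_text, jar_bytes):
    """Return a list of problems with the JAD signing attributes (empty = structurally sound)."""
    # JAD attributes are 'Name: value' lines; split on the first colon only.
    pairs = (line.partition(":") for line in jad_text.splitlines())
    attrs = {name.strip(): value.strip() for name, _, value in pairs}
    problems, chains = [], {}
    for name, value in attrs.items():
        m = re.fullmatch(r"MIDlet-Certificate-(\d+)-(\d+)", name)
        if m:
            chains.setdefault(int(m.group(1)), {})[int(m.group(2))] = value
    if not chains:
        problems.append("no MIDlet-Certificate-<n>-<m> attributes: JAD is unsigned")
    for n, certs in sorted(chains.items()):
        if sorted(certs) != list(range(1, len(certs) + 1)):
            problems.append(f"chain {n}: certificate indexes are not contiguous from 1")
        for idx, value in sorted(certs.items()):
            der = _b64(value)
            if not der or der[0] != 0x30:  # X.509 DER starts with a SEQUENCE tag
                problems.append(f"chain {n} cert {idx}: not base64-encoded DER")
    if not _b64(attrs.get("MIDlet-Jar-RSA-SHA1", "")):
        problems.append("MIDlet-Jar-RSA-SHA1 missing or not base64")
    if attrs.get("MIDlet-Jar-Size") != str(len(jar_bytes)):
        problems.append("MIDlet-Jar-Size does not match the JAR being served")
    return problems
```

Because the JAR changes for every registered user, the JAD has to be regenerated and re-signed per download; running a check like this on each generated pair catches a stale size or a dropped intermediate certificate before it reaches a handset.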
You should talk to Verisign.