In my application, I just want to upload some data on the server without interacting with the user.
How do I silently upload data on the server in J2ME without asking the user for Internet usage?
In order to upload silently, the user must approve at least once that it allows you to connect to the internet, as specified by the MIDP 2.0 Security Architecture.
First you have to sign your Midlet with a certificate from a Certificate Authority (commonly refered as CAs) as Verisign, Thawte, Java Verified, etc. You have to choose your CA depending on the devices you are targeting. The device will just recognize the CAs installed as root certificates. If it doesn't have the root certificate of the CA you chose, it will not be a secure third-party application. This is explained in simple steps in the Nokia Wiki
The second step is to set in your JAD file the next line
MIDlet-Permissions: javax.microedition.io.Connector.http
This will ask for http connections permission since it is installed.
In this way the user will just be noticed once, and will be allowed to set the permission permanently. Some devices will not allow a permanent permission if the application is not signed.
This is impossible. All the phones ask the user before letting an application use internet services.
One possibility could be signing the application somehow, but that would work on very few phones, if any.
If your application is signed by Java Verify or similar you will be able to let the user say they allow all future http connections, rather than having to authorise them all singularly.
Related
I have a .net WEB API publicly exposed and also a Xamarin Forms App which uses the API, the app needs to be extremely secure due to the data it manages.
I will create an HTTP Certificate for the WEB API.
The Xamarin Forms app will have a login/password to validate against a local Active Directory. via a /token endpoint, and using an Authorize attribute on all endpoints to assure that every HTTP call has the bearer token in it, I implemented that using this:
I based my implementation on this one:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Additionally the customer has asked us for Client Certificate Authentication, I dont understand how this totally works.
1. I need to add a certificate to the Xamarin Project, right? How do I Add it? How do I generate it?
2. In the Web API I need to validate each http call has the certificate attached.
I found this but not sure if it will work:
http://www.razibinrais.com/secure-web-api-with-client-certificate/
However when investigating this, I also found something about certificate pinning, which is basically security but the other way around, it means the Xamarin APP will validate if the server certificate is associated with the right server (or something like that), so there is no way of a MAN IN THE MIDDLE Attack.
I found how to implement it here:
https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin
Question is:
1. Do I need both ?
Something else that I should research for on this journey?
Certificate pinning and Client Certificate Authentication are 2 very different things. Certificate pinning makes sure your app is talking to the server it expects to talk to. It also prevents eavesdropping, which is known as a 'Man in the middle' attack. I just recently wrote an article about this on my blog.
Client Certificate Authentication works the other way around. It adds an extra layer of security so your server can be sure only clients that have the certificate can communicate successfully with it. However, since apps can be decompiled without a lot of effort, this client certificate can 'easily' be obtained by a malicious user. So this isn't a silver bullet.
From my experience, Client Certificate Authentication is often used in enterprise apps, when there is an Enterprise Mobility Management solution in place (eg. Mobile Iron or Microsoft Intune or others), where the EMM solution can push the certificates to the users device out of band.
Should you use both? That really depends on the requirements of your customer, since they mitigate 2 very different problems.
The Web API link you included looks like it should do the server job properly at first sight. This article also includes how to generate a client certificate with a Powershell command.
Generating a client side certificate:
Use the Powershell command in the article that you referenced in your question.
Otherwise, this gist might help you on your way.
Installation:
Add the certificate file to each platform specific project as a resource. This is usually done in the form of a .p12 file.
Usage:
That all depends on which HttpClient you are using.
If you use the provided Web API solution, you should add the certificate contents as a X-ARR-ClientCert header with each request.
In my scenario I have users who need to sign documents from an IIS served web application (ASP.NET MVC in my case).
I can assume my users all have the same type of SmartCard and the same type of certificate with the same proper middleware drivers (CSR) installed on their Windows PCs.
What is the actual architecture that I can use in this scenario to ask them to enter their certificate's PIN from the web page (but out of the sandbox I think) and use their private certificate to sign documents?
In the past I've used signed applets or signed ActiveX to interact with user's hardware and make appear, for example, the PIN request diaolg window invoked on the client's driver. Are these technologies actually viable or there is a more modern approach to this kind of issues?
I have created a small j2me app (for personal use) for sending text messages.This j2me app fetches the messages
from my HTTP server and then send them to the fetched mobile number.
Now the Problem is that it asks for permission every time it send messages,
and as far as i know , i need to sign my app for permanent permission.
I don't want to buy the certificate just for my personal use. So i decide to self-sign
my app.I followed this blog http://browndrf.blogspot.com/2006/06/build-and-install-singed-midlet.html
but unable to install .cer on my phone(Samsung GT-S5230).
I don't know if there is any eclipse plugin available for this.
Is there any other easy way to self-sign the j2me app.
Don't go with self-signing for Java ME applications. Its not worth for MIDlet signing and also its not working most of the devices. So better option is buy it from some third party providers.
Our (internally distributed) iOS app relies on iOS 4.2's encryption to secure sensitive data.
However, that only works satisfactory if the user is using a good system-wide password.
I understand that this can be enforced by installing a configuration profile on those iOS devices by configuring the rules for a password.
Since the installation of this profile is optional to our users, how can we make sure our app only works if a certain profile is installed, or alternatively, if certain password regulations are met?
(We are not concerned with jailbreaks and related cracks to our software, so the ability to test for a config profile or other criteria inside our own code would be sufficient.)
What you can do, is create a (self-signed) SSL Certificate and add your signing authority to the configuration profile. Then, from within your app you can attempt to verify the certificate. The verification will only work if you trust the signing authority, which only happens if you have configuration profile has been installed.
You can read more about the process here if you wish:
http://blog.slaunchaman.com/2011/12/01/enforcing-ios-security-settings-in-third-party-applications/
Note: This may not be acceptable for submission to the App Store.
Looking for some advice about the use of client certs to retro-fit access control to an existing app.
Our company has an existing intranet app (classic ASP/IIS) which we licence to others. Up till now it's been hosted within each organisation that used it and the security consisted of "if you're able to access the intranet you're able the access the application".
I'm now looking for a way to host this app externally so that other organisations who don't wish to host it themselves can use it (each new client would have their own installation).
All user in the new organisation would have a client cert so what I'd like to do is use the 'Require Client Certificate' stuff in IIS. It allows you to say "if Organisation=BigClientX then pretend they're local userY".
What I would prefer is something that says "if Organisation=BigClientX then let them access resources in virtualdirectoryZ otherwise ignore them".
I would be very happy to buy an addon (perhaps an ISAPI filter ?) which would do this for me if that was the best approach. Any advice / war stories would be welcomed.
You likely want to do this. client certs are really intended for a second factor of authentication, but not the primary source. To say it differently, you still need to configure your app for basic or forms authentication.
The technology behind public/private keys is rock solid. However, you need a very mature IT organization who is dealing with certificate lifecycle management. If you do not have this, you will get untold failure scenarios because the certificate was expired, wasn't copied to the new computer, etc.
This is especially true in your scenario where your application is internet facing (in thee 'hosted' scenario) - you have little control about the issuance of the certificates to your users.
I've done something similar...
Generate the certificates internally from your org's domain controller. Export them both as PFX format for distribution, and CER format for you to import in IIS.
Distribute the PFX format exports along with the CA certificate for your DC, so your customers machines will "trust" your CA.
Now in the app properties IIS, go to the Directory Security tab, and under "Secure Communications" click "Edit". In there, click "Accept client certificates", "Enable Client Certificate Mapping", then "Edit".
Under the 1-to-1 tab, click "Add" and import the CER file. Enter the account you'd like to map this certificate to.
As for the "let them access resources" I'd advise doing that by the user account they're mapped through - that is, you can provide access to resources based on that account either through NTFS permissions, or through code by identifying the security context of the logged-in user.