j2me MIDP: detecting if phone has a data plan - java-me

Is there a way to determine what kind of data plan a device has so an app provides a less rich experience if a data plan is not available? I imagine the connector factory would still be able to return me an HTTPConnection but it would cost the user serious money for lots of data, and I'd like to be nice and prevent that.
I thought there would be a way to query device capabilities in the MIDP API, but maybe it's in CLDC?

Since you mention it in your comments, you can probably make a Symbian OS C++ application that only connects via a specific set Wi-Fi access points (and just stay offline if none of these are available) but I can't think of a way to figure out the current user data plan or whether a given Wi-fi network is free.None of that is available in J2ME, at least not until something like JSR 307 is implemented.
You might want to look into how the Nokia IAPInfo API behaves on actual phones (including Sony-Ericsson and Samsung Series60 phones, potentially) since it is the closest thing to what you want.

No there is no way to do this.

As far as I know there is no way to do this. To address this precise issue, on first download we provide a big bold letter warning saying our apps require data plan. You can do something similar.
Or you can provide an option on first download for the user to say whether he has a data plan or not, and provide a degraded user experience if he doesnt. Dont forget to keep this as an option in application settings and allow the user to enable data services later, as he/she may get a data plan and want to use your app.

Related

Linux Desktop User Agent Regular Expression?

Does anyone know a good catch-all for Linux user agents? I have a scenario where I need to block Google Tag Manager tags from firing for Linux users. The goal is to prevent Linux data from reaching Google Analytics. I don't want to impact Android users. I expect I could do something where I match on Linux while doing a negative lookahead for Android, but I'm not sure if I will be missing some scenarios. Any recommendations?
No need to limit yourself to a trigger based on a built-in variable. In this case, you want to actually have a CJS variable that would take into account not just the useragent, but the viewport too to make sure mobile resolutions would be exceptions from any useragent-based logic you have.
And since we're on JS level now, no need to try and fit all logic in one regex.
As a precaution, you can build a user-agent report in GA comparing a time period before your change to the time period after your change. GA will graciously highlight losers so you'll see what adjustments to your logic are to be had.

Prevent from screen recording

I am working on an educational e-commercial website .. In which the user need to authenticate and then the videos on particular topics will be available.. so how can I prevent my video to be screen-recorded...
Different OS's and applications support different mechanisms to try to tackle this - for example:
Microsoft Edge on Windows 10 uses integrated 'Protected Media Path' for encrypted content which will stop simple screenshots working
Website and web app developers may use a number of CCS 'tricks' to achieve a similar affect, although these can usually be workaround with standard web developer and debug tools.
Mobile video typically uses protected memory for encrypted content which will usually give a black screen on capture.
As mentioned in comments and other answers these are all 'barriers' but they don't make it impossible to copy the content - the best example being pointing a camera at the screen a copying that way.
The idea is generally to make it hard enough compared to the value of the content so that people are not prepared to invest the time to work around your barriers.
It is not possible, for a variety of reasons:
There is no Web API for that.
Even if there was, it would be possible to reverse engineer the browser/OS to allow for screen recording.
Even if, for some reason, you couldn't access and modify the software running on the computer, you could connect the computer to a capture card instead of your monitor.
And if you also couldn't do that, you could just point a camera at the screen and start recording.

Google Glass First App Security

We are creating our first google glass app and I had some security questions that came up that I can't seem to find a definitive answer to on the web. They are as follows:
What apps are available for us to be able to wipe the glass (factory reset) remotely if they are ever misplaced or lost?
Is there an app or a way to automatically wipe the glass maybe at a certain time everyday of the data that is one them?
When we do a factory reset, is the data securely wiped from the device? Or like a PC is the data still there for possible usage if the device memory is hacked into directly?
If we pass data over the network, is it passed using some sort of encryption currently? Or do we have to take this into account when developing our app?
Is there a way to allow multiple people to use the device without having to wipe the device and setup with another account? The only way we were able to login using 2 different accounts was for the first person to factory reset it and allow the next person to login using their account. What we were envisioning was a way for the device to securely authenticate and allow multiple users to use it differently somehow without having to reset it.
The only current way to lock the device that I found is to create the swipe/tap pattern that is included. Are there any apps that allow for a more secure type of login?
If anyone can help on any of the questions, that would help out a lot.
Thanks!
The MyGlass webapp and mobile app allow you to do a remote device reset. From the mobile app, you can go to Settings while the webapp does it from the MyGlass -> Device Info page.
There is no way to do an automatic reset every day that I'm aware of. What are you trying to do here? Just reset it to a known state every day for development?
At this time, you probably can't count on it being a secure reset.
This is a pretty vague question. Google hasn't provided details on the sharing protocol, but it is a safe bet that this is done using SSL on some level. From their servers to yours using the Mirror API must be done using HTTPS. Of course, if you're doing the network data passing yourself, then it's up to you.
No, this isn't possible at this time. Glass is a very personal device. More so than phones, and most phones don't have a profile feature!
I'm not aware of any, but I'm not sure how much more secure you can get and still be usable. Can you elaborate on what you're envisioning?

Creating a simple mobile agent system

I am looking to create a simple mobile agent system which will deal with 4 tasks, i.e 4 different mobile agents jobs: Database update, meeting scheduling, network services discovery and kernel update.
I have done my research and have seen different frameworks such as Aglet, Jade, agent builder etc. My question is which one should i use? Also i need to setup the base code for it to work, can someone point me to a site or help me to setup the basic functions of the mobile agent?
I've read about tahiti server for the Aglet model. I'm quite confused about how to set up the mobile agent system. Any help would be much appreciated.
I have also tried to it using RMI. I had created a method of type agent, but i couldn't pass it through remote method implementation. I was reading about tcp and udp socket programming. I was thinking may be it would be more fair to do it using socket programming. In this case, would this be called an agent? I was thinking about the server sending datagram packets to multiple clients.
You need to ask yourself why you want to use mobile agents at all. The notion of a mobile agent was popular in the agent research community in the early 90's, but fell out of favour because (i) it wasn't clear what problem it was solving, (ii) the capability to allow arbitrary code to migrate to a particular computer and execute with enough privileges to access local data and services is very open to abuse, and (iii) all of the claimed benefits of mobile agents can actually be achieved though web services (REST or otherwise) and open data formats such as RDF. Consequently, few, if any, mobile agent platforms have been properly maintained since the early experiments.
It also sounds as though you need to be clear which end-user problem you want to solve. Scheduling a meeting and updating my kernel are very different tasks - I'd be very uncomfortable with a program that claims do both. If your interest is in the automation of system maintenance tasks, such as DB tuning and kernel patching, on large networks you might want to look at the SmartFrog project, or read up on autonomic computing.
I use JADE and I agree with the first guy, agent systems usually take alot of overhead to going so if you can avoid it, please do. If however you choose to proceed choose a platform with alot of support and a big user group.
Jade has some neat features like a directory facilitator DF, which works like a yellow pages so other agents don't have to know what agents are running and what services are supplied they can simply inquire by the DF.
Also JADE ContractNetBehaviours help simplify communication.

what is the simplest protocol to securely tether a hardware device to a network?

After the Sony PSN debacle, I am trying to find examples of secure hardware tethering to a network. There are two use cases in particular:
1- computer downloads a piece of software that then uniquely and securely labels it to a cloud service
2- a hardware manufacturer uniquely labels a hardware device that then negotiates membership on the network.
Given the fact that the hardware device might have to change (revoke or service enhancements) it feels like #2 becomes #1.
The broad outline is this:
- connect to the service via HTTPS to protect against man in the middle
- device generates a GUID and presents it via HTTPS to service
- service records GUID against account
- on success, service 'enables' device
But how do you protect the GUID so that it cannot be stolen?
I just wanted to comment here:
Sony's PSN issues started with horrible practices with regards to their QA environment.
First, they defaulted to trusting anything that was sent to those servers using their developers toolkit. The reason they did this was that the dev kit used to cost upwards of $10k US and therefore they thought anyone who paid that amount would be on the up and up. However, when they radically lowered the price things changed externally and they didn't account for it.
The second issue with PSN was that the security between QA and live was, well, weak at best and easily circumvented. My understanding is that you could send commands to live using QA credentials. Because QA credentials were used, all chargeable actions were approved without money changing hands and the actions were applied to live accounts. When several people told Sony about this they did nothing.
A third issue was a reliance on hardware based encryption keys. Even hardware encryption keys installed on the devices can be figured out.
Point is, Sony dug their own grave on it so I wouldn't use anything they did as a template for how to do things. Heck, a lot of their websites were open to SQL injection which in today's day and age should get you fired.
Another example here is the iPhone. Each iPhone has a unique identifier that installed apps can grab and send back across the network; similar to a serial number. Some apps use this ID to try and tie a particular device to a person. However, it's trivial to create ID's and broadcast them, so this hasn't worked out so well for the partners. Also Apple does not expose a way to ensure a given ID (UUID) is valid to app producers.
A third example is mobile phone carriers. They use a particular ID baked into your SIM card to identify your account in order to know who to bill when a call is made. This ID is verified whenever the phone checks in with the network. However, we're dealing with radio signals and any device that can broadcast a correct ID can gain access. Point is, honest people think that only AT&T approved devices can get on an AT&T network. Reality is, anything can but they are going to bill the owner of the particular ID...
That said, any software you have running on a remote device that is not under your direct control is likely to be hacked. The popularity of the device will increase the likelihood of it happening sooner rather than later.
Where do we go from here?
On a basic level you associate an ID with an account in your service. PSN, Apple and others have done this. When an ID is broadcast, you need to verify that it exists AND that it's tied to an active account. If both pass then you have two options: either perform the action requested OR request additional verification.
For any actions that require money to be spent, do the additional verification (usually some form of username/password), capture the funds, then perform the action. Go one step further and every time a bad login is entered, send an email to the user on file. Further, automatically send a receipt. These are typically done so that your honest users can tell when something is going on.
Anything else just let through.
Bearing in mind, of course, that QA credentials should NOT work in your Live environment. Those systems should not be tied to each other under any condition and, quite frankly, should even live on separate hardware. In other words, QA and Live should NOT share a login database.
The thing here is that you shouldn't care about the device itself; just the account. You can't control the device as it's out of your hands; heck you can't even be sure it hasn't been physically tampered with. (XBox has been fighting this one with people adding resistors or burning out certain components to get past physical security features).
So, IMHO, do a bit to keep honest people honest but overall don't worry about it. Now, you should transfer everything via SSL or someother encrypted connection between the device and your cloud so that you don't leak ID's to anyone that wants to grab them. This will help protect those honest people.
Further, you shouldn't have a direct way to query whether an ID is valid or not from the outside. This will make it a bit more difficult for a hacker to find existing valid IDs and take over accounts. If you want to get fancy you could honey pot those and track the hackers down in order to sue them into oblivion, but that takes time and resources companies don't normally have. Also you could log all of the requests that contained bad IDs and use that to track hackers down.
Note that even after the device has been "enabled" I still suggest you have two levels of authentication. The first is for simple actions like downloading free content; the second kicks in anytime there is a fee associated. Again, we're trying to protect your honest subscribers.
For the dishonest ones you will have to apply some statistical analysis on the transactions coming across. Things like the transaction rate can help identify bots that are running and allow you to kill their IDs. There are others but they'll be unique to your application.
This was long winded. But my point is:
You can't secure the ID or anything else you pass out.
You can't ensure the requests are coming from your devices or your own approved devices.
You better take actions to keep QA and production separate for those building software for these devices using your services.
You better take actions to protect your normal honest users.
Trust NOTHING.
Due to the above you should evaluate your business model so that you don't care what device was used and instead focus on the individual accounts themselves; which you do have control over.
I am not sure I entirely understand the question, but I think you want some sort of device to hold on to a GUID assigned to it by a web service, and you don't want someone finding out what that GUID is, correct?
If so, there isn't a lot you can do. You have already mentioned one option... using HTTPS during the assigning of the ID. That is a good start, but remember that anyone who has physical access to the device can do a lot of things to look up this ID.
In short, it is impossible to completely hide. Someone can always reverse engineer it. There are folks out there reading data right out of memory with hardware.

Resources