Feeds

Mobile phone Java risks ‘minimal’

There's a relief

  • alert
  • submit to reddit

Top three mobile application threats

Is wireless Java at risk from malicious code attack? The answer appears to be no - for vanilla Java 2 Micro Edition (Java 2 ME). But vendors' proprietary extensions are more problematic, according to Markus Schmall, of T-Mobile. He recently conducted a study of the security of Java 2 ME, using tests on a Siemens SL45 phone.

Java 2 ME is defined so that cross-loader functions are limited, maths functions are restricted and no file access is possible. This greatly limits the scope and number of attacks possible on mobile devices running Java 2 ME.

Schmall considered a number of actions which malicious code might take: accessing storage media, accessing internal memory, initiating Web connections and interfering with installed applications.

Although it was possible to freeze mobile phones with maliciously-constructed SMS messages and the like, its not possible for malicious code to replicate. Header manipulation vulnerabilities that lead to 'freezer' SMS exploits are due to problems with mobile phone firmware - not Java, Schmall concludes.

The few Java viruses extant (Strange Brew and Bean Hive) do not pose any risk for Java phones, he found. Strange Brew fails to replicate consistently, even on a PC, and Bean Hive relies on class loader functionality not used in Java 2 ME.

Schmall's tests apply only to Siemens phones. Separate work is needed to verify other mobile phones are secure. "J2ME on its own is relatively secure but you have to take care of proprietary extensions," he says.

So there's no particular cause for concern just yet, but Schmall said that the evolution of Java to MIDP 2.0 (which brings access to file systems and phone books to mobile Java) posing possible risks for the security of Blackberry devices. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.