Permissions, certificates, and devices' questions

Joined: 2008-07-04

Hello everyone on this nice forum,

I'm as yet a small developer and I'm finishing a pretty big J2ME application targeted at 'any phone that can handle it' ;) - basically any MIDP2 mobile phone. The app is free and will be accompanying a website, actually being the strongest unique point of the website.

The app uses extensively and requires:
- HTTP connections
It uses, and is happy when a mobile phone supports:
- JSR-135 - taking pictures with the camera
- JSR-75 - File Connection, browsing directories and reading files
- JSR-205 - WMA 2.0 and sending MMSes.

Now, obviously, mobile phones ask a lot of questions when performing any of the above operations. I don't even know who to blame for it (I believe it is up to the user to run any program they want), nor do I have time for such blaming.

Question: What is the best way to go around it?
- wrap those questions with an alert saying 'when your mobile phone asks you... say yes' etc. - this is the way I'm doing it now, I'll admit
- get / buy a certificate like Verisign, Thawte
- get Java Verified (I have to admit that the prices there just scare me off)
Again, I'm not targeting my app at any particular mobile phone, just any phone. And the mobile networks here seem not to be too restrictive, as far as I know.

I'd be happy if this started a brainstorm of ideas ;)
I've browsed the forum, and Internet about these issues, but there seems to be confusion and frustration. Let's be constructive.
thank you for any replies.

Joined: 2008-07-04

Thanks everyone. Now, this is what I call a well answered thread. ;)

(Anyway if anyone wants to add anything, please do.)

Joined: 2003-06-15

The operator is who sets the defaults on what gets the warning messages, and they also are the only ones that can sign an app to avoid those messages (or they can provide a 3rd party the ability to sign it). You can ask the user to select options for your app and set them to "approve and never ask" but this is not available on all phones.

Since the Mobile Developer Alliance has not gone beyond an idea that seems to have died, there is really no pushback on the operators to change this, nor is Sun doing anything to help with this issue. However, these messages are mostly for the safety of the phone user, so I think your first option may make the most sense, and will certainly be the most cost effective.

We can only hope that Android rectifies this issue of needing costly signing certs, much like Apple and RIM have already done.

Best of luck

Joined: 2008-07-04

Thanks Shawn. I've been thinking..
Will signing my app with Verisign increase the number of possible options for the user to set - i.e. 'Don't ask' and 'Ask once'? I've noticed that some of the options do not exist or are greyed-out when running my unsigned MIDlet.

I know that not all certificates are present in the 'root' of the device but I believe the more options for the user the better. There can be a signed and unsigned version of the MIDlet available.

I'll also talk to the operators here and see what they say. Not that I necessarily expect much but anyway I'll do it.

Joined: 2004-03-04


To expand on what Shawn said:

I think the most effective is to follow multiple approaches.

1. Many modern phones allow the user to customize security settings for a particular application. It's not very user friendly and you need to provide instructions but it is the best option in terms of functionality and cost (for you). Signing the application in this case typically adds the option of "never ask" in addition to "ask once" ... so this might be desirable depending on your situation.

2. Signing with Thawte or Verisign may not buy you a whole lot since many phones don't recognize applications signed that way as being the "3rd party trusted domain". The UTI cert by Java Verified has much more reach as it is currently in over 300 phone models. But I agree, the Java Verified cost model is not ideal - however, you may want to check with them as I believe they are making changes to the program.

How do we get this fixed? The problem is that what is happening in this space is that some (not all) device manufacturers and operators are using security mechanisms to impose business models on developers. So it's a business problem, not a technical issue. And these are harder to solve - especially in a consistent manner across the industry.

As Shawn mentions there is the idea of a non-profit Developer Alliance that could create some pressure on the industry to address some of these problems. But the devil is in the details and the Developer Alliance has not taken off just yet.

Sun is also involved in working a number of these issues behind the scenes - as announced at JavaOne and you should hear more over the coming months. But due to the nature of the problem don't expect quick and easy fixes ... ;-(

-- Terrence

Joined: 2005-01-11

Hi yarmobile,

We hosted some signed applications (Verisign certificate) for a while but in the end decided it wasn't worth the effort.

Most of the SonyEricssons and Nokias we tried included the root certificate, but not the Motorolas or the other handsets we tested.

Quite often we found that even though the app was signed, the user still had to manually configure the phone not to ask questions after install, and most users had no clue about this and continued to answer the questions anyway.

Also quite a few users did not set their handset date since the last time they removed the battery so the date defaulted back to Jan 1st 2001 say and the certificate looked invalid as the date was out of range (this was in about 2005). We tried but couldn't get post dated Verisign certificates.

The last nail in the coffin, though, was the ungraceful way most phones failed: if there was no root certificate or some other problem, the user would just get a message saying "Fail" during install.

Nowadays we just don't bother with the signing process, happily some handsets are starting to deal with things slightly more sensibly, the Nokia 6300 - lovely phone :) only asks about HTTP access once and then remembers the response during the session unlike the Motorola KRZR which asks the same question every 5 seconds like some demented toy.

For the KRZR and others like it we do try to minimize the number of requests, for example if we need to download 5 images, we'll squeeze the data into one request and extract the images on the handset from the binary data.

Hope this helps, good luck with it
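
The request batching described in the last post (several images squeezed into one HTTP response and split apart on the handset), as an added example that is not part of the original thread or the poster's code. The container layout, the class name `ImageBundle` and the two size limits are assumptions; only `java.io` stream classes are used.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class ImageBundle {
    // Assumed limits; tune them to the heap of the target handsets.
    static final int MAX_ITEMS = 16;
    static final int MAX_ITEM_BYTES = 64 * 1024;

    // Server side: [count:int][len:int][bytes]... in network byte order.
    static byte[] pack(byte[][] items) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(items.length);
        for (int i = 0; i < items.length; i++) {
            out.writeInt(items[i].length);
            out.write(items[i]);
        }
        out.flush();
        return buf.toByteArray();
    }

    // Handset side: validate every count and length before allocating.
    static byte[][] unpack(byte[] body) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(body));
        int count = in.readInt();
        if (count < 0 || count > MAX_ITEMS) throw new IOException("bad item count");
        byte[][] items = new byte[count][];
        for (int i = 0; i < count; i++) {
            int len = in.readInt();
            if (len < 0 || len > MAX_ITEM_BYTES) throw new IOException("bad item length");
            items[i] = new byte[len];
            in.readFully(items[i]); // throws EOFException on a truncated body
        }
        if (in.read() != -1) throw new IOException("trailing bytes");
        return items;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data standing in for five image files.
        byte[][] images = new byte[5][];
        for (int i = 0; i < 5; i++) images[i] = ("img" + i).getBytes();
        byte[][] back = unpack(pack(images));
        System.out.println(back.length + " items, first = " + new String(back[0]));
    }
}
```

On a MIDP handset the body would be read from the single HTTP response, so the user sees one network prompt instead of five. The length checks matter because the response is untrusted input on a device with very little heap.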