Regarding “Long live the iPhone!”

By all means, but you can’t access anything in the phone via web applications like you can via MIDP, Symbian etc.

I’ve tried to strike a middle ground: I develop mobile applications (not games) but I don’t certify. Instead I try to avoid the most warning-intensive functions, like file access etc. E.g. it’s possible to make an application that accesses the Location API with only one warning during start and then none. Same with camera etc.

I wrote a similar post a few months ago:

http://www.spenceruresk.com/2007/05/26/the-hidden-problem-with-j2me/

I agree completely - signing is basically killing hobbyist and open source development the way carriers currently use it. This is unfortunate because there are so many cool things you can do with J2ME in theory.

I don’t see why you are cheering for the iPhone though - it locks out all development basically, and they are being exclusively offered through AT & T, who is one of the operators using signing to keep small players out of mobile app development.

Thanks for your comment Anders!

I’m aware that the iPhone suffers from hardware problems… I was meaning this as “I hope Apple cut into the pockets of the people who did this to us” rather than “the iPhone is a wonderful development environment”. I certainly don’t think the iPhone is a good mobile development environment

Good point about the camera phone… but I’m afraid the location API is not as forgiving. If you check the Motorola specs you’ll see that MMAPI (camera phone) requires user permission, but Location API requires a signed MIDlet and permission.

It’s also very annoying that user permission is not persistent across sessions… but that’s another rant for another day.

I’ve tested on Nokia and Sony Ericsson phones and Location API only gives off one warning the way I use it, and after that it’s smooth sailing, even though I read out coordinates constantly, so the Motorola behavior is not universal.

Thanks Anders… that’s interesting to note and also more proof that the security policy destroys any hope of device homogeneity that J2ME gave us.

I agree that when the midlet is signed (no matter by who) it should stop the prompts. Users should assume the risk if any.

The sentiments are absolutely spot on, though you have rewritten history a fair amount to improve the narrative flow Saves me the trouble of writing a similar post, I gave up on code signing when I first tried it 3 years ago as it was immediately clear that it was a nice idea that had been destroyed by the greed of operators and some manufacturers (Moto are bad, others are better).

It’s worth noting that not every API you mention requires code signing to work - WMA works without on pretty much every device. The user does get asked for permission before doing things like sending an SMS, but that is a sensible security requirement IMHO.

Hi,

I have a J2ME application, also I have got a certificate from Thawte, but when I run the application on certiain Nokia devices, it prompts me for certian permission. Can you explain me what can be the exact reason behind this.

Suryavardhan Agrawal, I think you just proved my point.

Situation is quite similar in Symbian with native applications: http://www.ivankuznetsov.com/2007/08/symbian-os-platform-security-good-or-evil.html Certification was a nice idea, but as they say the road to hell is paved with good intentions.

Surely its obvious that the future of software / application development is in mobile devices.. and then doesnt it make sense to feed the need by creating easy paths from concept to market. The only way that this kind of developement can thrive is for security levels to be REDUCED (exactly as they are on the PC) and allow the user a choice whether to trust a piece of software or not (potentially signing could be a criteria .. but in a more productive way). We are currently developing software that requires extensive use of jsr-75 (file api) .. you can imagine the absolute stupidity of 2 questions for every read / write operation .. my word .. LETS MOVE FORWARD.

What I really ‘love’ about signing J2ME apps is that the certificate is only valid from the date you bought it (not valid for the past). So _even_ if we manage to get past all the problems mentioned _and_ we’re willing to accept that the user is still going to be bugged by a certain amount of security questions, if the user didn’t set the date on their handset (not that unusual, people generally use their handset for the time only) and it defaulted to something like 1st Jan 2002, the certificate will not be valid and the user gets a nice friendly “install failed” message which makes us look great! (I asked verisign once to sell me a certificate that was back dated by 10 years but they couldn’t do it.)

I never realized how bad it was, given that I only develop for the BlackBerry. On the BlackBerry, you basically have signed and unsigned APIs. (and can do quite a bit with the unsigned APIs) To use the signed APIs, you just have to fork out $100/year to RIM, that’s it. I thought it was annoying, but now I realize that I should be grateful for it.

Yes, I do write an open-source non-game application for the BlackBerry. I’ve been doing everything and anything to avoid a signing requirement, simply because of the implications it would have for an open-source project. I know I’ll have to bite the bullet eventually, though.

“Java Verified Program” Is realy bad, you can’t get certifcation before test and you can not do real test on many devices without certificate. Some phone manuafactures doesn’t let you to import your certifcate to thier device.

I think is time to open source community find a way to issue developer certificate free or with a low price.bore J2ME died.

It really is that bad. If you want to read some first hand J2ME experiences and tips, see http://www.j2mesecrets.com where I tell the whole sorry story.

Axiom:

Those who have the authority to make J2ME a very exciting and cutting edge platform have behaved like a bunch of useless and intellectually deficient muppets. The result is much J2ME innovation and open source contribution has been totally killed through a combination of human stupidity and greed of opportunistic companies charging to verify and sign applications.

Does anyone from the J2ME standards committee or companies that charge extortionate fees for testing and signing J2ME applications have anything to say about this Axiom?

We want to know!

J2ME, in my opinion, is going to die over the next few years. It might have an enormous market share but the cost structure is too high due to : porting costs, testing costs, signing costs, and the need to hire someone full-time to pander to the carriers. BREW is messed up because it still has high porting and testing costs (not as bad as J2ME but still bad). Plus the way Qualcomm has set up the business model makes it very difficult.

Windows Mobile, Symbian, Android, and potentially the new iPhone SDK are much easier to develop for because:

• they are easier to port to multiple devices of the same OS
• provide far more hooks into the native OS and other applications, allowing for more compelling applications.
• having easier signing requirements
• Allow for clean upgrades of a binary for version updates/bug fixes.

FlashLite, unfortunately, seems to be far behind in what it can offer.

Man I don’t know how the mobile development world got so ugly. I hate to say it but I wish it was like the PC world where you just have to create Windows and OS X, and perhaps a Linux version — and you’re done.

Why should you have to have a certificate on a phone, but not on a PC?

Hello Sam,

Several comments:

• first, glad that you like MIDP2.0 Game API, as I was higly involved on it in my previous job (In-Fusio/CTO, where In-Fusio “donated” his Game API to the Java community

• concerning security: it’s even worst now with Symbian 9.0, where you CANNOT deploy any app without being signed! In this regard, MIDP security model is like a dream! This require end user to sign himself, on the web, with his IMEI…Who will do this?

• let’s hope that androids will drive things in the right direction. Not because this a new platform, so more fragmentation, but because JavaAPP are first class cityzen. So let’s hope that security model will be much more open and useful.

Last thing, I’ve been here through the OpenLAPI library, I’ll take a look at it, to eventually replace the code produced with my app, 8Motions ( http://www.8motions.com ).

One idea, use CellID as a location provider: http://www.opencellid.org

@Tomsoft thanks for your comment!

CellID is certainly something I’ve looked at quite a bit. Problem is that you can’t get the CellID on anything other than old Motorolas and Sony Ericsson. Motorola allow this iff your MIDlet is signed by Motorola (UTI isn’t even enough!).

I’ve also even investigated getting the CellID from the CBS headers, but J2ME strips them out! I was actually only able to find 2 CBS channels in the UK anyway, and both were on Vodafone networks… so that killed that idea.

Even then, you still need a reverse lookup database on the device or over the network. In the UK there has been some legal action prompting Ofcom (the industry regulator) to open up its database. This was recently appealed, but the appeal was crushed. Most of the network providers have since retracted donating their databases to Ofcom. There are community projects to map the CellID terrain.

I believe that you, like many people in the community, are exaggerating. 1. Does a question about a permission here or there really stops an end user from using an application? 2. You can make it less painful if you let the user know that they will be asked for a permission and that they are supposed to say ‘Yes’. 3. You can make as many alternatives as possible. I.e. let them use FileConnection JSR-75 to access a file, BUT still make it possible to access the file from outside the application.

/Yar @ YarMobile