All Permissions Should Be User Assignable

[SteveW]

I think all permissions for Midlets need to be user assignable, i.e. the user should have the authority to decide whether or not an untrusted Midlet has 'always allow' permission for each and every activity.

It's very frustrating to be able to write your own apps for your own phone and not be able to give them permission to run unhindered by irritating dialogues without involving some third party.

This situation also makes Android a more attractive platform if you're making a bespoke apps for a companies own internal use.

[r2j7]

Hello SteveW,

are you referring to Java ME in general or Nokia devices which support Java ME in particular?

From Nokia devices' perspective, all the latest Series 40 (since Series 40 6th Edition, FP1) and Symbian (since S60 3rd Edition, FP2) devices support end-user interaction for configuring the security settings of 3rd party signed Java ME applications during application runtime (including setting 'Always allowed' for most of the permissions). Furthermore, the Nokia devices include optimized Nokia security policy for unsigned Java ME applications which effectively means significantly reduced number of security prompts per an interaction for most function groups as by default. More about the Nokia security policy on Java Developer's Library:

Java Developer's Library 3.11 > Developer's guides > Security > MIDP security > Appendix A: Supported Security policies > Nokia security policy

http://library.developer.nokia.com/i...EBE86A60D.html


In addition, the latest Symbian devices allow setting the 'Always allowed' during application's installation. More on Java Developer's Library online:

Java Developer's Library 3.11 > Developer's guides > Security > MIDP security > MIDP application security in Nokia devices > Installation time security

http://library.developer.nokia.com/i...F21D905D9.html

Regards,
r2j7

[SteveW]

Hello r2j7, thanks for your reply

are you referring to Java ME in general or Nokia devices which support Java ME in particular?

Well I'd prefer it if it were standard J2ME behaviour but I'd really like to see NOKIA implement it even if it's not.

Java Developer's Library 3.11 > Developer's guides > Security > MIDP security > Appendix A: Supported Security policies > Nokia security policy

http://library.developer.nokia.com/i...EBE86A60D.html

Thank you for this link, the point I was making is that the 'Always allowed' option should be user assignable for every 'Function group' even if the midlet is in the 'Unidentified third party domain'.

So long as the user has to make a conscious decision to assign those permissions I don't see a reason not to offer this option. Java is managed so there shouldn't be any risk to the functioning of the device, the only risk is the users and it is the user who is assigning the permission.

In my opinion removing this restriction of what the user can do with their own device would increase the appeal of Series 40.

[r2j7]

SteveW, thank you for the clarification, much appreciated.

In addition to this discussion board thread, for the suggested security policy enhancements you might also want to use the Nokia Developer tool online for submitting feature requests: http://www.developer.nokia.com/bugs/...ture%20Request

Regards,
r2j7

[hartti]

No answers, just some additional comments :-(

First off, Java ME specification does not allow that, so the specification would need some revising. That change would need to trickle down to the devices (after the change has been done) and that that would take some time. And that would not change how the old phones would operate (some would possibly get the fix through a firmware update...).
Secondly, some Nokia and other manufacturers' phones are sold through operators which are limiting the MIDlet's capabilities even more than what the Java ME specification defines (AT&T, T-Mobile, Sprint, etc..) - so changing all the above would not change the behavior on all Nokia phones..

My personal opinion follows: The security policy has been an issue for more than 5 years now. I do not see any major change to happen for it now or later.

Hartti

[SteveW]

Hello hartti

My personal opinion follows: The security policy has been an issue for more than 5 years now. I do not see any major change to happen for it now or later.

I tend to think you're right hartti, I don't have much optimism for a change actually happening.

Beyond being a nice mobile I could see the new Asha 303 being quite a useful piece of hardware for companies or home automation enthusiasts. Having a qwerty keyboard, touchscreen, WiFi and TCP sockets on an affordable, easily programmable device that you can put in your pocket has some real potential - but those irritating dialogues :¬(

Oh well