Location API security limitations?

[jkirma]

Documentation regarding the security policy applied to Location API (JSR 179) is pretty vague. If I want to run a location tracking application, is it feasible with unsigned midlets, that is, can permissions be granted for whole session at runtime? What if GPS device goes offline/out of range during tracking and reappears later? And how this compares with third party signed midlets?

(It's interesting to note that user can permit midlet to always use Bluetooth, which is more awkward but essentially the same service when we're talking about GPS-based location tracking... quick look at some of the phone manuals suggested that there's no separate security setting for the location API on phones that support the API.)

[hartti]

According to the spec (JSR-118 addendum), you can change the settings for location API use to "session" also for unsigned midlets. The default is "ask always".
For signed the default settings is "session" and also "blanket" should be available (for the user to change).

Hartti

[jkirma]

Java application settings (for instance, on E70 documentation) don't mention anything about changing permissions for Location API access. Other examples and documentation on the Nokia site don't elaborate it either, nor the JSRs specify explicit policies, just that the JSR-118 security framework should be applied. This is the actual issue I'm pondering - I guess I have to get a real device, test it, and hope that the API works consistently on both S60 and Series 40.