Record store vulnerability in Series 40 (Known Issue)
Overview
In Series 40 devices using MIDP 2.0, files stored in the Record Management System (RMS) can be accessed with external tools, for example from a PC.
Description
In MIDP 2.0, RMS record stores were designed to be robust and secure from a MIDlet-to-MIDlet perspective. The authorization mode of a record store determines whether other MIDlet suites have access to it.
However, this security design does not make RMS record stores safe against other forms of external access. RMS uses a file store and was not designed to be secure against tools that can be used from a PC to access the files containing sensitive data, such as DRM keys.
Solution
Avoid using RMS record stores for storing sensitive data, such as DRM keys, with Series 40 devices using MIDP 2.0 and 2.1.
To address the RMS security deficiency described above for MIDP 2.0, the upcoming MIDP 3.0 specifies RMS encryption control.
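The following added example (not code from the original article) shows the MIDP 2.0 authorization mode mentioned in the description, applied to a record store that holds only non-sensitive settings. The class name `SettingsStore` and the store name `settings` are assumptions made for the illustration.

```java
import javax.microedition.rms.RecordStore;
import javax.microedition.rms.RecordStoreException;
import javax.microedition.rms.RecordStoreNotFoundException;

/** Keeps one non-sensitive settings record in a suite-private RMS store. */
public final class SettingsStore {
    // Hypothetical store name, chosen for this example.
    private static final String STORE_NAME = "settings";

    private SettingsStore() {}

    /**
     * Saves non-sensitive data only. AUTHMODE_PRIVATE keeps other MIDlet
     * suites out, but the record still lands in the device file store, so
     * DRM keys and similar secrets must never be passed to this method.
     */
    public static void save(byte[] value) throws RecordStoreException {
        // authmode and writable are applied only when the store is created.
        RecordStore rs = RecordStore.openRecordStore(
                STORE_NAME, true, RecordStore.AUTHMODE_PRIVATE, false);
        try {
            if (rs.getNumRecords() == 0) {
                rs.addRecord(value, 0, value.length);  // first record gets ID 1
            } else {
                rs.setRecord(1, value, 0, value.length);
            }
        } finally {
            rs.closeRecordStore();
        }
    }

    /** Returns the saved settings, or null if nothing has been saved yet. */
    public static byte[] load() throws RecordStoreException {
        RecordStore rs;
        try {
            rs = RecordStore.openRecordStore(STORE_NAME, false);
        } catch (RecordStoreNotFoundException e) {
            return null;  // store has not been created yet
        }
        try {
            return rs.getNumRecords() == 0 ? null : rs.getRecord(1);
        } finally {
            rs.closeRecordStore();
        }
    }
}
```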

