Now, Fear Java
By Carlo Longino, Mon Oct 04 23:00:00 GMT 2004

Security "experts" say J2ME apps are the latest security problem for mobile phones.


First it was bluejacking, then the proof-of-concept viruses. Now mobile Java applications are something to worry about -- never mind that the "security risk" is a feature for which developers clamored. The organizer of a Malaysian security conference says that a hacker could "maybe read your address book or even eavesdrop on a conversation," according to the BBC.

It sounds like the supposed problem is the enhancement in the latest version of the J2ME MIDP specification, which gave developers the long-awaited ability to access a handset's telephony features, allowing them to build richer applications like connected games and branded content portals. So of course, by providing this capability, device manufacturers are opening the possibility that it will be misused. But to write it off as a security problem is to ignore its greater potential utility. After all, if PCs couldn't access the Internet, malware wouldn't be much of a problem, but not too many people are choosing to unplug their Net connections out of fear of having somebody snoop on their IM conversations or hijack their e-mail address book, given all that the Internet provides in return.

A McAfee representative says that users should start asking their carriers for more protection, the obvious unspoken implication being that this would spur operators to buy more security and anti-virus systems. Of course, as with the viruses before, the key difference between the mobile and PC worlds is that infection, self-replication and transmission aren't nearly as easy on a handset as on a connected PC. This isn't likely to change significantly any time soon, either, but as long as users -- particularly in the enterprise -- are convinced the threats are real, the anti-virus industry will come up with solutions to sell them.

But the bigger issue is how these perceived threats and generally unfounded security concerns will affect the future of the mobile device. A device connected to a wide-area data network, at least a device that's got anything more than the most basic functionality, will never be invincible. There already exist a number of protections built into various points of the mobile software ecosystem, although some of them, like signing applications, generally go ignored. The solution is to utilize those protections, and the security improvements mobiles and networks have over the typical Windows PC, to protect users -- not to strip out functionality and utility because they introduce the possibility of problems.