A CAP file is the common binary redistributable in the Java Card world: it contains all the information a smart card manufacturer needs to load a third-party application onto a SIM and deliver the final product. This scenario is quite common for mobile applications, which are usually provided by one smart card vendor or by an independent company and distributed to every vendor wishing to deliver SIM cards to an operator, or simply to take part in preliminary testing. Therefore such an applet quite often falls into the hands of competitors. Given the growth of the Java Card application market and the increasing size and complexity of the applications themselves, this threat should be carefully considered.
It is known that interpreted Java byte code is quite vulnerable to reverse engineering, which can be performed even with open source Java decompilation tools unless the compiled code has been obfuscated. Sun's standard converter, normally used for CAP generation, works to a great extent as an obfuscator, hiding class and field names as well as method signatures. Nevertheless, a CAP file generated by the common Sun compiler and converter can be reverse engineered, and in most cases the result will remain compilable.
The CAP decompilation technique proposed by the authors is a two-stage process. In the first step, class files are reconstructed from the original CAP by reversing the procedure followed by the standard converter; source code can then be recovered with available open source tools such as JAD. The reconstructed code lacks the original class, method and field names, and analysing it can itself be a challenge, but it can be used for certain operations. The proposed technique is sensitive to the Java compiler and converter versions used for the original compilation. Therefore certain counter-measures implemented in the converter, such as obfuscation of control flow or stack operations, can prevent correct code reconstruction.
The presented results demonstrate that vulnerability to reverse engineering attacks should be taken seriously by Java Card developers intending to distribute their applications to third parties, especially on the Java Card 3.0 platform.
A blog where we would like to discuss issues related to wireless and internet security and provide insights into our products, services and company life.
Wednesday, July 29, 2009
Friday, June 26, 2009
Developing real-world smart card web server applications
Cellnetrix took part in the 2nd Comprion technology day in Paderborn, Germany, with a presentation on smart card web server technology. You can check out the presentation: Developing smart card web server applications.
Friday, June 5, 2009
Cellnetrix will speak about its first experience of SCWS service development at the 2nd Comprion technology day on June 23rd
Smart card web server technology is gaining momentum and is becoming more and more important both for mobile operators and for the mobile services community. The first mobile handsets supporting this functionality have appeared on the market. Although it will probably take one or two years until there is a significant subscriber base with the right phones, SCWS service development should be strongly considered already today. Cellnetrix, as an expert in mobile security and smart card software, will present the first results of SCWS service implementation at the 2nd Comprion technology day in Paderborn, Germany, on 23rd June (http://tinyurl.com/oufuer).
Tuesday, May 12, 2009
Cellnetrix starts its own blog
At last we have managed it: we found some spare time and started our official blog, where we would like to talk a lot about smart cards and secure devices, secure gadgets, and their applications in various domains, first of all in mobile communications and on the Internet, which our company is focusing on.
We intend to share more information on our products and services, give an unbiased view (why not!) on the latest industry developments and provide some insights into internal company life.
Security is becoming more and more important in those spheres where it is most required, such as wireless mobility, on-line services and corporate/business applications. Without pretending to give a final solution or recipe, we will discuss these issues from different angles, trying to understand where we are going and to find an answer together.
Any comments or ideas are very much appreciated!
Vladimir.