Mobile phone Java risks 'minimal'

Source: Security Focus

Is wireless Java at risk from malicious code attack? The answer appears to be no - for vanilla Java 2 Micro Edition (Java 2 ME). But vendors' proprietary extensions are more problematic, according to Markus Schmall, of T-Mobile. He recently conducted a study of the security of Java 2 ME, using tests on a Siemens SL45 phone.

Java 2 ME is defined so that cross-loader functions are limited, maths functions are restricted and no file access is possible. This greatly limits the scope and number of attacks possible on mobile devices running Java 2 ME.

Schmall considered a number of actions which malicious code might take: accessing storage media, accessing internal memory, initiating Web connections and interfering with installed applications.

Although it was possible to freeze mobile phones with maliciously-constructed SMS messages and the like, its not possible for malicious code to replicate. Header manipulation vulnerabilities that lead to 'freezer' SMS exploits are due to problems with mobile phone firmware - not Java, Schmall concludes.

The few Java viruses extant (Strange Brew and Bean Hive) do not pose any risk for Java phones, he found. Strange Brew fails to replicate consistently, even on a PC, and Bean Hive relies on class loader functionality not used in Java 2 ME.