Michael Voong HCI Researcher @ Birmingham University

Posted
14 January 2008 @ 10pm

Tagged
mobile, programming

Java Verification? Not For Me!

Apparently, the Java ME code verification system is a joke. One developer has said that if you want to use anything other than the buttons and screen, you need your code signed. All of this was supposed to make code signing in Java ME centralised, based upon impartial third parties like Verisign, Thawte, and others, but now some carriers (particularly in the US) have implemented their own certification processes, which defeats the point of having a centralised verification service like the Java Verified Program. Cingular’s lock-down in the US is a prime example of this evil - developers can only use the Bluetooth API (JSR-82) if they are enterprise partners with $1000 to spare for Cingular to test their application. JSR-179 (location services) is banned altogether. “PIM, SMS, and internet connectivity services are also heavily restricted, with most things requiring at least a 3rd party cert ($500 or so per year) to use.”


Here’s how it goes for the poor developers who want maximum market penetration with their app, but are locked down by carriers. To get your program verified by the “official” verification system, Java Verified, you need to pay an independent testing lab. For each bug fix release, you need to pay them to re-test. Your Java ME application can get around the security dialogs once it’s verified, but as soon as you want to release new versions, you can understand that costs build up. Read more about the signing process here.

Bedroom developers and freeware developers need to start charging to maintain useful applications - not an ideal way to encourage innovation, is it? Google chose not to bother signing their Google Maps for mobile application, as a testament to how bad the whole process is. I can understand that you need to go through a complicated process to allow application developers to access your personal information and phone numbers, but what about Bluetooth access? How much harm can be done? Even so, what about giving users the choice to silence all future security dialogs with a “remember my decision” option?

Alas, when the restricted APIs are used in research in the UK it isn’t so bad - we don’t have operators like Cingular here. On the Nokia and Sony Ericsson phones I have tested, the security dialogs only appear when you start the program. For the purposes of my experiments, I can just tell users to pick “allow” every time, and the problem is solved. I don’t really need to sign my applications.

More reading and a good summary here: How Midlet Signing is Killing J2ME


5 Comments

Posted by
Phi
15 January 2008 @ 11am

Will the official iPhone SDK approval process have the same problem you reckon?


Posted by
Michael Voong
15 January 2008 @ 12pm

Yeah I’m pretty sure it will. The platform will no doubt be extremely popular, and keeping personal data open to developers to upload freely over the internet will be a big no-no. Especially as all iPhone tariffs have unlimited data - Apple don’t wanna have trouble with AT&T from apps that use up far too much data!

Let’s hope they relax it all a little so it isn’t too bad…


Posted by
Al
15 January 2008 @ 1pm

I figured that the whole “allow this app to use the Internet” was just a mechanism allowing me to say “woah, no thanks!!!” if I’d got a game or something and it’s secretly doing internetty things or SMS or whatever.

Anyway, I dunno about your ‘one developer’ but I’ve made a few and it’s not too crippling. But yes, if you want to use the Internet or whatever it will ask. But as a user of Gmail and Google Maps on my phone, I’m perfectly alright with selecting yes once per session. But a ‘remember’ would be good!


Posted by
Al
15 January 2008 @ 1pm

Also, this theme is painful to read on the comments section.


Posted by
Michael Voong
15 January 2008 @ 3pm

Fixed. Tnx

