<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Masabi Launches World’s First Mobile Java Security App</title>
	<atom:link href="http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/</link>
	<description>All About Mobile 2.0</description>
	<pubDate>Tue, 06 Jan 2009 22:31:13 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: Peter Suciu</title>
		<link>http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-215981</link>
		<dc:creator>Peter Suciu</dc:creator>
		<pubDate>Tue, 17 Jul 2007 13:35:26 +0000</pubDate>
		<guid isPermaLink="false">http://mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-215981</guid>
		<description>Ben Whitaker offers a response to Brian

Hi Brian,

good points, and they deserve answers:

1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?

2: Yes, the latest phones do have HTTPS, but with issues.
a) Most use RC4, which according to CERT Advisory 565052 shouldn't be used.
b) It's slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)
c) It can't encrypt SMS messages.
d) In many cases root certificate problems prevent J2ME apps from using it.
I have posted more detail with references on blog.masabi.com if you are interested.

3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn't built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer's hair is lost trying to make apps small enough.

4: Decent Random Numbers: a very good point Brian, and one that many mainstream "secure" mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we've captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.

Thanks for asking such good questions Brian, it's needed in the security world to make sure people know what they are getting, and discuss the important topics!

If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.</description>
		<content:encoded><![CDATA[<p>Ben Whitaker offers a response to Brian</p>
<p>Hi Brian,</p>
<p>good points, and they deserve answers:</p>
<p>1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.<br />
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?</p>
<p>2: Yes, the latest phones do have HTTPS, but with issues.<br />
a) Most use RC4, which according to CERT Advisory 565052 shouldn&#8217;t be used.<br />
b) It&#8217;s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)<br />
c) It can&#8217;t encrypt SMS messages.<br />
d) In many cases root certificate problems prevent J2ME apps from using it.<br />
I have posted more detail with references on blog.masabi.com if you are interested.</p>
<p>3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn&#8217;t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer&#8217;s hair is lost trying to make apps small enough.</p>
<p>4: Decent Random Numbers: a very good point Brian, and one that many mainstream &#8220;secure&#8221; mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we&#8217;ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.</p>
<p>Thanks for asking such good questions Brian, it&#8217;s needed in the security world to make sure people know what they are getting, and discuss the important topics!</p>
<p>If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben</title>
		<link>http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-215271</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Mon, 16 Jul 2007 14:20:10 +0000</pubDate>
		<guid isPermaLink="false">http://mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-215271</guid>
		<description>Hi Brian,

good points, and they deserve answers:

1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?

2: Yes, the latest phones do have HTTPS, but with issues.
a) Most use RC4, which according to CERT Advisory 565052 shouldn’t be used.
b) It’s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)
c) It can’t encrypt SMS messages.
d) In many cases root certificate problems prevent J2ME apps from using it.
I have posted more detail with references on blog.masabi.com if you are interested.

3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn’t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer’s hair is lost trying to make apps small enough.

4: Decent Random Numbers: a very good point Brian, and one that many mainstream “secure” mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we’ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.

Thanks for asking such good questions Brian, it’s needed in the security world to make sure people know what they are getting, and discuss the important topics!

If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.

Ben.</description>
		<content:encoded><![CDATA[<p>Hi Brian,</p>
<p>good points, and they deserve answers:</p>
<p>1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.<br />
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?</p>
<p>2: Yes, the latest phones do have HTTPS, but with issues.<br />
a) Most use RC4, which according to CERT Advisory 565052 shouldn’t be used.<br />
b) It’s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)<br />
c) It can’t encrypt SMS messages.<br />
d) In many cases root certificate problems prevent J2ME apps from using it.<br />
I have posted more detail with references on blog.masabi.com if you are interested.</p>
<p>3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn’t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer’s hair is lost trying to make apps small enough.</p>
<p>4: Decent Random Numbers: a very good point Brian, and one that many mainstream “secure” mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we’ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.</p>
<p>Thanks for asking such good questions Brian, it’s needed in the security world to make sure people know what they are getting, and discuss the important topics!</p>
<p>If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.</p>
<p>Ben.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ben</title>
		<link>http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-212251</link>
		<dc:creator>ben</dc:creator>
		<pubDate>Fri, 13 Jul 2007 15:53:32 +0000</pubDate>
		<guid isPermaLink="false">http://mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-212251</guid>
		<description>Hi Brian,

good points, and they deserve answers:

1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?

2: Yes, the latest phones do have HTTPS, but with issues.
a) Most use RC4, which according to CERT Advisory 565052 shouldn't be used.
b) It's slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)
c) It can't encrypt SMS messages.
d) In many cases root certificate problems prevent J2ME apps from using it.
I will be putting up a more complete blog post on the subject shortly on blog.masabi.com.

3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn't built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer's hair is lost trying to make apps small enough.

4: Decent Random Numbers: a very good point Brian, and one that many mainstream "secure" mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we've captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.

Thanks for asking such good questions Brian, it's needed in the security world to make sure people know what they are getting, and discuss the important topics!

If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.

Ben.</description>
		<content:encoded><![CDATA[<p>Hi Brian,</p>
<p>good points, and they deserve answers:</p>
<p>1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.<br />
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?</p>
<p>2: Yes, the latest phones do have HTTPS, but with issues.<br />
a) Most use RC4, which according to CERT Advisory 565052 shouldn&#8217;t be used.<br />
b) It&#8217;s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)<br />
c) It can&#8217;t encrypt SMS messages.<br />
d) In many cases root certificate problems prevent J2ME apps from using it.<br />
I will be putting up a more complete blog post on the subject shortly on blog.masabi.com.</p>
<p>3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn&#8217;t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer&#8217;s hair is lost trying to make apps small enough.</p>
<p>4: Decent Random Numbers: a very good point Brian, and one that many mainstream &#8220;secure&#8221; mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we&#8217;ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.</p>
<p>Thanks for asking such good questions Brian, it&#8217;s needed in the security world to make sure people know what they are getting, and discuss the important topics!</p>
<p>If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.</p>
<p>Ben.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brian</title>
		<link>http://www.mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-212223</link>
		<dc:creator>Brian</dc:creator>
		<pubDate>Fri, 13 Jul 2007 14:57:36 +0000</pubDate>
		<guid isPermaLink="false">http://mobilecrunch.com/2007/07/13/masabi-launches-world%e2%80%99s-first-mobile-java-security-app/#comment-212223</guid>
		<description>Certification from BT/NIST has very little to do with "Web commerce level security." Almost no browser or web servers currently doing "web commerce" are running in certified configurations at all (in Firefox, you would need to be using the FIPS security device, and even that hasn't finished certification yet).

Almost every Java-enabled mobile phone has built-in support for HTTPS for Java ME apps already, even ones that are years old. That means that this library is only really useful for applications that cannot use HTTPS but still require encryption.

Furthermore, this might be the first certified Java ME library, but similar libraries have been around forever. Bouncy Castle's ME edition comes to mind. It is not certified but it is well-tested over several years by many, many people.

Finally, it is not clear to me how this library can possibly provide a decent random number generator. Where is it getting entropy to seed the generator? I suppose it is possible but I am skeptical.</description>
		<content:encoded><![CDATA[<p>Certification from BT/NIST has very little to do with &#8220;Web commerce level security.&#8221; Almost no browser or web servers currently doing &#8220;web commerce&#8221; are running in certified configurations at all (in Firefox, you would need to be using the FIPS security device, and even that hasn&#8217;t finished certification yet).</p>
<p>Almost every Java-enabled mobile phone has built-in support for HTTPS for Java ME apps already, even ones that are years old. That means that this library is only really useful for applications that cannot use HTTPS but still require encryption.</p>
<p>Furthermore, this might be the first certified Java ME library, but similar libraries have been around forever. Bouncy Castle&#8217;s ME edition comes to mind. It is not certified but it is well-tested over several years by many, many people.</p>
<p>Finally, it is not clear to me how this library can possibly provide a decent random number generator. Where is it getting entropy to seed the generator? I suppose it is possible but I am skeptical.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
