Java Security for Mobiles

The advent and popularity of Java has created a new paradigm: downloaded content can now also be executable. Java developers have tried to address security by implementing a few mechanisms, which are supposed to remove the risks of executing untrusted code:

• Memory access.
• The Java Sandbox.
• The Byte-code Verifier.
• The Applet Class Loader.
• The Security Manager.

Memory Access
Java developers have often promoted Java as a secure language. At the lowest level, security goes hand in hand with robustness. Java programs cannot:

• Forge pointers to memory
• Overflow arrays
• Read memory outside the bounds of an array or string

These features are supposed to be the main defenses against malicious code. It has been argued that by disallowing direct access to memory, a huge, messy class of security attacks is ruled out.

Byte-code Verification
The second line of defense against malicious code is the byte-code verification procedure that the Java interpreter performs on any untrusted code it loads. The verification procedure should ensure that the code is well formed. For example, it should not overflow or underflow the stack or contains illegal byte-codes. If the byte-code verification step was skipped, inadvertently corrupted or maliciously crafted byte-codes might be able to take advantage of implementation weaknesses in a Java interpreter.

Java Sandbox
Another layer of security protection is commonly referred to as the sandbox model: untrusted code is placed in a sandbox, where it can play safely and without doing any damage to the real world, or the full Java environment. When an applet or other untrusted code is running in the sandbox, there are a number of restrictions on what it can do. The most obvious of these restrictions is that it has no access to the local file system.

Security Manager
The Security Manager class enforces a number of other restrictions. All the core Java classes that perform sensitive operations, such as file system access, first have to ask permission of the currently installed security Manager. If the call is being made by untrusted code, the security manager throws an exception, and the operation is not permitted.

The Dangers of Mobile Code

Because of the universal use of e-mail and world wide web, it is impossible for any security administrator to guarantee that no malicious external files, programs or data will reach the internal network. Primary culprits for web-based intrusions are applications using the Java and ActiveX programming languages. These languages allow Web sites to incorporate programs that users can run on their computers, in other words: remotely compiled programs are executed locally. It is not surprising that one should be rather nervous about executing untrusted code on one’s private network or machine.

Java
Java is a high-level, object-oriented, general-purpose programming language that took the Internet by storm, because it was one of the first technologies that could animate Web pages and make them interactive. Designed by Sun Microsystems in 1990, it is similar to C++, but it eliminates many language features that can cause common programming errors. Java source code files (files with a .java extension) are compiled into a format called byte code (files with a .class extension), which can then be executed by a Java interpreter. Java can be used to develop complete applications, called Java applets, which can perform a variety of tasks from the same Web page:

• Animations. 
• Games. 
• Charts. 
• Interactive programs. 

Let us see how this works in a Web browser on a desktop computer. References to Java software are embedded on a web page, which can be stored on a local disk or on the network. When the browser sees these references, it performs the following procedure:

• The Java software, i.e. the applet, is loaded. 
• The applet is then processed by the Java Virtual Machine (JVM), which is built into the browser. 
• This JVM does stringent security checks. 
• The JVM runs the applet, which appears and interoperates inside the browser. 
• The computer's operating system provides machine-specific support for many of the actual operations and interactions.

Threats to the home computers

A threat, for information security, is any activity that represents possible danger to user’s information. Intruders want the information stored by the users which are personal and sensitive, such as credit card numbers, PINs, passwords etc. By stealing this information the malicious intruders commonly referred to hackers may gain financially. The intruders also use the resources of the compromised systems for their own purposes and for attacking other computer systems connected to the Internet. Recent trends in computer security threats show that the attackers are compromising the home computers and installing malicious code such as Bots in these systems, which may then be used as Zombies to further launch large scale attacks on critical information systems. This type of attack is known as Distributed Denial of Service (DDOS).


Vulnerabilities in home computer
A vulnerability is a weakness in user’s information security that could be exploited by a threat; that is a weakness in user’s system and network security, processes, and procedures.

Computer vulnerability is flaw in the computer system. Which when exploited allows intruder to compromise the system’s integrity. The common types of vulnerabilities are logical errors in operating system or applications due to poor coding techniques, allowing intruder to exploit them and giving him heightened access to the user’s computer.

Various security tools are available to secure the system like firewalls etc. These tools provide excellent security mechanism but having flaw in design that could lead to security breach. The term “security through obscurity” fits into this arena, being the system is secure because nobody can see hidden elements. All types of file encryption come under this category. By means of encrypting the data an additional layer of protection is being added to the computer system.

In case a system is compromised, the critical data is still protected by encryption. And the intruder may not be able to steal the information from the hacked system.