There are some restrictions for accessing certain method calls and APIs from MIDlets. In those cases it is possible that the user will either be prompted for confirmation to allow a certain method call or the access is blocked altogether, resulting a SecurityException to be thrown.
Making these prompts appear less frequently requires the developer to sign the MIDlet and the user to manually change the API access settings. Signing to the operator or manufacturer domain will remove the prompts completely, but this requires close collaboration with those parties.
Mobile information device profile (MIDP) 2.0 specification defines four security domains to which the MIDlet can be installed:
Each of the protection domains have certain level of access to the protected (sensitive APIs). The access rights are grouped to a function groups:
The MIDlet will have access settings defined to each of the function groups above that are supported by the phone. The setting can be one of the following, defined by the security domain policy of the phone:
Java specifications include a number of versions for the available API access rights (Note that it is possible that there might not be a device available which would support the API access rights exactly the way they are defined in the specification!)
NOTE: The MIDP specification defines that even a trusted 3rd party MIDlet cannot have networking and auto-start permissions simultaneously as Always Allowed!
A MIDlet which has not been signed will be placed in the untrusted domain, which has most restrictions for accessing certain APIs. If the MIDlet has been signed and the corresponding certificate is stored in the certificate store of the phone, the MIDlet will be placed in the protection domain to which the certificate has been tied to (there are some complex checks which are done at the installation time, please see the MIDP 2 specification for more info).
If your application passes Java Verified testing, it will be signed with UTI root certificate, which will place your MIDlet to the trusted 3rd party domain. Other common certificates that place your MIDlet to the trusted 3rd party domain are available from:
Note that there are differences between different phone models on which certificates are installed on the phones. Additionally, the same phone model may have a different set of certificates depending on which region it was sold in. Operator variants of the phones can also have additional changes in the certificate availability.
Also note that the MIDP specification does not allow new certificates to be added on the phones to allow signing to the trusted 3rd party domain. This is, however, possible on S60 2nd Edition devices due to incorrect implementation (instructions). Some operators have also implemented so-called developer certificates for their devices (Sprint and China Unicom). Consequently, make sure to check the available code-signing CA-certificates (or check this posting).
As the MIDP spec security domain policy is just a recommendation, some operators have defined their own security domains and API access rights. These include:
Generic phones also have different versions of the API access rights implemented:
It is not possible to change the default settings available on the phone, but after MIDlet installation it is possible to change the API access settings from the default to the the available ones (not all options are available to untrusted MIDlets).