Improving the Security of Downloadable Java Applications With Static Analysis

Today, most middle-end mobile phones embed a Java runtime environment that can execute programs downloaded on the network by the user. This new functionality creates great opportunities for new services but also brings the full range of risks that existed on the personal computer to the phone.Telecommunication operators are the last warrant of the quality of the software downloaded by their customers and might sign the applications they trust. Unfortunately they have little evidence to check the quality of the contents of the jammed bytecode they receive from developers. The traditional evaluation process relies mostly on the manual testing of the software on actual terminals. But this is not adapted for security properties.MATOS (Midlet Analysis TOol Suite) is a static analysis tool that checks the possible values passed to some identified methods directly on the compiled application. It is used by the test teams of the mobile operator Orange to check what kind of connections are opened by MIDP applications. We will present the security requirements we want to check, how MATOS helps to ensure them and how the necessary analysis are performed using a combination of (rather) well-known analysis techniques