In the SDK, when you use Run via OTA your packaged MIDlet suite is installed directly into the emulator where it is placed in a security domain. The emulator uses public key cryptography to determine the appropriate security domain.
If the MIDlet suite is not signed, it is placed in the default security domain.
If the MIDlet is signed, it is placed in the protection domain that is associated with the root certificate of the signing key’s certificate chain. See Signing a Project.