Sun makes every effort to ensure secure operation of MEP, which was designed with security in mind. MEP supports MD5 for encrypted authentication, and all traffic flowing through the public Internet is encrypted with SSL (HTTPS), ensuring that user data is at no time exposed to prying eyes. For security reasons, MEP does not duplicate the user's data to a local database, but only metadata required during the synchronization process.
MEP supports both client-side and server-side security:
MEP client security includes the following features:
A simple PIN-based form of authentication
A means to secure data at rest on the mobile device (data encryption)
A means to securely synchronize with the Gateway Engine on the server (transport-layer security)
A mechanism to destroy business data (data destruction)
A means to prevent the client device from synchronizing (lockout)
A means to remotely destroy all of the data on the device (poison pill)
A means to notify the application that a certain quiet period has elapsed (data fading)
An API that allows developers to replace the MEP default security manager implementation with their own
For details, see Chapter 3, Client Security Architecture, in Sun Java System Mobile Enterprise Platform 1.0 Developer’s Guide for Client Applications.
MEP server security features include the following:
TLS/HTTPS is used to provide authentication and encryption between the device and the Gateway Engine. The OMA DS protocol requires support for basic authentication and for verification of data integrity using a message digest created with MD5. The use of transport layer security (HTTPS) is assumed.
In a two-tier MEP installation, TLS/HTTPS is used for communication between the Web Service connector and the Web Service endpoint.
The Gateway Engine incorporates an Application Server realm for user authentication. The default configuration uses a JDBC realm.