OMA security

Aleksander Morgado aleksander at lanedo.com
Fri Sep 6 03:21:49 PDT 2013


On 06/09/13 11:56, Enrico Mioso wrote:
> My question might be a little "stupid" - still: does OMA offer
> adequate security?
> Ok - the solution is proprietary and so it's difficult to understand.
> In other words - is the user free to not accept a network initiated
> DM session? If for example the user doesn't want to have a certain
> feature disabled / software upgraded?
> Thank you all for the reply!

There are three ways to handle an OMA-DM session:

 * User requests to start it (via StartClientInitiatedSession() in the
interface).

 * Modem receives an indication that a new network request for an OMA
session arrived, and ModemManager will expose this request in the
interface (via the PendingNetworkInitiatedSessions property). Then the
user can accept or reject the request (via
AcceptNetworkInitiatedSession() in the interface).

In both these cases, the user needs to get involved. Of course the
'user' here is the application implementing access to the OMA interface,
and that application may choose not to tell anything to the real human
behind the device. These user-initiated and network-initiated sessions
are needed for successful CDMA activation in some network operators,
like Sprint, if I'm not mistaken.

 * The third case is a bit unclear: 'device-initiated' sessions,
whatever they are, seem to be managed without any user intervention, as
I couldn't find any API to manage them. But there is nothing in
ModemManager that we can do to prevent their use; the new OMA support
doesn't introduce these, they are already there. If they are used, and
for what they are used, only Qualcomm can tell, I guess.

-- 
Aleksander
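
An added example, not part of the original message and not ModemManager code: a consent gate that a client application could put between the PendingNetworkInitiatedSessions property and AcceptNetworkInitiatedSession(), so that a network request is only accepted after an explicit human decision and every decision is logged. The (session type, session id) entry layout, the (session_id, accept) argument order, and the names ConsentGate, accept_call, ask_user and demo are assumptions made for illustration; the D-Bus call is replaced by a callback so the block runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass
class ConsentGate:
    # accept_call wraps AcceptNetworkInitiatedSession(session_id, accept) (assumed signature).
    accept_call: Callable[[int, bool], None]
    # ask_user must return True only when the human explicitly approved the session.
    ask_user: Callable[[int, int], bool]
    audit: list = field(default_factory=list)
    _seen: set = field(default_factory=set)

    def handle(self, pending: Iterable) -> dict:
        """Decide every new pending entry; returns {session_id: accepted}."""
        decisions = {}
        for entry in pending:
            try:
                # Assumed entry layout: (session_type, session_id).
                stype, sid = (int(v) for v in entry)
            except (TypeError, ValueError):
                self.audit.append(("malformed", repr(entry)))
                continue
            if sid in self._seen:
                continue  # property updates may repeat an entry already decided
            self._seen.add(sid)
            try:
                ok = bool(self.ask_user(stype, sid))
            except Exception:
                ok = False  # fail closed: no answer means reject
            self.accept_call(sid, ok)
            self.audit.append(("accepted" if ok else "rejected", stype, sid))
            decisions[sid] = ok
        return decisions


def demo():
    calls = []
    gate = ConsentGate(
        accept_call=lambda sid, ok: calls.append((sid, ok)),
        ask_user=lambda stype, sid: sid == 7,  # constructed: human approves only session 7
    )
    # Constructed sample property value, including a malformed and a repeated entry.
    pending = [(20, 7), (21, 8), ("bad",), (20, 7)]
    return gate.handle(pending), calls, gate.audit


if __name__ == "__main__":
    print(demo())
```

This covers only the network-initiated case; the device-initiated sessions mentioned above are not exposed through any API and cannot be gated this way.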

