RMS is not encrypted - an attacker can easily read off any data. You'll need to encrypt the data - I recommend the Bouncycastle AES provider, but the Java AES provider also works (although it isn't as efficient, and you'll need to enable 256-bit keys on it).

See the accepted answer to this question for some example code. I don't recommend changing anything in the code without asking StackOverflow or another good Q&A site first (it's very easy to incorrectly use encryption libraries); the code uses the Java crypto provider, to use the Bouncycastle provider use Cipher.getInstance("AES/CBC/PKCS7Padding", new BouncyCastleProvider()) after you import the Bouncycastle library.

Important to note is that the code generates a KeySpec spec from a char[] password - the user will need to enter this password at least once per session in order for you to decrypt the data (you can't store the password on the device, that would defeat the purpose of encrypting the data). Also important is that you'll need to use the same IV (initialization vector) in the encryption and decryption phases; this IV should be unique to each record that you're encrypting (e.g. when you encrypt foo.txt then use a different IV than when you encrypt bar.txt), but it does not need to be secret (you can store it in plaintext alongside the encrypted file). As an added precaution, wipe the char[] password when you're done with it.
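The points above (key derived from a char[] password, a fresh IV per record stored in plaintext next to the ciphertext, password wiped after use), as an added example that is not part of the original answer or the code it links to. It assumes the standard Java SE JCE provider with 256-bit keys enabled; the class name, method names, the PBKDF2 parameters and the sample password are hypothetical, and writing the returned bytes into the record store is left out.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class RecordCrypto { // hypothetical name, not from the linked answer
    private static final SecureRandom RNG = new SecureRandom();

    // Derive a 256-bit AES key from the password. The salt is not secret: store it with the records.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 65536, 256); // assumed iteration count
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword(); // wipe the spec's internal copy of the password
        return new SecretKeySpec(raw, "AES");
    }
    // Encrypt one record under a fresh random IV; the stored form is IV || ciphertext.
    static byte[] encryptRecord(SecretKeySpec key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Decrypt by reading the IV back from the first 16 bytes of the stored record.
    static byte[] decryptRecord(SecretKeySpec key, byte[] record) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(record, 0, 16));
        return c.doFinal(record, 16, record.length - 16);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "constructed-sample-password".toCharArray(); // entered by the user in practice
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        SecretKeySpec key = deriveKey(password, salt);
        Arrays.fill(password, '\0'); // wipe the caller's copy once the key exists
        byte[] msg = "same plaintext".getBytes(StandardCharsets.UTF_8);
        byte[] a = encryptRecord(key, msg);
        System.out.println("records identical: " + Arrays.equals(a, encryptRecord(key, msg)));
        System.out.println(new String(decryptRecord(key, a), StandardCharsets.UTF_8));
    }
}
```

CBC on its own gives confidentiality only: a modified record is not reliably detected on decryption, so add a MAC over IV and ciphertext if tampering matters.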