In the past couple of months I’ve been doing internal trainings, and in pretty much every one of them I was getting questions regarding Symbian platform security. And to be honest, platform security is something that made me lose sleep a few times over the past couple of years.
But I don’t want this to be yet another post about how bad PlatSec is, and the reason for that is that I believe it actually is a good thing. Here are some facts.
The idea behind PlatSec as described in marketing materials is pretty good: “a fine-grained way to efficiently restrict or completely prevent unauthorised access to sensitive APIs and data on the mobile phone while keeping the device open to developers”. The reality, however, proves to be quite different.
Platform security is often misunderstood as an ultimate protection from viruses and all kinds of malicious software. But here’s the first report about an application signed by Symbian that is spyware.
Antony Pranata has an excellent piece on antivirus software for Symbian OS 9.x, “Do We Need Anti Virus for Symbian OS 9 Devices?”.
Gábor Török in his blog post “Symbian Signed is not an anti-virus software” explains that “signing has not much to do with protection against malicious programs”. Certification is not about security, it is about being able to trace the problem back to the developer.
But what is such security good for if you can get a signed spyware application?
As Gábor writes, “For example, the author’s certificate can be revoked and added to a list, called Certificate Revocation List or CRL for short”. The problem, however, is that CRL is not yet supported in S60 3rd Edition.
Gábor Török and Simon Judge write that it is becoming common practice for developers to ship unsigned applications, so that advanced users can do the signing themselves using their own developer certificates.
Why could this possibly be happening?
In “Do you think that PlatSec signing process is a nightmare?” Gábor writes more about it. And I have to answer YES to his question.
Here are some examples of issues with and around Symbian OS Platform Security implementation:
“Is Symbian Trying to Kill Off Small Developers?” by “Symbian In Motion”
Platform Security hinders the development process on the S60 platform, especially for small independent software companies and individual programmers. It prevents students, or any other developers who can’t afford the signing process, from writing shareware software for S60. In addition to all the other problems developers experience with the platform, it just turns them away from Symbian.
Yes, Symbian provides free certification for freeware applications, but sometimes that’s simply not fast enough. If you want to interact with your users and make them happy, you would need to deliver fixes and new features for your software without additional delays.
We have a system that discourages independent developers, slows down freeware distribution, and does not prevent malicious software from spying on you or destroying your phone. What is the point? That suits only operators that work closely together with Symbian-powered device manufacturers and can put a “trusted” label on their software, but it does not benefit developers at all.
Coupled with the fact that mobile application sales are dropping, one can see a gloomy future for independent application development on Symbian.
As I said in the beginning – I think that Platform Security is a good thing. I really do – in the world where Nokia wants to be able to easily extend the functionality of its phones by itself or provide such a possibility to selected partners.
Having spent the last 8 years of my life working with Symbian OS, it pains me to say that if I were a beginning developer now looking at what OS to start developing for – I wouldn’t bother with Symbian and would go for mobile Linux.