Symbian OS Platform Security – good or evil?

In the past couple of months I’ve been doing internal trainings, and on pretty much every one of them I was getting questions regarding Symbian platform security. And to be honest, platform security is something that made me lose sleep a few times over the past couple of years.

But I don’t want this to be yet another post about how bad the PlatSec is, and the reason for that is that I believe it actually is a good thing. Here are some facts.

The idea behind PlatSec as described in marketing materials is pretty good: “a fine-grained way to efficiently restrict or completely prevent unauthorised access to sensitive APIs and data on the mobile phone while keeping the device open to developers”. The reality, however, proves to be quite different.

Platform security is often misunderstood as an ultimate protection from viruses and all kinds of malicious software. But here’s the first report about an application signed by Symbian that is spyware.

Antony Pranata has an excellent piece on antivirus software for Symbian OS 9.x, “Do We Need Anti Virus for Symbian OS 9 Devices?”.

Gábor Török in his blog post “Symbian Signed is not an anti-virus software” explains that “signing has not much to do with protection against malicious programs”. Certification is not about security, it is about being able to trace the problem back to the developer.

But what is such security good for if you can get a signed spyware application?
As Gábor writes, “For example, the author’s certificate can be revoked and added to a list, called Certificate Revocation List or CRL for short”. The problem, however, is that CRL is not supported as of yet in S60 3rd Edition.

Gábor Török and Simon Judge write that it is becoming common practice for developers to ship unsigned applications, so that advanced users can do the signing themselves using their own developer certificates.

Why can this possibly be happening?

In “Do you think that PlatSec signing process is a nightmare?” Gábor writes more about it. And I have to answer YES to his question.

Here are some examples of issues with and around Symbian OS Platform Security implementation:

“Symbian is not an Idiot” and “Symbian Signed, Please Enable Me” by Antony Pranata, where he rants about the delays in getting a developer certificate for his new Nokia phone.

“Is Symbian Trying to Kill Off Small Developers?” by “Symbian In Motion”

“Death Of The Bedroom Coder” part 1 and part 2 by Chris Woods, where he describes the process and provides an expense calculation for an individual to release a Symbian application.

To summarize:

Platform Security hinders the development process on the S60 platform, especially for small independent software companies and individual programmers. It prohibits students or any other developers who can’t afford the signing process from writing shareware software for S60. In addition to all the other problems developers experience with the platform, it just turns them away from Symbian.

Yes, Symbian provides free certification for freeware applications, but sometimes that’s simply not fast enough. If you want to interact with your users and make them happy, you would need to deliver fixes and new features for your software without additional delays.

We have a system that discourages independent developers, slows down freeware distribution, and does not prevent malicious software from spying on you or destroying your phone. What is the point? That works well only for operators that work closely together with Symbian-powered device manufacturers and can put a “trusted” label on their software, but it does not benefit developers at all.

Coupled with the fact that mobile application sales are dropping, one can see a gloomy future for independent application development on Symbian.

As I said in the beginning – I think that Platform Security is a good thing. I really do – in the world where Nokia wants to be able to easily extend functionality of its phones by itself or provide such possibility to selected partners.

Having spent the last 8 years of my life working with Symbian OS, it pains me to say that if I were a beginning developer now looking at what OS to start developing for – I wouldn’t bother about Symbian and would go for mobile Linux.


Comments

6 responses to “Symbian OS Platform Security – good or evil?”

  1. Ivan,

    I’ve stumbled upon the following post: http://mikie.iki.fi/wordpress/?p=15 in which Mika and Artem agree (see comments) that neither Symbian nor Nokia has a valid and serious business reason to support 3rd party developers more. Simply put, users look at the phone, see what it supports and most of them really don’t know anything about/aren’t interested in 3rd party software at all. And I can see Symbian Signed’s recent agony just as a sign in that direction. It’s just a cruel world that we live in. :-\

    Tote

    Ps.: thanks for reading my blog. 🙂

  2. There’s an interesting discussion about the future of Symbian Signed: http://developer.symbian.com/forum/thread.jspa?threadID=21377&tstart=0, but it seems that it is just another attempt at fixing a system that is fundamentally wrong.

  3. Nokia is the world’s largest cellphone manufacturer, with a 47.9 percent stake in Symbian, the leading mobile platform that it co-founded in 1998 and which today powers some 206 million mobile phones. Nokia is now planning to shift its technology goals from Symbian to Linux.

    The mobile-phone maker is increasingly selecting Linux for Internet-enabled mobile devices, with its CFO declaring of Linux, \

  4. Most people will begin to notice their computer starts to slow down and they may also get more ads popup when they are surfing. Spyware is famous for building computers run a little “sluggish” – this is one of the first signs that your computer is infected. Then use http://www.search-and-destroy.com

  5. […] whole thing related to Symbian Series 60 (S60) mobile phones here, especially Nokia N-Gage QD, …Ivan Kuznetsov Symbian OS Platform Security good or evil?Symbian OS Platform Security good or evil? In the past couple of months I've been doing internal […]
