  1. #1
    Registered User
    Join Date
    Oct 2011

    Post Appeal to Nokia to reinstate Express-Signing for our account


    The company I work for often releases applications on multiple mobile platforms, including S60 / Symbian. Some of these applications are our own products. Other applications are promotional apps for our clients, which are among the biggest brands in the world, such as IBM, Nike, Ford, etc., and even Nokia itself. These promotional applications are often released at the same time as new marketing initiatives, new advertising campaigns, or new products launched by our clients. All the Symbian applications we release, whether for ourselves or for our clients, are Express-Signed.

    In the past, some of these applications have been audited, and they have always passed the audits. However, for one of our recent applications (application # 5011851), the auditing test house raised some objections, for which we offered clarifications and explanations. The auditor informed us that they were forwarding our case to Nokia for a final decision.

    Yesterday when we tried to release the latest version of one of our apps, we found that Express Signing was disabled for our account. Upon reading the audit report, it looks like the auditor has marked our application as having failed audit, and Nokia either agrees with them, or hasn't yet looked into the case. Because of our account being suspended, we are not able to release our apps at this time. This can potentially cause us great hardship and loss of business, because our clients often come to us with an idea for an application which needs to be released in a short time, to coincide with a new advertising campaign / new product. For such apps, going through the Certified Signed process would mean that our clients' advertising campaigns / new launches would be delayed, something which would be unacceptable for them.

    Moreover, we feel that the decision to fail our application in the audit was itself somewhat harsh, as explained below:

    Our application was failed for not informing the user before making a data connection (GPRS), or before sending an SMS. In hindsight, we agree with the reasons for these requirements: if the user incurred any expenses without their knowledge, they would probably not have a pleasant experience of using the application. If many applications did the same thing, it would harm the entire Nokia Store ecosystem, as the users would be wary of trying new mobile apps. Therefore, we completely agree that before an application takes any action that incurs a charge for the user, they should ask the user's permission for the same. Towards this end, we are committed to implementing this feature in all our future applications.

    However, this requirement (of seeking the user's permission) is not mentioned anywhere in Symbian Signed Test Criteria (http://www.developer.nokia.com/Commu...4_Wiki_version). Before Express-Signing our application, we used to test it against all the tests mentioned in the V4 Symbian Signed criteria, and since our application passed all the tests, we used to confidently sign and release them. Only after reading the auditors' report did we find that this requirement (asking the user's permission before actions that may incur charges) is one of the ways of interpreting "Check 4", which is meant to check "Malware".

    Here is the complete text of Check 4:
    "CHECK 4 - Malware check
    The submission may not include any viruses, worms, malware, Trojan horses, time bombs or any other malicious code.

    Nokia or appointed Nokia contractor will scan every submission coming through Symbian Signed service. Nokia may share the application and information submitted with the application, including but not limited to the developer information to assure the submission did not include any malware. If malware is found Nokia will suspend the user's account."
    Please note that nowhere does Check 4 educate the reader about the requirement to seek the user's permission before incurring a charge. This requirement only becomes clear in hindsight, after it is described by a test house / auditor.

    Since this requirement is not EXPLICITLY mentioned in any of the tests or checks listed in the Symbian Signed V4 criteria, we feel it is harsh to fail an application because of this. In our opinion, this should have resulted in a warning / advice to change functionality in the future.

    For the above two reasons, i.e. ...
    (1) Disabling Express-Signing for our account would cause a lot of harm to our business, and,
    (2) The requirement to seek the user's permission (before any charge-accruing action) is not explicitly mentioned in the Symbian Signed criteria,

    ... we request that you re-enable Express Signing for our account. We do commit to making the required changes in all our future app releases.

    Moreover, we are willing to go through the Certified Signed process too, but request that you (provisionally) re-enable Express Signing as well for us, even while the Certified Signing process is going on, so that we can continue to release applications for our clients.

    Please do respond soon, and let us know your decision.

    Best regards,

  2. #2
    Nokia Developer Expert
    Join Date
    Dec 2003

    Re: Appeal to Nokia to reinstate Express-Signing for our account

    Your application behaviour: making a connection before the application even starts in 99% of the cases suggests the application to be malicious. Additionally, sending the message would suggest the user would not be in control of what the application is doing. Those were the main reasons for failing it under CHECK 4, even though the text does not explicitly mention it.

    I reinstated the Express Signed rights for your account. However if our antivirus friends find your application malicious, we will need to have this conversation again, but then we will contact you.

    To get a quicker turn around I recommend using the symbian dot signed ät nokia dot com address.
    Last edited by rippe; 2011-10-14 at 10:03.

  3. #3
    Registered User
    Join Date
    Oct 2011

    Re: Appeal to Nokia to reinstate Express-Signing for our account

    Hello rippe,

    Thanks for reinstating Express Signing for our account.

    Our application used to make a connection as soon as it started because it was checking the server for new content to serve to the user. Since the content is dynamic and may change from one day to the next (or from one week to the next), we cannot bundle it with the application; it has to be downloaded at run time.

    Anyway, we are already implementing changes in the application to ask the user's permission before making the data connection and sending the text message.

    Thank you once again, and thanks also for the tip about quicker turn around.

    Best regards,
    Last edited by Rohit17; 2011-10-14 at 16:23. Reason: Grammar
