
Discussion Board

  1. #1
    Regular Contributor
    Join Date
    May 2003
    Posts
    96

    Security platform: controversial information

    Hi guys,
    I am struggling with Security Platform.
    I found information that to me looks controversial. Which one is the truth, according to your understanding? A or B?

    A] Document: "Testing And Signing With Symbian Platform Security - Version 1.3, March 20, 2006, FN"

    Statement in ch 2.3:
    "S60 3rd Edition introduces mandatory signing of applications. This means that the application will not install if it has not been signed."

    B] Book: "Symbian OS Platform security", ch 9.1.1, page 187:
    "With this security policy, the capabilities that user can grant are LocalServices and UserEnvironment. Any application requiring other capabilities will, therefore, need to be signed".

    Let's take an example of developing a Bluetooth application for "personal use".
    If the document is right then I have to sign it, maybe better (=cheaper) with a Symbian Developer Certificate. In case of my personal use, it will be totally free (since no VeriSign certificate is needed).

    If the book is right, that means that I can avoid signing it. And I could even deploy that application to my friends and it will work as long as every user grants LocalServices capabilities at install time.

    Which one is the truth?
    I hope someone could clarify.

    Thanks,
    mik

  2. #2
    Nokia Developer Moderator
    Join Date
    Feb 2006
    Location
    Budapest, Hungary
    Posts
    28,572

    Re: Security platform: controversial information

    The truth is a combination of A & B: every sisx file has to be signed, but you can apply "self signing". Search for "makekeys" in the SDK Help.

  3. #3
    Regular Contributor
    Join Date
    May 2003
    Posts
    96

    Re: Security platform: controversial information

    Thank you for your hint.
    However I am still confused: hopefully this discussion will be useful to someone else as well.

    1. So, I can use MakeKeys tool to generate a private key file and a self-signed certificate.
    At this point – if I understood correctly – I can already install the application in my mobile.
    I assume that so far I can use the basic User-grantable capabilities.

    2. Therefore the difference from getting a Symbian Developer Certificate consists in the amount of capabilities I am allowed to use, right?
    (If I get a Symbian Developer Certificate I could use more, and that depends on the number of IMEIs I apply for).

    3. Then, after using MakeKeys, “it is up to developer” to send the certificate request to be signed by a trusted third party.
    This step, I guess, becomes useful just from the moment I decide to deploy my application to someone else.
    But again, since at step one I didn’t specify my IMEI, shouldn’t my self-signed application already be installable by other users if it only uses User-grantable capabilities?

    Am I missing something?

    Thanks for your help,
    Mik

  4. #4
    Nokia Developer Moderator
    Join Date
    Feb 2006
    Location
    Budapest, Hungary
    Posts
    28,572

    Re: Security platform: controversial information

    Quote Originally Posted by mikfi
    Am I missing something?
    No, in fact you have already overcomplicated the method :-)
    1: Yes, with makekeys you generate everything that is necessary for self-signing an application
    2: Yes, self-signing is weaker than both normal and developer certificates
    3: No, if your application works with your certificate you are done: you can sign and spread your application.

    If your application does not work with self-signing, you have to send the application to somewhere (check on www.symbiansigned.com), and they will send you back a signed .sis file, ready for publishing. However it costs money, even when your application is just tested but rejected.
    And this is the point where DevCerts come into the picture: you get a certificate for "power-signing" but it will work only on a limited set (on 1 or 1-20 different IMEI-s by default) of devices.

  5. #5
    Registered User
    Join Date
    Oct 2006
    Location
    Cumbria, UK
    Posts
    4

    Re: Security platform: controversial information

    So here’s a summary of the actual deployment options. Is it correct?

    Scenario: Simple application, uses no platsec capabilities.
    What we do: MMP file has Capabilities: none. Sign the SIS file with a signature generated on the fly by signsis.
    Result: Application installs on any phone, can access network etc, but will always warn the user first.

    Scenario: Typical application, uses some simple platsec capabilities.
    What we do: Generate a private key file for our organisation/department and pay Verisign to validate it and send us a certificate. Put capabilities required in the MMP file. Sign application with signsis passing the private key and certificate. Send result to Test House; if it passes, they get Symbian to countersign the SIS file.
    Result: Countersigned application installs on any phone, does whatever it’s allowed to.

    Scenario: Demanding application, uses restricted platsec capabilities.
    What we do: As above... but...

    Errr: how do we persuade a test house to grant extended capabilities?

  6. #6
    Nokia Developer Moderator
    Join Date
    Feb 2006
    Location
    Budapest, Hungary
    Posts
    28,572

    Re: Security platform: controversial information

    Approximately. However you may want to search for "Assigning Capabilities" in the SDK Help. For example there are user grantable capabilities.
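The split discussed in posts #5 and #6, as an added example that is not part of the original thread: it reads the `CAPABILITY` lines of an MMP file and reports whether self-signing is enough or a trusted signature (DevCert or Symbian Signed, per post #4) is needed. The function names and the sample MMP are constructed for illustration; the default user-grantable set is the one quoted from the book in post #1 and is a parameter because that quote ties it to a particular security policy.

```python
import re

# The 20 Symbian OS v9 platform security capabilities accepted by the MMP CAPABILITY keyword.
ALL_CAPABILITIES = """TCB CommDD PowerMgmt MultimediaDD ReadDeviceData
WriteDeviceData DRM TrustedUI ProtServ DiskAdmin NetworkControl AllFiles SwEvent
NetworkServices LocalServices ReadUserData WriteUserData Location SurroundingsDD
UserEnvironment""".split()
_BY_LOWER = {c.lower(): c for c in ALL_CAPABILITIES}

# Assumption: user-grantable set under the policy quoted from the book in post #1.
# Pass a different set if the target device's policy differs.
BOOK_POLICY_USER_GRANTABLE = frozenset({"LocalServices", "UserEnvironment"})

SAMPLE_MMP = """\
TARGET        btchat.exe   // constructed sample, not from the thread
TARGETTYPE    exe
CAPABILITY    LocalServices UserEnvironment
"""

def parse_mmp_capabilities(mmp_text):
    """Return the set of capabilities requested by the CAPABILITY lines of an MMP file."""
    caps = set()
    for line in mmp_text.splitlines():
        line = line.split("//", 1)[0].strip()          # drop // comments
        m = re.match(r"(?i)capability\s+(.*)$", line)  # keyword is case-insensitive
        if not m:
            continue
        for token in m.group(1).split():
            name = token.lstrip("+-").lower()
            if name == "none":
                caps.clear()
            elif name == "all":
                caps.update(ALL_CAPABILITIES)
            elif name not in _BY_LOWER:
                raise ValueError("unknown capability: " + token)
            elif token.startswith("-"):                # e.g. "ALL -TCB"
                caps.discard(_BY_LOWER[name])
            else:
                caps.add(_BY_LOWER[name])
    return caps

def signing_route(mmp_text, user_grantable=BOOK_POLICY_USER_GRANTABLE):
    """Return (route, capabilities): which capabilities decide the signing route."""
    requested = parse_mmp_capabilities(mmp_text)
    beyond = sorted(requested - user_grantable)
    if beyond:  # needs a DevCert (IMEI-limited) or Symbian Signed
        return "trusted-signature", beyond
    return "self-signed", sorted(requested)
```
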

  7. #7
    Super Contributor
    Join Date
    Mar 2003
    Location
    Tampere, Finland
    Posts
    1,115

    Re: Security platform: controversial information

    To get a better overview of the process for granting sensitive (manufacturer) capabilities you should read the short slideset available at http://www.forum.nokia.com/info/sw.n..._0_en.pdf.html
