Thread: signed/unsigned

  1. #1
    Regular Contributor
    Join Date
    Jul 2003
    Posts
    69

    signed/unsigned

    Hello,
    I read about signing apps:
    https://www.symbiansigned.com/how_do...ion_signed.pdf

    but I still need help. I have one question:
    if my app is self-signed,
    how will that affect the phone?
    What if the user from app manager (software installation all)
    will my app install on the phone device and work functionally?


    regards
    Wael

  2. #2
    Registered User
    Join Date
    Dec 2006
    Posts
    2,280

    Re: signed/unsigned

    Hi Wael,

    If your application is self-signed then it can still install as long as the UID is from the unprotected range. The user will get a warning on installation that the application is from an untrusted source (or something like that). Whether it works or not after that will depend on what capabilities your application uses. If it doesn't need any then it will work fine. If it needs some user grantable capabilities then the user will have to allow the application to use them for it to work. If you need some capabilities that the user cannot grant then I'm afraid you'll need to go through Symbian Signed.

    I hope that answers your question?

    Sorcery

  3. #3
    Regular Contributor
    Join Date
    Jul 2003
    Posts
    69

    Re: signed/unsigned

    Hi Sorcery-ltd,
    thanks for your answer.
    It would use location/network info,

    but this is a big pain.
    Does Symbian want developers to go to another OS like Windows Mobile?

    For example, CommDD: why is CommDD a capability?
    I am just a developer and not a big company. What if I want to sell my Symbian OS?

    There are many forms of security!!! But for most it must be controlled by the user; he can open his mobile or stop it, and it should not be mandatory by the OS.
    But signing the app is not a proof of high quality of the app!!

    Regards
    Wael

  4. #4
    Registered User
    Join Date
    Dec 2006
    Posts
    2,280

    Re: signed/unsigned

    Hi Wael,

    The good news is that location and network services (is that what you mean? - there isn't a network info as far as I'm aware) are likely to be user grantable. Most likely your application can be self signed. The user will just have to grant the capabilities.

    One of the reasons we have platform security is that some of the APIs on the phone are very powerful and if used maliciously or just carelessly they could break the phone functionality, or cost the user a lot of money. APIs requiring CommDD are an example of this. So, it was decided some sort of security was needed to protect the end users and the networks. It isn't very popular with developers. Hopefully the developers will benefit because end users will trust their applications when they are signed - but that is still to be seen.

    I am just a developer too, and I don't work for a big company (although I used to work for phone manufacturers so I have seen from the inside too). You should be able to develop most applications with just the user grantable capabilities. If you really need to use the restricted capabilities then your application ought to be doing something useful/clever with it which is worth some money. In that case it should be worth the investment in getting it signed - it is not THAT expensive.

    Signing is not really supposed to be proof of the application quality, it really just says it has been tested by an independent test house who don't think it will do anything bad!

    I actually agree with you - the user should have ultimate control. There should be a setting that allows the user to grant any capability (probably not the default). I can install unsigned device drivers into windows and I just get warned about the possible consequences. The end user should just be warned about the potential results of granting an untrusted application certain capabilities and given the choice. If they don't understand they should say NO. If they don't then it's their fault when things go wrong!

    Good luck with your development! By the time you are finished perhaps there will be some changes that make it easier for independent developers to get their applications signed.

    Sorcery

  5. #5
    Regular Contributor
    Join Date
    Jul 2003
    Posts
    69

    Re: signed/unsigned

    Hello,

    I just need the area code (cell info):
    iCellId, iCountryCode, iLocationAreaCode, members of class TNetworkInfoV2.

    About the other issue:
    if I am not wrong,
    I think that I can write to the file c:\test.dat with a normal self-signed app.

    Also, what about Bluetooth apps?

    Thank you, Sorcery. I just feel that signing is a big pain.


    regards


    Quote Originally Posted by Sorcery-ltd
    Hi Wael,

    The good news is that location and network services (is that what you mean? - there isn't a network info as far as I'm aware) are likely to be user grantable. Most likely your application can be self signed. The user will just have to grant the capabilities.

    One of the reasons we have platform security is that some of the APIs on the phone are very powerful and if used maliciously or just carelessly they could break the phone functionality, or cost the user a lot of money. APIs requiring CommDD are an example of this. So, it was decided some sort of security was needed to protect the end users and the networks. It isn't very popular with developers. Hopefully the developers will benefit because end users will trust their applications when they are signed - but that is still to be seen.

    I am just a developer too, and I don't work for a big company (although I used to work for phone manufacturers so I have seen from the inside too). You should be able to develop most applications with just the user grantable capabilities. If you really need to use the restricted capabilities then your application ought to be doing something useful/clever with it which is worth some money. In that case it should be worth the investment in getting it signed - it is not THAT expensive.

    Signing is not really supposed to be proof of the application quality, it really just says it has been tested by an independent test house who don't think it will do anything bad!

    I actually agree with you - the user should have ultimate control. There should be a setting that allows the user to grant any capability (probably not the default). I can install unsigned device drivers into windows and I just get warned about the possible consequences. The end user should just be warned about the potential results of granting an untrusted application certain capabilities and given the choice. If they don't understand they should say NO. If they don't then it's their fault when things go wrong!

    Good luck with your development! By the time you are finished perhaps there will be some changes that make it easier for independent developers to get their applications signed.

    Sorcery

  6. #6
    Registered User
    Join Date
    Dec 2006
    Posts
    2,280

    Re: signed/unsigned

    Oh - it looks like you might have a problem there.

    According to the SDK documentation you need both:
    ReadDeviceData
    Location

    to request the location info from CTelephony via GetCurrentNetworkInfo(). Perhaps there is another solution?

    I don't think ReadDeviceData is user grantable - someone please correct if I am wrong?

    I think you would need WriteUserData to write c:\test.dat but that should be user grantable, so you could self-sign.

    Generally I think you need LocalServices capability to use Bluetooth which should also be user grantable.

    I hope that has answered your questions?

    Sorcery
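
The rules given in posts #2 and #6, applied to a project file, as an added example that is not part of the original thread: it reads the `UID` and `CAPABILITY` statements of an MMP file and reports whether self-signing would be enough. The capability tiers, the `0x80000000` boundary for the unprotected UID range, the sample MMP values and the function names are assumptions of this sketch; the thread itself is unsure about `Location` and `ReadDeviceData`.

```python
# Added example: capability tiers and UID boundary below are assumptions.
USER_GRANTABLE = {"localservices", "networkservices", "location",
                  "readuserdata", "writeuserdata", "userenvironment"}
UNPROTECTED_UID_MIN = 0x80000000  # assumed start of the unprotected UID range

# Constructed sample project file for the cell-info app discussed in the thread.
SAMPLE_MMP = """\
TARGET      cellinfo.exe
UID         0x100039CE 0xE0001234   // UID2 UID3 (constructed values)
CAPABILITY  Location ReadDeviceData WriteUserData
"""

def parse_mmp(text):
    """Return (uid3, capabilities) from the UID and CAPABILITY statements."""
    uid3, caps = None, []
    for raw in text.splitlines():
        tokens = raw.split("//", 1)[0].split()   # strip comments, tokenize
        if not tokens:
            continue
        keyword, args = tokens[0].upper(), tokens[1:]
        if keyword == "UID" and len(args) >= 2:
            uid3 = int(args[1], 16)              # second value is UID3
        elif keyword == "CAPABILITY":
            caps.extend(a for a in args if a.upper() != "NONE")
    return uid3, caps

def self_sign_report(text):
    """Self-signing needs an unprotected UID and only user-grantable capabilities."""
    uid3, caps = parse_mmp(text)
    grantable = [c for c in caps if c.lower() in USER_GRANTABLE]
    restricted = [c for c in caps if c.lower() not in USER_GRANTABLE]
    uid_ok = uid3 is not None and uid3 >= UNPROTECTED_UID_MIN
    return {
        "uid_unprotected": uid_ok,
        "user_must_grant": grantable,          # user is prompted at install
        "needs_symbian_signed": restricted,    # cannot be granted by the user
        "self_signable": uid_ok and not restricted,
    }

if __name__ == "__main__":
    for key, value in self_sign_report(SAMPLE_MMP).items():
        print(f"{key}: {value}")
```

For the sample, `ReadDeviceData` is the only capability that blocks self-signing, which matches the problem Sorcery points out for `GetCurrentNetworkInfo()`.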

  7. #7
    Regular Contributor
    Join Date
    Jul 2003
    Posts
    69

    Re: signed/unsigned

    Thanks Sorcery,
    I read the 3d docs and I was able to find how to know whether an API requires a CAPABILITY or not, and if it needs one, it shows what kind of CAPABILITY it requires.
    In general, signing or CAPABILITY is a pain for developers.

    And I have another question: how can the phone recognize the certificate?

    When I install an app, does it connect over GPRS (access point) and verify the certificate?



    Regards
    Wael

  8. #8
    Registered User
    Join Date
    Dec 2006
    Posts
    2,280

    Re: signed/unsigned

    That question is best answered by a real platform security expert... but they might not want to tell you?

    It doesn't have to connect over GPRS to verify the certificate. There are certain root certificates installed in the device and the certificates that you get from Symbian Signed will "chain" to those. I haven't really looked at how it works underneath in great detail, I just use it!

    It is possible for a certificate to be revoked but I assume that in that situation a message would have to be pushed to devices from the networks.

    Sorcery

  9. #9
    Super Contributor
    Join Date
    May 2003
    Location
    Vancouver, Canada
    Posts
    985

    Re: signed/unsigned

    As explained by Sorcery-ltd, there are some root certificates that are installed on the phone during manufacturing. You can check it from Tools | Settings | Security | Certif. management. There you can see root certificates on your device.

    When you install an application, it will check the certificate against these certificates. If the installer cannot verify the application's certificate, it will simply display unknown certificate -> thus the application is not trusted.

    One additional note: it is also possible to install an additional certificate on the phone using a .sis file -> it is not common, but possible.

    Antony
