Please note that as of October 24, 2014, the Nokia Developer Wiki will no longer be accepting user contributions, including new entries, edits and comments, as we begin transitioning to our new home, in the Windows Phone Development Wiki. We plan to move over the majority of the existing entries over the next few weeks. Thanks for all your past and future contributions.

Widget Platform Security

From Wiki
Jump to: navigation, search
Article Metadata
Created: ck.umraliya (10 Jan 2009)
Last edited: hamishwillee (26 Jul 2012)



Following are some of the points of the security policy for widgets running on S60 mobile devices:

  • Unlike sis file, Widgets need not to be signed.
  • Widgets are considered untrusted by the device platform currently. Widget access to platform services is controlled and that mobile device users must grant permission.
  • Widgets access the network through the Web Browser for S60.
  • Widgets access S60 platform services through Javascript Service APIs. For WRT 1.0, the Web Runtime controls access to platform services through the Web Browser for S60. For WRT 1.1, the Web Runtime utilizes Runtime Security Manager to enable access control to platform services.

Runtime Security Manager

The Runtime Security Manager controls access to platform services for Web Runtime version 1.1 widgets. The security manager uses this policy to determine whether a widget has access to a platform service and then prompts the mobile device user accordingly. Access policy for all WRT 1.1 is determined by the device manufacturer, It cannot be customized by developer or user. WRT 1.1 provides a default access policy that mobile devices can use if they do not define their own.

The widget security life cycle for WRT 1.1 is as follows:

  • WRT 1.1 files an access policy with the security manager.
  • The widget is registered by the Security manager when it is installed.
  • WRT 1.1 starts a session with the security manager each time that it attempts to access a new platform service.
  • During a session, the security manager performs run time access control according to the access policy.
  • The widget is unregistered by the Security manager when it is uninstalled.

RSM Access Policy

The Run time Security Manager access policy defines:

  • A set of capabilities that are allowed automatically to the widget or are granted to via prompts.
  • The Access duration/Session. The durations supported for WRT 1.1 are one time or while the widget is launched.

The following capabilities are supported for WRT 1.1

  • ReadUserData: Read access to user confidential data(contacts, messages, appointments, and notes).
  • WriteUserData: Write access to user confidential data(contacts, messages, appointments, and notes).
  • Location: Access to location information of the mobile device.
  • NetworkServices: Access to remote services without regard to the mobile device location(voice calls and SMS).

The following table lists the capabilities defined for each Service API by the default WRT 1.1 access policy. All capabilities are granted for the session.

Table: Default capabilities for WRT 1.1 widgets

Javascript Service API Capability
Application Manager ReadUserData
Calender ReadUserData, WriteUserData
Location Location
Logging ReadUserData, WriteUserData
SystemInfo ReadUserData, Location
Contacts ReadUserData, WriteUserData
Landmarks ReadUserData, WriteUserData
Messaging ReadUserData, WriteUserData, NetworkServices
This page was last modified on 26 July 2012, at 05:07.
48 page views in the last 30 days.

Was this page helpful?

Your feedback about this content is important. Let us know what you think.


Thank you!

We appreciate your feedback.