Meet the Package Owners: Timo
Posted by Craig H on 5 November 2009
Completing the set of package owners in the security technology domain is Timo J. Heikkinen, owner of the Security Services package (and also the Application Installation package in the runtimes technology domain):
Q: How long have you been working with Symbian code? What did you do before that?
Since I joined Nokia, about ten years ago, and all that time around Symbian OS security-related issues. Before that I was implementing Windows UI code in another company.
Q: What packages do you work on, and what are they used for?
The Application Installation package contains components for application installation, management, and distribution. It has Application Installer dialogs, Application Manager Settings plug-in, Application Update client, Software Installer engine, and the Content Download engine used by the Update client.
The Application Installer has a plug-in mechanism for additional runtimes, which will be replaced by a new one in Symbian^4, called the Universal Software Installer Framework (USIF), which will act as a common interface between the UI and runtime-specific installers.
The Security Services package is a collection of middleware-layer components having some kind of connection to security; most of them also have some sort of UI. It includes key lock, device lock and remote lock, also different certificate-related user dialogs like the warning of untrusted certificates popping up from SSL/TLS connections. The untrusted certificate warning dialog might be the certificate dialog people are most aware of, and not necessarily in a positive way.
The Certificate Manager Settings plug-in, Certificate Saver and PKCS #12 library are also in this package, as are WIM and GBA components.
Q: Are there any projects you would encourage newcomers to get involved in?
Perhaps the most welcome would be improvements in SIS handling and the .pkg format. People who implement add-on Symbian applications distributed in SIS packages will be aware that there are opportunities for improvement in the SIS package processing, for example to get information on the device configuration during installation and to install different files based on that information.
For developers coming from other platforms, we are open for contribution of new runtime-specific installers and new installation package formats, for example the Debian package format used in Linux could be supported in the Symbian Platform as well. Obviously the same packages and binaries cannot be used, only the packaging format itself, but even this could somewhat reduce the barrier to port applications from other operating systems to Symbian. USIF will be there to provide a plug-in mechanism to add support for new runtime installers and installation package formats.
On the Security Services front, new innovative ways to unlock key and device lock are most welcome. The current implementation doesn’t have a plug-in mechanism, so alternative device unlock mechanisms are not easy to add at the moment. We would like to fix this by using the authentication server from the OS Security package for device lock, but that work hasn’t started yet and there are no firm plans. Migration of device lock to use the authentication server would be a very valuable contribution.
Contributions in certificate handling functionality, like import of certificates and, generally, improvements in everything related to SSL/TLS certificates which has created headaches for applications and users, are very much encouraged.
Q: What would you say is the biggest challenge for mobile device security?
I am sad to say this, but the biggest challenge is developers who don’t take security into account when developing their applications. The basic security needs of an application can be handled on the Symbian Platform with some very simple steps:
- Protect your sensitive APIs (if any) with capabilities
- Put your sensitive data (if any) into your application’s private directory
- Last but not least, test your application interfaces, especially the ones receiving data from external sources, with malformatted data to detect buffer overflows.
Q: Which is your favourite Symbian-powered device?
Always the one we are working on at the moment, the one not yet in the shops.
Q: When you’re not working on Symbian code, what do you like to do for fun?
I like to listen to records and sometimes go to live concerts. Different kinds of pop/rock/metal music do for me as long as the music has a good feeling. There is a rock club near where I live so it is easy to go to see something even if I am not a particular fan.