Franklin Heath Ltd

Master Your Information Assets

  • Categories

  • Meta

Signed Malware, Revoked

Posted by Craig H on 16 July 2009

A number of blogs and news sites have picked up on a report from Dancho Danchev last week, identifying some malware that was submitted to, and signed by, the Symbian Signed portal.

As soon as we were notified of that (the following day) we revoked both the content certificate and the publisher certificate used to sign the malware. That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on. Unfortunately, revocation checking is often turned off by phone manufacturers, because the data traffic could cause problems for people who do not have a data plan as part of their service or who pay for data by volume.

Here’s how to turn on revocation checking, which we strongly recommend if you have a flat-rate data plan:

On S60 3rd and 5th edition, the setting to turn on revocation checks can be found in the application manager, for example:

Tools →
    Settings →
       Applications →
            App. manager →
                Online Certificate Check

On UIQ 3, the setting to turn on revocation checks can be found here:

Control Panel →
    Other →
        Install →
            Security →
                Enable Revocation Check

Please note that applications not signed by Symbian Signed may not include the URL for the revocation check in the signing certificate. In these cases, the software installer can direct the revocation check request to a default URL, however at present there is no server in place able to respond to such default requests, so the default URL should be left unset.

So that applications not signed by Symbian Signed (for example, those signed by the phone manufacturer, or self-signed by third parties) can still be installed, the revocation check should not be set to mandatory (for example, “Must Be Passed” for S60), it should be left as advisory (for example, “On” for S60).

We do have security measures which try to catch submitted malware before it gets signed, and we are currently investigating how those can be improved in the light of this latest incident.

Footnote: Earlier today we found that, due to human error in processing the revocation, it wasn’t being properly reported by the server. This has now been corrected.

7 Responses to “Signed Malware, Revoked”

  1. Petra S said

    Thanks Craig. Good job on acting fast on this case, and investigating further security measures on Symbian Signed. Please keep us posted on the findings, and if any changes are done. I am assuming this blog is the best place to follow on this topic?

    • Craig H said

      Thanks Petra! The place for discussion of future changes to Symbian Signed is the forum here.

      There’s already a discussion there about possible changes to the test criteria.

  2. gangs said

    Hi Craig,
    Thanks for the quick update. I had a couple of queries:
    so basically the issue can only be circumvented by revoking the certificate. Am I correct in stating that, OCSP being configurable because the medium of validation is GPRS poses a security issue? As far as I can see we have 2 issues here – one is preventing any one else from installing the app – by revoking the certificate that is what we have achieved.
    Secondly, to prevent users who have already installed the app from running it – Doesn’t the installer store the certificate details associated with each installation? if yes, then can’t we provide the users an option later to perform OCSP check for already installed apps. Sure this does not solve the problem completely, but if the bad app has not done much harm the user has a chance to remove it from her device. She does not need to go to sites and check whether the apps installed in her device are all fine.
    Does this sound doable?


    • Craig H said

      @gangs: There is an API which allows a revocation check to be done on an application after it has been installed, but I don’t think it can be accessed from the UI if I remember correctly. The API is the CheckRevocationStatus method of class Swi::RSisRevocationEntry. Perhaps someone could write and contribute a utility that iterates through the SIS registry performing a revocation check on each installed app?

  3. Pern said

    Hi Craig, just wondering whether the list of certified applications, and certificates that have been revoked can be found online. I am interested to look at the challenges of software installation from the user and economic perspectives. Thanks.

  4. […] will point out that a few recent known viruses have been Symbian Signed, it appears as though the Symbian Foundation is actually doing something about that, which is stinkin awesome. Share […]

  5. Joe Torres said

    Cheers for all the help and tips, Symbian can be funny, imagiane if we had to do this kind of thing with Windows!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: