Franklin Heath Ltd

Master Your Information Assets

  • Categories

  • Meta

The Symbian Signed Story, Part 4

Posted by Craig H on 2 July 2010

It really is time that I brought my very occasional series of posts on the history of Symbian Signed up to date. We have some future changes in the pipeline that we are hoping will make things still less of a burden for developers, and I think it’s helpful to put that in the context of what has gone before (a 6 year history of incremental improvements).

In the last instalment, I had got up to 2006, when the first phones with platform security started shipping. This was a major turning point in the perception of Symbian Signed, as before then it was an optional thing for developers, but afterwards it was a requirement for access to the more security-sensitive APIs on the platform. I’ve already explained (I hope!) why that was necessary, but it did mean that some developers who would really rather not care about security now were forced to, and started to complain very loudly about it.

The first significant change in the Symbian Signed processes came in late 2007 with the introduction of Express Signed. Prior to that, all submissions had to undergo individual testing by a test house, which the developer paid for (typical charges were in the region of $300-$400). With Express Signed, the developer was not required to pay for individual testing, but they affirmed that they had performed the tests themselves and that the submission passed the test criteria. A percentage of the submissions were audited by a test house after being signed; the costs of those random audits were spread across the charges for all submissions, so the charge per submission was much reduced, down to $20.

The previous, paid-for individual testing, process (now called Certified Signed) was kept for those that wanted the benefits of an independent tester. Certified Signed was also still required for applications that used the seven most dangerous capabilities (CommDD, MultimediaDD, NetworkControl, DiskAdmin, Drm, AllFiles and Tcb).

The next change to Symbian Signed processes was the introduction of Open Signed Online in early 2008. Prior to this, developers of applications using more than user-grantable capabilities needed a Developer Certificate to test their applications on a real phone.

Developer Certificates for one phone with most widely used capabilities were available to developers for free, but to request a certificate for multiple phones or more sensitive capabilities a paid-for Publisher ID was needed. Developer Certificates are now called Open Signed Offline because you can use them to sign a new build of your application at any time without going back to the Symbian Signed portal.

Open Signed Online, on the other hand, was introduced to avoid the complexity of having to download the devcertrequest tool, submit a certificate request, download and install the certificate, and then sign your SIS file. It’s a free service that allows developers to simply upload an application that they want to test on their phone (identified by its IMEI) and then download a signed copy of it that they can immediately install. After this, developer certificates were only available for developers with a Publisher ID, as Open Signed Online was simpler for those without one.

The most recent change to Symbian Signed came with the introduction of considerably simplified test criteria, resulting from a public discussion in the second half of 2009. The aim was to concentrate on testing that the application didn’t damage the device operation or configuration, removing some of the tests that were more targeted at general quality issues in the application itself. As a result of the simplified criteria, the charge for Express Signed submissions was reduced to €10, and the charge for Certified Signed testing was reduced to €150, in early 2010.

Looking back over the 6 years, the various incremental improvements have added up to a substantial reduction in cost and inconvenience for developers. When Symbian Signed was first introduced, it could cost well over $1000 for a developer to get their first application signed for public distribution ($395 for a Publisher ID and $800 or more for testing of a complex application) and turnaround could be several days; today the same application could be signed for a little over $200 ($200 for a Publisher ID and €10 for Express Signed) with no waiting.

Even so, we acknowledge that this is still too expensive for many small-scale and independent developers, and the next round of changes should provide another big reduction in the costs. Stay tuned!

One Response to “The Symbian Signed Story, Part 4”

  1. lassi said

    the complaining was not just about ‘security’, it was also about the rigths for just starting the development – just accessing the apis as they worked on the devices – just for developing – got hampered seriously as platsec was brought to devices before there were proper channels for it to function as intended. imagine going through the “proper” channels and having to wait for months(nearing to a year+) to get the OK to get the developing rights just to port over your product from 2nd edition. I say “proper” because there weren’t any proper protocol for it. some companies who had longer relations with the major manufacturer benefitted from this as it cut down competitions possibilities to even test if the api’s actually were implemented.

    on the current ecosystem you could look at popular wifi 3g sharing program, while programming a competitor for it might be trivial, getting the ok from inside a phone manufacturer controlling access to the needed api’s isn’t.

    so platsec was introduced into an environment that was not ready for it at all and neither was symbian signed site ready for it or thought to the end nor were the manufacturer reps ready to deal with it.

    thing is, platsec needs a philosophical distinction between ‘developers’ and ‘users’ – that automatically creates a privilidged group the ‘developers’ who can do things and the users who can’t.

    but since anyone can say to be a developer a barrier for entry was needed – so one day came and you couldn’t use any old email address with anymore but needed YOUR OWN DOMAIN! or at least one that wasn’t blacklisted yet for having too many registrations. this is the thing that they should have made up their minds about before introducing platsec as something you can’t turn off on the phone(as flooding of with registrations was inevitable with the setup they created).

    of course some of the problems that developers had to deal with came from other issues with it – for example, it wasn’t such a big issue on 2nd edition that the installer was buggy as you could do work arounds that would make everything work fine and clean up after the installer your self and even place your own sis stubs so that the installer would clean up things properly on uninstall(without it deleting things it shouldn’t have because they belonged to a different package). but on 3rd edition you couldn’t and the installer was still buggy in places.

    “s60 – open to new features” was a slogan that was used, at the same time that slogan appeared s60 was closed up so that you had to get “all -tcb” to install a ringtone codec, which is something that people will tell you that you just can’t get(you can though! but it’s not trivial).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: