Franklin Heath Ltd

Master Your Information Assets

Author Archive

Hey, I'm on the Radio!

Posted by Craig H on 2 June 2009

This morning the BBC World Service broadcast my response to their Digital Planet report on mobile malware. I’m pleased with the way it came out, thanks to Gareth Mitchell’s sympathetic interview and Michelle Martin’s excellent editing!

It’s repeated twice today and once tomorrow, and you can also listen online or download the podcast.

Posted in Malware | Leave a Comment »

Nokia Ovi Store Content Guidelines?

Posted by Craig H on 27 May 2009

eWeek published an article yesterday quoting an unnamed “Nokia spokesperson” describing Nokia’s criteria for accepting applications into the newly launched Ovi Store:

“Every publisher is passed through a review process prior to their content proceeding through the system. Once they have been approved, a developer’s content passes through a moderation process which looks at each content item and evaluates it against our content guidelines. After each content item passes the moderation step it proceeds through our quality assurance process which runs a set of test cases on the targeted devices according to the content type.”

It’s also stated that applications must go through Symbian Signed Express Signed before being submitted.

Posted in Applications | 2 Comments »

The Symbian Signed Story, Part 2

Posted by Craig H on 26 May 2009

Previously on The Symbian Signed Story:

  • Public launch on 18th May 2004
    A quality mark to replace “Nokia OK” and other manufacturer certifications
  • Self-supporting (neither subsidised nor profit-making)
    Fees for signing go to third-party Certificate Authority, fees for testing go to third-party test house
  • Security was not a primary goal
    Symbian OS didn’t have platform security until 2 years later

The next phase in the evolution of Symbian Signed focused on reducing the cost to developers of getting their apps certified. As we have noted, the fees paid by developers were divided between fees for signing (mainly for issuing publisher certificates) going to VeriSign and fees for testing going to Capgemini. Symbian therefore resolved to bring the benefits of an open market for signing and testing services to bear.

Posted in Applications | 3 Comments »

Behavioural Targeting

Posted by Craig H on 21 May 2009

[Sorry, I’m getting a bit behind on things I want to blog about, part 2 of the Symbian Signed story will be up soon!]

On Tuesday I attended a seminar in Westminster on the topic of “Behavioural Targeting, Social Networking and the Challenges of Online Privacy”. “Behavioural targeting” refers to monitoring users’ behaviour online and using the collected data to present them with targeted content (often in the form of advertising).

There was an interesting mix of participants, from government and the civil service (the Home Office had the largest representation of any one organisation) to privacy advocates (Open Rights Group), industry (notably Phorm) and journalists. I wasn’t the only one who thought this might be relevant to mobile – several mobile network operators were present. There is clear potential for monitoring significantly more personal information via a mobile device carried with you, compared to a work or home PC.

Posted in Privacy | 2 Comments »

Happy Birthday Symbian Signed!

Posted by Craig H on 18 May 2009

Symbian Signed launched publicly on 18th May 2004, which makes it five years old today 🙂

Although I can’t claim the credit (or blame!) for it, I have been somewhat involved with it for all that time, so I thought it might be useful to record some of the background and rationale. Symbian Signed now has an opportunity to develop in new directions, but it’s always good to be informed by the lessons of history.

Posted in Applications | 1 Comment »

The Mobile Malware Threat

Posted by Craig H on 5 May 2009

Last week, the BBC World Service radio programme Digital Planet included a piece on mobile phone viruses. This was based on research done at the Center for Complex Network Research (CCNR) entitled Understanding the Spreading Patterns of Mobile Phone Viruses.

Steve Litchfield of All About Symbian, pulling no punches, calls this “a load of BBC tosh” 🙂 To be fair though, I don’t particularly blame the BBC, who have simply taken journalistic license with the report’s main conclusion: “it is not unconcievable[sic] that the phase transition point will be reached in the near future, raising the possibility of major viral outbreaks.”

Unfortunately for the BBC and Professor Barabási at the CCNR, I think the research is flawed.

Posted in Malware | 9 Comments »

Security Patterns

Posted by Craig H on 4 May 2009

I’m on the program committee for the 3rd International Workshop on Secure Systems Methodologies Using Patterns (SPattern’09) and I’ve just submitted my reviews of submitted papers (2 days late, sorry!)

I first got involved in this several years ago, as a member of the Open Group Security Forum. Back then, using design patterns to address security problems was quite a new idea, and we spent a long time in the group (I think about 2 years!) coming up with a few basic Security Design Patterns, finally published in 2004.

Since then, there have been several books published on security patterns, and security is now an accepted domain of interest in the patterns community. The recent Symbian Press book, Common Design Patterns for Symbian OS, includes 4 patterns in the Security category, including one (Secure Agent) authored by yours truly 🙂

I believe etiquette dictates that I shouldn’t discuss the papers I reviewed, as they may or may not make it on to the final workshop programme, but if you are interested in taking advantage of the collected security expertise embodied in security patterns please make a note in your diary of the workshop dates: 31 Aug to 04 Sep 2009 in Linz, Austria.

I’ll update this post when the final workshop programme is published.

Posted in Patterns | 3 Comments »

Code Signing Can Be Trusted (but not blindly)

Posted by Craig H on 8 April 2009

Ben Laurie, who certainly knows security, and is a top bloke for the work he has done on FreeBMD, posted yesterday on why signatures don’t provide assurance of trustworthiness or quality.

I have to respectfully disagree on this.  The context is the W3C widget signing specification, and the wording in that spec that is at issue is:

“Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.”

If third-party CAs issue code signing certificates to widget authors, and the device trusts the widget authors’ signatures, then I agree it won’t assure either trustworthiness or quality.  I think that’s the model Ben is criticising (as in Microsoft Authenticode) and I agree with him so far as that goes.  There is, however, an alternative model which is the one that Symbian Signed has been successfully using for the past several years: the device doesn’t trust the developer’s signature, but the developer submits their signed application to a certification programme, which enforces acceptance criteria before re-signing the application with a different signature that is trusted by the device.

You can of course argue with the specific acceptance criteria, but surely this model can theoretically provide assurance of trustworthiness or quality, and the W3C widget signing spec can be used with that sort of signing scheme.
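The two trust models contrasted above, sketched as an added example (not code from this post, Symbian Signed or the W3C spec). Assumptions: Lamport one-time hash signatures stand in for a real code-signing scheme so the sketch needs only the standard library, the CA chain is simplified to the device holding author keys directly, and all function names, app strings and the acceptance criterion are hypothetical.

```python
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time signature key (stdlib-only stand-in for a real scheme):
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg)))

def certify(app, dev_sig, dev_pk, programme_sk, criteria):
    # Certification programme: authenticate the submitter, enforce the
    # acceptance criteria, then re-sign with the key the device trusts.
    if not verify(dev_pk, app, dev_sig):
        return None
    if not all(check(app) for check in criteria):
        return None
    return sign(programme_sk, app)

def device_installs(app, sig, trusted_keys):
    return any(verify(pk, app, sig) for pk in trusted_keys)

def demo():
    criteria = [lambda app: b"send_premium_sms" not in app]  # constructed rule
    good, bad = b"widget: show weather", b"widget: send_premium_sms"
    (g_sk, g_pk), (b_sk, b_pk), (p_sk, p_pk) = keygen(), keygen(), keygen()
    g_sig, b_sig = sign(g_sk, good), sign(b_sk, bad)
    cert = certify(good, g_sig, g_pk, p_sk, criteria)
    return {
        # Model 1: the device trusts author keys, so any signed app installs.
        "author_trusted_bad_installs": device_installs(bad, b_sig, [g_pk, b_pk]),
        # Model 2: the device trusts only the programme's key.
        "author_sig_alone_installs": device_installs(good, g_sig, [p_pk]),
        "bad_app_certified": certify(bad, b_sig, b_pk, p_sk, criteria) is not None,
        "certified_installs": device_installs(good, cert, [p_pk]),
        "tampered_installs": device_installs(good + b"!", cert, [p_pk]),
    }
```

In the second model the assurance comes entirely from what `criteria` checks; the signature only binds the approved bytes to the programme's decision.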

Posted in Applications | 6 Comments »

Many Eyes and Security Incentives

Posted by Craig H on 1 April 2009

[sorry this ended up being so long, I couldn’t see a good way to split it into smaller posts!]

I am often asked whether I think that publishing the complete source code to the Symbian Platform will result in more security vulnerabilities being exploited by the “bad guys” (Internet fraudsters, malware writers, software pirates, etc.)

The short answer to that is: No. I’m confident that the advantages of collaborative open source development will more than outweigh any disadvantages of potential attackers getting easier access to the implementation details of the Symbian OS security mechanisms. There is however a longer answer explaining why I think that, which is what I’d like to share in this blog post.

Posted in Open Source, Vulnerabilities | 2 Comments »

What Does Privacy Mean in the Information Age?

Posted by Craig H on 24 March 2009

I have long respected Bob Blakley’s opinions on security and privacy issues (I don’t actually remember when we first met, but it would have been roughly in the mid-1990s I think). He often defines privacy as “the ability to lie about yourself and get away with it” (see here for example, but he was saying it years before that too). Note that his point isn’t that people should necessarily have a right to lie about themselves, but that thinking about whether they can or not is a useful way of measuring the otherwise abstract concept of privacy.

I often ponder whether we (that is, developers of mobile device software) are doing enough to help users look after their privacy.  It’s often stated that end users aren’t interested in privacy, or don’t value it appropriately.  Professor Ed Felten has written an interesting counterpoint to that view, and I think it is important that we provide users with easy-to-understand choices, so they can make rational and informed decisions about sharing their personal information.  I like to use Flickr as an example; their privacy controls are simple, understandable and widely used.  You might use Facebook as a counter-example; they have many different privacy controls and it’s not obvious (even for security professionals!) how to configure them sensibly.

An interesting case study for mobile is Google Latitude (now available in the Google Maps native client for S60 3rd Edition).  Many of my Symbian and Nokia colleagues have signed up recently, and I’ve been wondering how Bob’s definition of privacy might apply to it.   My inclination, as a security professional, is not to sign up; once you do, the fact that you may then choose not to share your location at a particular time, or with a particular person, is itself information about you.  I wonder how much privacy you might lose by implicitly sharing that information.  Think of it as a statement: “Craig is doing something that he doesn’t want you to know about” 🙂

So, this leads me to a question – can I use Google Latitude to lie about my location? It seems there is a manual “set my location” option, which is promising, but then I wonder how easy it will be for Latitude friends to tell the difference between that and GPS or cell ID-derived location. I also wonder if there’s an API I can use to update my Latitude location programmatically (I doubt anyone would ever bother with that, but it would surely be privacy-friendly to have the option).  Maybe I will sign up and have a play with it (or maybe I won’t, so you won’t be surprised if you get no response to a Latitude friend request ;-)).

What other privacy issues might there be on mobile devices (either in the OS or in applications) which we should worry about?

Posted in Privacy | 5 Comments »