Franklin Heath Ltd

Master Your Information Assets


The Symbian Signed Story, Part 3

Posted by Craig H on 8 June 2009

Previously on The Symbian Signed Story:

  • Symbian Signed costs reduced by open market for services
    Developers could choose between 3 test houses and 2 certificate authorities

And now, introducing platform security…


Posted in Applications | 1 Comment »

Hey, I'm on the Radio!

Posted by Craig H on 2 June 2009

This morning the BBC World Service broadcast my response to their Digital Planet report on mobile malware. I’m pleased with the way it came out, thanks to Gareth Mitchell’s sympathetic interview and Michelle Martin’s excellent editing!

It’s repeated twice today and once tomorrow, and you can also listen online or download the podcast.

Posted in Malware | Leave a Comment »

Nokia Ovi Store Content Guidelines?

Posted by Craig H on 27 May 2009

eWeek published an article yesterday quoting an unnamed “Nokia spokesperson” describing Nokia’s criteria for accepting applications into the newly launched Ovi Store:

“Every publisher is passed through a review process prior to their content proceeding through the system. Once they have been approved, a developer’s content passes through a moderation process which looks at each content item and evaluates it against our content guidelines. After each content item passes the moderation step it proceeds through our quality assurance process which runs a set of test cases on the targeted devices according to the content type.”

It’s also stated that applications must go through Symbian Signed Express Signed before being submitted.


Posted in Applications | 2 Comments »

The Symbian Signed Story, Part 2

Posted by Craig H on 26 May 2009

Previously on The Symbian Signed Story:

  • Public launch on 18th May 2004
    A quality mark to replace “Nokia OK” and other manufacturer certifications
  • Self-supporting (neither subsidised nor profit-making)
    Fees for signing go to third-party Certificate Authority, fees for testing go to third-party test house
  • Security was not a primary goal
    Symbian OS didn’t have platform security until 2 years later

The next phase in the evolution of Symbian Signed focused on reducing the cost to developers of getting their apps certified. As we have noted, the fees paid by developers were divided between fees for signing (mainly for issuing publisher certificates) going to VeriSign and fees for testing going to Capgemini. Symbian therefore resolved to bring the benefits of an open market for signing and testing services to bear.


Posted in Applications | 3 Comments »

Behavioural Targeting

Posted by Craig H on 21 May 2009

[Sorry, I’m getting a bit behind on things I want to blog about, part 2 of the Symbian Signed story will be up soon!]

On Tuesday I attended a seminar in Westminster on the topic of “Behavioural Targeting, Social Networking and the Challenges of Online Privacy”. “Behavioural targeting” refers to monitoring users’ behaviour online and using the collected data to present them with targeted content (often in the form of advertising).

There was an interesting mix of participants, from government and the civil service (the Home Office had the largest representation of any one organisation) to privacy advocates (Open Rights Group), industry (notably Phorm) and journalists. I wasn’t the only one who thought this might be relevant to mobile – several mobile network operators were present. There is clear potential for monitoring significantly more personal information via a mobile device carried with you, compared to a work or home PC.


Posted in Privacy | 2 Comments »

Happy Birthday Symbian Signed!

Posted by Craig H on 18 May 2009

Symbian Signed launched publicly on 18th May 2004, which makes it five years old today 🙂

Although I can’t claim the credit (or blame!) for it, I have been somewhat involved with it for all that time, so I thought it might be useful to record some of the background and rationale. Symbian Signed now has an opportunity to develop in new directions, but it’s always good to be informed by the lessons of history.


Posted in Applications | 1 Comment »

The Mobile Malware Threat

Posted by Craig H on 5 May 2009

Last week, the BBC World Service radio programme Digital Planet included a piece on mobile phone viruses. This was based on research done at the Center for Complex Network Research (CCNR) entitled Understanding the Spreading Patterns of Mobile Phone Viruses.

Steve Litchfield of All About Symbian, pulling no punches, calls this “a load of BBC tosh” 🙂 To be fair though, I don’t particularly blame the BBC, who have simply taken journalistic license with the report’s main conclusion: “it is not unconcievable[sic] that the phase transition point will be reached in the near future, raising the possibility of major viral outbreaks.”

Unfortunately for the BBC and Professor Barabási at the CCNR, I think the research is flawed.

Posted in Malware | 9 Comments »

Security Patterns

Posted by Craig H on 4 May 2009

I’m on the program committee for the 3rd International Workshop on Secure Systems Methodologies Using Patterns (SPattern’09) and I’ve just submitted my reviews of submitted papers (2 days late, sorry!)

I first got involved in this several years ago, as a member of the Open Group Security Forum. Back then, using design patterns to address security problems was quite a new idea, and we spent a long time in the group (I think about 2 years!) coming up with a few basic Security Design Patterns, finally published in 2004.

Since then, there have been several books published on security patterns, and security is now an accepted domain of interest in the patterns community. The recent Symbian Press book, Common Design Patterns for Symbian OS, includes 4 patterns in the Security category, including one (Secure Agent) authored by yours truly 🙂

I believe etiquette dictates that I shouldn’t discuss the papers I reviewed, as they may or may not make it on to the final workshop programme, but if you are interested in taking advantage of the collected security expertise embodied in security patterns please make a note in your diary of the workshop dates: 31 Aug to 04 Sep 2009 in Linz, Austria.

I’ll update this post when the final workshop programme is published.

Posted in Patterns | 3 Comments »

Code Signing Can Be Trusted (but not blindly)

Posted by Craig H on 8 April 2009

Ben Laurie, who certainly knows security, and is a top bloke for the work he has done on FreeBMD, posted yesterday on why signatures don’t provide assurance of trustworthiness or quality.

I have to respectfully disagree on this.  The context is the W3C widget signing specification, and the wording in that spec that is at issue is:

“Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.”

If third-party CAs issue code signing certificates to widget authors, and the device trusts the widget authors’ signatures, then I agree it won’t assure either trustworthiness or quality.  I think that’s the model Ben is criticising (as in Microsoft Authenticode) and I agree with him so far as that goes.  There is, however, an alternative model which is the one that Symbian Signed has been successfully using for the past several years: the device doesn’t trust the developer’s signature, but the developer submits their signed application to a certification programme, which enforces acceptance criteria before re-signing the application with a different signature that is trusted by the device.

You can of course argue with the specific acceptance criteria, but surely this model can theoretically provide assurance of trustworthiness or quality, and the W3C widget signing spec can be used with that sort of signing scheme.

Posted in Applications | 6 Comments »

Many Eyes and Security Incentives

Posted by Craig H on 1 April 2009

[sorry this ended up being so long, I couldn’t see a good way to split it into smaller posts!]

I am often asked whether I think that publishing the complete source code to the Symbian Platform will result in more security vulnerabilities being exploited by the “bad guys” (Internet fraudsters, malware writers, software pirates, etc.)

The short answer to that is: No. I’m confident that the advantages of collaborative open source development will more than outweigh any disadvantages of potential attackers getting easier access to the implementation details of the Symbian OS security mechanisms. There is however a longer answer explaining why I think that, which is what I’d like to share in this blog post.

Posted in Open Source, Vulnerabilities | 2 Comments »