Software architect working in Symbian/S60 area since 2000 and still being enthusiastic about mobility. Please visit my introduction page on Forum Nokia Champions web page.
Symbian Signed is not an anti-virus software
tote_b5 | 23 May, 2007 16:35
The Register reported today that a new spyware for mobile phones had appeared on the horizon. It's harmful for S60 phones, too, 3rd Edition devices included. And what causes the stir in the water is that it's a Symbian Signed application.
There's a general misconception here, I'm afraid. I think the biggest problem most people don't understand that signing has not much to do with protection against malicious programs. These people don't understand that the process is about signing (surprisingly), i.e. certifying that the application comes from a well-known source. Additionally, in order for an application to be Symbian Signed it must undergo thorough testing being done by independent test houses. Since this application is Symbian Signed, it must have passed those tests.
The problem is that it's impossible to test everything an application can do. It's even possible to acquire for a capability (and get it!) just by saying that the application needs it for a different purpose. As this example shows: I can ask for e.g. NetworkServices capability and say that I need it for remote backup. And then make no mention on the fact that I will use it for other reasons, too. You know, it can be done since no-one checks the source code, it's not part of the approval process for Symbian Signed certification. And it will never be, I suppose, as no-one will ever share their best kept secret (i.e. the source code) with outsiders.
What Symbian (Signed) could do better, though, is that they shouldn't advertise these signed applications as "trusted". Because they aren't. What you can trust, though, is that the author of a Symbian Signed application is accountable. If he/she/they produce a software that proves to contain some malicious code, then they can be "caught" and counter-measures can be taken. What counter-measures? For example, the author's certificate can be revoked and added to a list, called Certificate Revocation List or CRL for short. This list can be always checked upon on-line. For example, when a user is just about to install a 3rd party software whose author is not known (or at least not trusted), the Application Installer can do this cross-verification as part of the installation process. Pretty useful info, isn't it? Worth noting that most users are not aware of this and they have this feature disabled on their phones. Including me, but that's on purpose. :-
Original from mobile-thoughts.blogspot.com.
Just my two cents,
Tote
There's a general misconception here, I'm afraid. I think the biggest problem most people don't understand that signing has not much to do with protection against malicious programs. These people don't understand that the process is about signing (surprisingly), i.e. certifying that the application comes from a well-known source. Additionally, in order for an application to be Symbian Signed it must undergo thorough testing being done by independent test houses. Since this application is Symbian Signed, it must have passed those tests.
The problem is that it's impossible to test everything an application can do. It's even possible to acquire for a capability (and get it!) just by saying that the application needs it for a different purpose. As this example shows: I can ask for e.g. NetworkServices capability and say that I need it for remote backup. And then make no mention on the fact that I will use it for other reasons, too. You know, it can be done since no-one checks the source code, it's not part of the approval process for Symbian Signed certification. And it will never be, I suppose, as no-one will ever share their best kept secret (i.e. the source code) with outsiders.
What Symbian (Signed) could do better, though, is that they shouldn't advertise these signed applications as "trusted". Because they aren't. What you can trust, though, is that the author of a Symbian Signed application is accountable. If he/she/they produce a software that proves to contain some malicious code, then they can be "caught" and counter-measures can be taken. What counter-measures? For example, the author's certificate can be revoked and added to a list, called Certificate Revocation List or CRL for short. This list can be always checked upon on-line. For example, when a user is just about to install a 3rd party software whose author is not known (or at least not trusted), the Application Installer can do this cross-verification as part of the installation process. Pretty useful info, isn't it? Worth noting that most users are not aware of this and they have this feature disabled on their phones. Including me, but that's on purpose. :-
Original from mobile-thoughts.blogspot.com.
Just my two cents,
Tote
General, Symbian C++, Testing |
Next | 
Previous |
Comments (9) | 
Trackbacks (0)
Comments
Re: Symbian Signed is not an anti-virus software
tote_b5 | 24/05/2007, 11:27
You're right, Paul. In any case, it's interesting to be aware of this security hole, namely that you got the permission to use a capability and you use it for a different purpose, too. It's such a security hole, imho, that the current tools and processes cannot eliminate.
Re: Symbian Signed is not an anti-virus software
Paul.Todd | 23/05/2007, 22:28
You just beat me to a post along this lines..The problem is were sold on the idea that Symbian signed was all about protecting people from "nasty" applications, so Nokia do not end up in the Microsoft world...
Personally I think that this has impacted on Symbians credibility as in this day and sage, spyware, malware and virus's are all lumped together and the last thing you want is influential sites saying Symbian is insecure because it supports spyware.
There is also a comment on my blog from one of the alledged vendors that's worth a read
Re: Symbian Signed is not an anti-virus software
tote_b5 | 24/05/2007, 11:29
Absolutely agree, Paul! It's also about Symbian's credibility, as you stated, and they should make protective actions against it.Next time, please, provide the link to your post, too, so that all of us can read it right away. Thanks!
Re: Symbian Signed is not an anti-virus software
mgroeber9110 | 29/05/2007, 09:35
I still think this is a bit different from what one would initially expect under a "Symbian Signed Malware" heading - the reason being that this software only seems to be malicious when installed by a 3rd party onto your phone. And it would be that "evil" 3rd party who would see the "trusted" application message, while they are physically handling the device anyway. Even if the legitimate user had online checking of CRLs enabled, and prohibited installation of unsigned apps, the intruder could still temporarily disable this, regardless of whether the app has been signed or unsigned.
So the question in this case seems to me rather as being whether an application that is suited for damaging someone else (e.g. by sneakily making copies of their handset's data) should be granted Symbian Signed status - the old analogy to the hammer that can be used to kill someone...
ciao marcus
So the question in this case seems to me rather as being whether an application that is suited for damaging someone else (e.g. by sneakily making copies of their handset's data) should be granted Symbian Signed status - the old analogy to the hammer that can be used to kill someone...
ciao marcus
Re: Symbian Signed is not an anti-virus software
tote_b5 | 29/05/2007, 11:14
I agree with what you wrote in the first part of your message, Marcus. However, I see no reason for not giving Symbian Signed status to any applications that MAY behave badly (as they have the power == capability). You know, as far as I understand Symbian Signed is just a term that proves that the application in question has undergone some sort of testing. That's it, nothing more. What people seem not to fully understand, though, is that even though it gives you some guarantee, it will never give you 100% certainty as to the application is absolutely safe to use. It's interesting that although Symbian Signed has never claimed they would give this kind of assurance, people seem to think the opposite.Tote
Re: Symbian Signed is not an anti-virus software
mgroeber9110 | 29/05/2007, 13:03
Actually, I agree with you that the test on whether an application is "moral" or something like that should not really be part of Symbian Signed - but it does bring up the question what exactly Symbian Signed status asserts. At least, it does assert that there is a single binary with an audit trail (who has submitted it), as well as the possibility to scan for it more easily - so it could be seen as a pre-requisite for other methods of protection.
I have actually believed for quite a while that the management and ongoing validation of certificate revocations may be a much stronger business case for the AV vendors than the selling of classic "scanners". The need for "signature-based" scanning is much reduced with Symbian Signed, because there is only a finite number of installable that a locked-down phone can actually run, so in theory you could pick for each of those whether you permit it or not.
Interestingly, I believe that the additional test criteria for Nokia may not have let this application pass unchallenged - maybe because it is at odds with "Nokia values", but definitely because of not having a UI to control an autostarting process.
ciao marcus
I have actually believed for quite a while that the management and ongoing validation of certificate revocations may be a much stronger business case for the AV vendors than the selling of classic "scanners". The need for "signature-based" scanning is much reduced with Symbian Signed, because there is only a finite number of installable that a locked-down phone can actually run, so in theory you could pick for each of those whether you permit it or not.
Interestingly, I believe that the additional test criteria for Nokia may not have let this application pass unchallenged - maybe because it is at odds with "Nokia values", but definitely because of not having a UI to control an autostarting process.
ciao marcus
not really
realpro | 02/11/2007, 06:45
Good example that NetworkServices... It is a user-grantable. No need to explain why you use it.
no sir, i don't agree
Malone | 09/11/2007, 00:30
F-secure talked about Flexispy 2 days after Flexispy domain was bought, EVEN before their software was already available.
Now symbian sign it officialy, and you want us to believe it's all coincidence.
In that case why are they rejecting all others software who have proven to be dedicated to parental control over child activity, i could wrote a book about it ! there is MOON LIGHT MONEY under the table !
Who am I?
Software architect working in Symbian/S60 area since 2000 and still being enthusiastic about mobility. Please visit my introduction page on Forum Nokia Champions web page.
Calendar
Recently...
- Silicon Valley doesn't respect Nokia
- Brief status report about smartphone market, mid-2008
- Symbian and Nokia wrestling about voting rights?
- Static vs active application icons
- Cross-platform development
- Collection of great materials on Symbian going open-source
- Browser as an application platform
- iPhone for 1 Euro?
- Pay or not to pay for incoming calls and messages?
- Nokia stirs water with mobile Linux
Categories
- Symbian Foundation [3]
- Nokia [3]
- Android [3]
- Linux [5]
- Development [6]
- Innovation [1]
- Symbian [7]
- Windows Mobile [6]
- Platform Security [2]
- iPhone [7]
- UI [2]
- Mobile OS [11]
- Testing [3]
- Symbian C++ [11]
- Series 80 [0]
- Series 40 [0]
- S60 [13]
- Python [0]
- Open C [1]
- Messaging [0]
- Location Based Services [1]
- Java [3]
- General [16]
- Games [0]
- Flash [1]
- Event [5]
- Entertainment [0]
- Enterprise [2]
- Connectivity [2]
- CDMA [0]
- Business Opportunities/Services [16]
- Browsing [4]
Re: Symbian Signed is not an anti-virus software
coultonp | 23/05/2007, 16:47
Seems that this story is the evolution of our previous discussion after the F-Secure announcement and shows how these things propagate through the web. As you say the signing is based on a set of criteria and if the developers have been open about what it does (as appears to be so from their advert) its very questionable whether it should be denounced as spyware in the normal sense.