Risto Helin's Forum Nokia Blog

Why would you need PowerMgmt or TrustedUI capabilities?

Wed, 18 Nov 2009 14:22:26 +0200

I know two reasons: Because you did not want to check the set of capabilities your application actually needs you selected all 13 that you can get through Express Signed. AND you have a DLL which you load to a system process so your applications needs All-TCB (all except TCB capability).

But which are the true reasons? Which are the APIs/features that you use and require PowerMgmt and/or TrustedUI?

Why do I need manufacturer capabilities?

Tue, 29 May 2007 16:10:05 +0300

Have you noted a new wiki entry?

http://wiki.forum.nokia.com/index.php/Sensitive_Applications

It's all about where sensitive capabilities are needed and types of applications which have actually received the capabilities. Do you think such information is useful?

Risto

APIs vs. Capabilities relaxing the security?

Fri, 09 Mar 2007 10:15:05 +0200

Have you noticed an interesting discussion thread: http://discussion.forum.nokia.com/forum/showthread.php?t=103255? We are seeking things which you have noticed in the areas of APIs placed behind weird capabilities or too strong capabilities. If you have come accross with such then the information with:

a) What API?
b) Why do you think that the capability required to use this API should be relaxed?
c) What in your view would be a reasonable capability for the API?

SSL certificates in S60 3.0

Fri, 16 Feb 2007 13:32:55 +0200

There has been some discussion in various forums about how to install a SSL certificate to S60 3.0 device. I asked around and I'm planning on creating a short document around the subject. But first the quick way of sharing information - a blog! I hope this will provide some clarity to the subject.

An SSL certificate can be used for different purposes:

Authenticating client to server (e.g. SSL/TLS client authentication)
Authenticating server during SSL/TLS handshake

Using client certificates to authenticate a user
S60 only allows importing personal certificates and associated keys from .p12 files. The certificate must be a general X.509 certificate which is DER encoded. Private key and certificate file are to be packaged into a PKCS 12 package (.p12 format). The file can then be imported to the device, for example by using file transfer.

Using the certificate to authenticate a web server
The certificate must be a general X.509 certificate which is DER encoded. In order to be able to import certificate, it must be recognized as a CA certificate to make it work.

If certificate is not recognized as a CA certificate (meaning that key usage is not CertSigning and BasicConstrains doesn’t indicate that it is not a CA certificate), then you need to follow these steps

Using a web server:
1. Copy the certificate file to Web server
2. Set the MIME type for the directory where the certificate is as application/x-x509-ca-cert
3. Use the web browser in the S60 device to browse the certificate
4. Import the certificate

Why to fail Symbian Signed

Thu, 11 Jan 2007 23:57:02 +0200

See what Symbian has listed:
http://developer.symbian.com/wiki/display/sign/Common+causes+for+failure+during+the+Symbian+Signed+Test+Process

What do you think? Are you having the same experiences?

Certificates and validity periods

Tue, 12 Dec 2006 09:33:01 +0200

Have you noticed the validity period of different certificates? If you create a certificate with makekeys it is valid for a year. A Symbian DevCert is valid for a half a year. ID certificates (like the VeriSign ACS Publisher ID) are commonly valid for a year.

This brings in interesting scenarios: imagine that the ID certificate has expired but with it you use a valid devcert to sign a SIS... It should not install. What about the self made keys used with themes...

Please be careful with the expiration dates!

PS. You can see them easily in Windows by double clicking the cer-file.

Starting the application at device boot

Fri, 17 Nov 2006 09:25:51 +0200

Latest news!

I recently came accross with knowledge that using recognisers to start your application at the start up may make a S60 3rd edition phone a vegetable. This happens in totally random order, so I don't recommend on testing it. Well, starting up an application at device boot with recognisers is not supported feature in S60 3rd edition anyways. Besides if you happen to get it working, in some devices the applications will only be started when they are needed and then closed after they are not needed anymore. This is quite random as well.

There is a better way of doing it: Startup List Management API. That is supported by S60 3rd edition and will do the job. It will assure that the device will continue being it's happy self and not a vegie.

Symbian Developer Certificates changed

Fri, 17 Nov 2006 09:16:27 +0200

Some changes happening! Symbian has loosened the requirements in the Symbian Developer Certificates. Now a developer can also access ReadDeviceData, WriteDeviceData and TrustedUI without the VeriSign ACS Publisher ID for one IMEI (device).

An other improvement is the number of IMEIs. With the ACS you can now access up to 100 IMEIs. Don't forget, you need to have the latest DevCert Request tool (available at www.symbiansigned.com) to use the improvements.

Naturally with justification you can access more IMEIs than the 100. And by using the Capability Request form (available at www.symbiansigned.com) you can access the sensitive capabilities (AllFiles, CommDD, DiskAdmin, MultimediaDD, NetworkControl, TCB and DRM). So that has not changed, however we have speeded up our internal process on dealing with the capabilities.

Btw, I held a webinar about the PlatSec & Symbian Signed, its available for download at: www.forum.nokia.com/platformsecurity.

MTMs

Tue, 07 Nov 2006 13:50:56 +0200

MTM, an other abbreviation to learn. This time it means a Message Type Module. In S60 3rd edition I have herd of two of them:

1. Server-side MTM, the application is visible in the Messaging UI - nice feature for a e-mail client
2. Client-side MTM, the application is visible in the "Send via" menu in system applications - nice if someone actually uses that when sending stuff over e-mail. Personally I use the "attach" feature. Sending stuff over BT/IR is a different story...

The difference here is that the Server-side MTMs need the following capabilities:
ReadDeviceData, WriteDeviceData, ProtServ, NetworkControl, NetworkServices, LocalServices, DiskAdmin and ReadUserData.

Where as with Client-side All-TCB is required.

In otherwords with Server-side MTMs a technical justification is enough, but with Client-side MTMs we need a legal agreement.

Installing untrusted application requiring capabilities to S60 3rd edition

Tue, 31 Oct 2006 15:57:42 +0200

I found a freeware game S-Tetris 2, being an old fan of the game I just got to have it. So off from download to installation, SIS file in and installation started. The application was not trusted so I paid attention to what was my E61 going to say about it.

"...untrusted and may be harmful to you phone" good enough. Additional information shared bit information about why the message was shown. So all about origin not verified etc.

Moving on, I got to have the game so. The next message raised my hair up: "Allow application to: Use network or make phone calls.", now I got concerned, why would this application need such functionalities!

I selected the additional details to check what it had. There was clear explanation of each possible option the user may have and at the end: "Only allow the application to use the requested functions if you know the supplier and trustworthiness of the application.", I don't know Elements Interactive B. V. But decided to trust them and finalised the installation.

When starting the game I realised why the network connection was needed. Uploading the highscores naturally...

So, I guess I'm safe, all information was provided by the device and my device I trust. This is a way to get few capabilities (LocalServices, UserEnvironment, NetworkServices, ReadUserData, WriteUserData) for your application. However it may add few heart beats to users reading information on how to use the mobile devices securely (http://www.ficora.fi/mobiiliturva/english/index.html).