Mark Wilcox's Forum Nokia Blog

S60 Under-engineered?

2008-08-07T11:45:16+03:00

Having quoted a Nokia employee in my recent blog post, saying that open sourcing S60 was like spreading manure out on a field, I thought I'd share my latest insight with you. I'm reading "Refactoring to Patterns" by Joshua Kerievsky; so far, it's excellent. While I was reading his description of an under-engineered system, S60 immediately sprang to mind - see if you agree:

"...While systems you've worked on may not be so gruesome, it's likely you've done some under-engineering. I know I have. There's simply an overwhelming urge to get code working quickly, and it's often coupled with powerful forces that impede our ability to improve the design of our existing code. In some cases, we consciously don't improve code because we know (or think we know) it won't have a long shelf life. Other times, we're compelled to not improve our code because well-meaning managers explain that our organization will be more competitive and successful if we "don't fix what ain't broke."

Continuous under-engineering leads to the 'fast, slow, slower' rhythm of software development, which goes something like this:

1. You quickly deliver release 1.0 of a system with junky code.

2. You deliver release 2.0 of the system, and the junky code slows you down.

3. As you attempt to deliver future releases, you go slower and slower as the junky code multiplies, until people lose faith in the system, the programmers, and even the process that got everyone into this position.

4. Somewhere during or after release 4.0, you realize you can't win. You begin exploring the option of a total rewrite."

So, first S60 phone released mid-2003 following fast and successful development project. S60 2.0 (2nd Edition) ships in the 4th quarter of 2004, a bit less than 18 months later. S60 3.0 (3rd Edition) ships at the end of the first quarter in 2006, more than 2 years later following a major struggle to add platform security and move to a new Symbian kernel. Will we get the next major release (5th Edition as 4th is skipped, supposedly because 4 is an unlucky number in some cultures) in our hands before 2009? And during this development Nokia are planning to completely switch the development model to open source and are clearly considering starting again, although they don't have time to write a new framework from scratch so they bought Qt!

Is this a fair representation of what's happened? Comments welcome!

Everyone is making a big fuss of the iPhone but it's at step 1 (the 3G version really doesn't add enough to be considered step 2 in my opinion), while S60 is at step 4. Are Apple going to do better, only time will tell.

Of course Joshua Kerievsky suggests a solution to this under-engineering problem - Test-Driven Development (TDD) and continuous refactoring. There are plenty of teams in Nokia and Symbian who are already using these practices. However, there's another issue that prevents major re-design that is specific to open systems - binary and source compatibility guarantees. The developers of the code can't refactor everything they'd like to because they don't actually know who else is using the interfaces and how; they've just promised not to change it. What's the solution to this? It seems the one we're most likely to get is parallel interfaces. Leave the old ones as they are and add new ones alongside them. Only add new features to the new interfaces so that developers eventually have to migrate anyway. This means we end up with an increasingly bloated code-base, carrying the remnants of old releases around almost forever (a bit like Windows really). Is there a better way? Or are all successful systems doomed to follow this course?

I'd love to know your thoughts on this.

Mark

Symbian Signed - a proposal

2008-05-29T22:20:19+03:00

OK, so it's easy to criticise Symbian Signed but they have been improving things. I still think there's further to go so here's my simple proposal for the next step.

I'll call it Free Signed.

Free Signed is just like Express Signed except that it's free and there're no test criteria.

Here are the compromises I'd suggest:

Like Express Signed, you can't access the most sensitive capabilities with it - there really are good reasons why the developers need to be trusted for those.
You still need a publisher ID (or someone with one) to sign your application - without some kind of chain of identity verification there can be no trust, without trust there is no security model.
All applications that go through Free Signed have to have a warning box on installation that says they aren't Symbian Certified, you are installing the application at your own risk and if you have any problems with your device after installation then you should remove the application and/or contact the supplier before contacting your device vendor or network operator. This could be just a text file in the SIS initially but later enforced by the software installer in new device firmware. For the text file option this could be spot checked and anyone omitting it could have their publisher ID blocked.
(Implied by 3) Free Signed is identifiable by the certificate such that software distributors can set a policy on the signing methods that they will allow.

I think this method could replace a lot of the current usage of Open Signed (although I see no reason to remove that option) and could be very useful for freeware and open source, friendly user and public trials for commercial software and also in future, internal projects in large organisations (for whom mobile will become a growing part of their IT strategy).

To really make this work for freeware and open source though we'd need a network of publisher certifiers. I'd suggest one ideal source of those are people who run popular blogs and websites about mobile applications - being able to supply installable copies of free applications could drive more traffic to their sites. They get sent a copy of the application and test it anyway, if they have no major problems with it they can sign it for wider distribution. There may also be other Forum Nokia Champions who are willing to do this and probably some staff at various companies in the Symbian ecosystem who also have a personal interest in the technology.

The key issues would be zero or extremely limited cost and liability for the publisher certifiers. They could sign something to say they would provide their best effort to help track down the originator of any malware or cracked application that they inadvertently sign.

There - a dull post with no links, pictures or videos! Just an idea.

What do you think?

Mark

Application Quality & Numpty Physics

2008-05-24T16:28:42+03:00

In my last post I talked about a smart new S60 application and its implications for Symbian Signing and platform security. I said I'd talk about the other part of Symbian Signing, application quality, in my next post... so here it is already.

My personal opinion is that what is currently Symbian Signed should have absolutely NOTHING to do with application quality. It should be entirely about identity and trust. In addition to this I do believe there should be a signing program that is ALL about application quality. Here's why, the current system basically assumes that there are developers and there are dumb users and nothing in between. There is a quality gate that can actually prevent you from properly distributing many types of application. In the real world there is a sliding scale of user knowledge from the very advanced power-user to those who've never used a computer or smartphone beforeand have no idea what software really is or what it can do. Where those different groups of users discover content is likely to be very different. Software published in some places is unlikely to be found by anyone but the enthusiast - in this way the audience is somewhat self-selecting. On the other hand, the Download client built into Nokia devices and operator portals should only carry content of an appropriate quality - otherwise there are likely to be serious customer service issues.

For open source and freeware developers, very often it is the advanced users that are in fact the alpha and beta testers. You can't really rely on finding them all before you start testing - you just publish your first vaguely usable version and see who wants to play with it and what feedback they give. That's one of the wonders of the internet - it seems there's almost always someone out there who's interested. Release early and often is one of the major practices in the open source world. The current Symbian Signed program and criteria are incompatible with this practice.

Now, to illustrate my point I want to use the example of my new favourite application on the N800 Internet tablet - Numpty Physics. It's based on the concept for the amazing Crayon Physics, here's a video showing the gameplay for the upcoming commercial version of that, Crayon Physics Deluxe:

Numpty Physics is listed as "The pearl" on Maemo.org as I write this (which basically means it's a lot of other people's favourite too) and it's publicly stated that it's only beta quality. In fact I've had it crash so badly I had to take the battery off and also the only way to quit is via the 'q' key which is only available on an N810 - oops. Do I care about these issues - no. I love that I can play it now - I'll like it even more when it's finished. If I had the time and inclination I could get involved and help improve it. If I had to download an unsigned package and submit it to a signing portal would I have installed it and then got excited enough to think about getting involved in the project? Almost certainly not.

And that is really my point. What open source and free software projects need are motivated users and developers to easily access them and give them a quick try.

Signing an application just to enable it to be installed on any device should be both free and without restriction (except some kind of identity/trust chain). I'd be happy to sign other people's open source projects after fairly limited contact with them (because I can see the code after all - I'm not at all so sure about closed source freeware, I'd want to get to know the developer quite well first) if I didn't then have a legal responsibility for any harm they might do. That responsibility has to rest with the end users that choose to install them.

Application quality should be policed at the point of distribution. That can certainly be via a central signing program, it just shouldn't be the same signing program that gates whether on not an application can be installed on a device at all.

What about security for the end users? Well, I think my last post showed that Symbian Signed doesn't really do much about that anyway.

Any thoughts or suggestions?

Mark

Who will guard the guardians?

2008-05-24T14:15:34+03:00

This is a dual purpose post. First I want to highlight the brilliant work of one of my fellow Forum Nokia Champions - Marco Bellino of Symbian Toys fame. His recently released application, Guardian, is really impressive and I strongly recommend downloading it to check it out (and no I'm not getting paid to say so!).

Guardian is a complete security and anti-theft solution for your smartphone. Here are the top features listed on the website:

- Sim Changed notification through Invisible sms
- Password Protection of messaging, gallery, contacts or any other application
- GPS Localization and Tracking through GoogleMaps
- optimized for Low Memory and Battery consumption
- and MUCH more...

So, if someone steals your phone it can keep your personal data safe from access via the phone (it doesn't protect contents of the memory card being viewed in another device of course). If you cancel your subscription and the theif puts a new SIM into the phone then it will send you an SMS (to another number of your choice) telling you the new phone number without any notification on the device. Why would you want to know this? Well it also has some very impressive remote control functionality. You can send SMS messages to the stolen device and access contacts and messages (or delete them) without the new user having any idea this is happening. You can also get the phone to send you its current location - GPS co-ordinates or Cell ID. In the case of phones with GPS that can get a position fix, you even get a link to Google Maps back showing you exactly where your phone is. The application auto-starts and runs invisibly in the background. If you use it to protect itself then no-one can change the settings either.

At the moment the remote control system is a little "techy" (see the user guide on the website for details) but Marco tells me he plans to improve this in the future with a remote control client application of some kind (maybe a Java ME app, or a web interface, or possibly both).

I think this could be an extremely popular application for celebrities and anyone living in an area where phone theft is a big problem. I could also see it being used by parents on their childrens' devices. They can not only track them when they're out longer than they should be but also spy on what messages they're sending and receiving. All a bit "big brother" (no, not the TV show).

What's the most impressive thing about all of this though? It's all been done without using any restricted or device manufacturer capabilities!

When I first tried it out I was convinced it must need TCB capability, or at the very least AllFiles, and possibly also NetworkControl. Having thought about it a little though, I can see how it's all done without them. This means that an application with this kind of functionality can be Express Signed and even distributed unsigned and then Open Signed by users (i.e. no traceability).

This brings me to the second part of my post - the implications of all this for security and Symbian Signing!

Another less benevolent application having this kind of functionality could be the worst kind of malware. It can go through your contacts and send dowload links to itself to all your friends without you knowing. The messages would come from you so they're quite likely to be trusted. It can then delete all your contacts so you can't warn them or just lock you out of all the applications on your device (no reason to give you the option to enter a valid security code in malware). It can also auto-start when you reboot your phone so your only option is likely to be re-flashing the device, otherwise it's a brick. I expect similar malware could also make repeated call setup attempts and thus disrupt the network. It can also send SMS to premium rate services (and probably also hide the reverse billed type coming back) so you don't notice what's happened until you get your bill (or run out of credit). Additionally all of this functionality could be dormant in an otherwise useful application and only triggered by a message that is silently hidden away. Also, what's to stop someone secretly tracking your location (at your expense) in the same way Guardian could be used by a parent?

If all of this can be acheived without the most sensitive capabilities then what exactly is Symbian Signed protecting end users from and how?

Well, to get the widest distribution the malware would need to be Express Signed at least. In that case a Publisher ID is needed and in theory at least it should then be possible to track down the developer. In reality I doubt that serious malware author couldn't find a loophole to get access to a Publisher ID without revealing their real identity. Or disguise their application as something useful and go through a publishing house that has less stringent ID checking than the trust center.

Another possiblity is that Symbian Signed can revoke the certificate - but is that system actually in use? Are there many (any) phones out there that enable a check?

Guardian doesn't tell you about its capabilities when it's installed (although to be fair the user guide spells it out in full) and Symbian Signed no longer requires an application to do so. It seems to me that this signing program is attempting to take some of the resposibility for security away from the end user. Is that really possible? I'm not so sure.

The other feature of Symbian Signed is policing application quality - more about that in my next post...

I think I might be in the market for a trustworthy Symbian anti-virus, or just a program that checks things like auto-start and the capabilities when I install and lets me make a decision about whether I trust the application (developer) enough to let it do what it wants (I don't really want to have to use Marco's SisXplorer on everything I install).

Discussion on this topic is very much encouraged!

P.S. Actually I believe Guardian is technically a Symbian Signed failure. It currently allows the user to protect the Telephone application and when that's in place you can't make emergency calls without entering the security code - a type approval failure for the phone. I wouldn't suggest anything other than leaving Marco to release an update that fixes this though - in the mean time, just don't use the feature.