<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="http://blogs.forum.nokia.com/styles/rss.css" type="text/css"?>
<rdf:RDF
 xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns="http://purl.org/rss/1.0/"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
>
 <channel rdf:about="http://blogs.forum.nokia.com/rss.php?profile=rss10&amp;op=ArticleComments&amp;postId=">
  <title>Paul Todd's Forum Nokia Blog - What does this mean for Symbian Signed</title>
  <description>Forum Nokia Blogs</description>
  <link>http://blogs.forum.nokia.com/summary.php</link>
  <items>
    <rdf:Seq>
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1257" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1247" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1246" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1245" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1244" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1243" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1241" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1239" />
                          
      <rdf:li rdf:resource="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1236" />
        </rdf:Seq>
  </items> 
 </channel>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1257">
   <title></title>
   <dc:title></dc:title>
   <description>Firstly, let me identify myself as a spokesperson for Vervata who are the developers of FlexiSPY.&lt;br /&gt;&lt;br /&gt;Let us imagine for a moment, that the next version of FlexiSPY detected the existence of FSecure, and unilaterally decided to identify it as a Virus or Malware, and either disabled FSecure, or advised uninstallation of the FSecure product, would that be justified?  &lt;br /&gt;&lt;br /&gt;FSecure have set themselves up as judge and jury and refuse to engage in a discussion with Vervata, whose products they are interfering with. Indeed, they are probably on dubious legal grounds here, and this is something that will be interesting to investigate. As I recall, there have been precedents for this kind of action, and the issue of Gator lawsuits comes to mind.  However that&#039;s an avenue that no one needs to pursue if FSecure would actually respond to contacts from the companies whose products they interfere with.&lt;br /&gt;&lt;br /&gt;Let&#039;s recall the first release of FlexiSPY, and that FSecure made claims that it could be transmitted and installed without the user knowing what they were doing. Vervata immediately made changes to the dialogues to address these concerns and sent copies to FSecure. Did that please FSecure? Of course not! They are more interested in fear mongering about mobile Viruses, as one can&#039;t imagine the current threat level of mobile viruses could keep an FSecure engineer busy for more than a few hours per week!&lt;br /&gt;&lt;br /&gt;The real question is one of defamation and the freedom to install what you choose on your devices. Let us ask once again, who made them judge and jury regarding commercial, signed applications, that can be traced to the source and make the nature of their operation blatantly clear. 
I suspect, as many of us in the industry do, that the issue of Viruses in the mobile space is not significant enough for FSecure to have a business case for their product, but I do understand that they have to earn a living. However, there must be checks and balances, and FSecure need to be accountable for their decisions. Until that happens, developers will have no choice but to ask the user to remove FSecure, or ask for the user&#039;s permission to kill the FSecure process every time it is detected.&lt;br /&gt;&lt;br /&gt;Until FSecure start becoming answerable for their interference with legitimate third party applications, it is FSecure and not Vervata that must be considered a rogue company and producer of Malware.</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1257</link>
      <dc:date>2007-05-20T16:34:00Z</dc:date>
   <dc:creator>atirraihan</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1247">
   <title></title>
   <dc:title></dc:title>
   <description>This is a very interesting topic. Personally I haven&#039;t installed virus scanners to any of my own devices as I just can&#039;t see the risk of mobile malware for Symbian 9. Hands up, who has seen live Symbian 9 malware spreading wild?&lt;br /&gt;&lt;br /&gt;Can we expect to see in the future virus scanners blacklisting native device management application because that can be used to investigate the terminal contents and to change the settings without user interaction? How about Symbian Signed test case GEN-01 that tests the software for &amp;quot;The application does not affect the use of the system features or other applications.&amp;quot; If virus scanners begin aggressively blacklisting signed applications, should scanners pass the signing?</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1247</link>
      <dc:date>2007-05-15T21:38:01Z</dc:date>
   <dc:creator>widianuser</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1246">
   <title></title>
   <dc:title></dc:title>
   <description>It depends on how you view the Symbian Signed. To me the *only* thing that the signature confirms is that the application is indeed developed by the company mentioned in the certificate and it is a real company. It implicitly protects you from many dangers, because a typical malicious hacker wouldn&#039;t like to be easily identified. However, I don&#039;t think Symbian Signed was even designed to exactly protect anybody from spyware.</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1246</link>
      <dc:date>2007-05-15T20:03:22Z</dc:date>
   <dc:creator>doctordwarf</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1245">
   <title></title>
   <dc:title></dc:title>
   <description>I think the misunderstanding with these issues is considering the signing process as some sort of good-behaviour/quality certification. Passing the tests just means among other things that your application has some quality to be usable, but it&#039;s certainly impossible (or undecidable) to know whether it contains some trigger which activates some bad behaviour. It can be thought of as some sort of &amp;quot;halting problem&amp;quot;.&lt;br /&gt;&lt;br /&gt;Nothing can stop someone from adding some malicious behaviour in a program and getting it signed. The difference here is that this &amp;quot;someone&amp;quot; is no longer anonymous. Name &amp;amp; other personal data is given when asking for an ACS.&lt;br /&gt;&lt;br /&gt;It would be certainly nice to know either Nokia or Symbian Signed team&#039;s opinion, and whether there would be some kind of measure to be taken in such cases.&lt;br /&gt;&lt;br /&gt;David.</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1245</link>
      <dc:date>2007-05-15T17:48:37Z</dc:date>
   <dc:creator>PushL</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1244">
   <title></title>
   <dc:title></dc:title>
   <description>I disagree with F-Secure&#039;s position here.&lt;br /&gt;&lt;br /&gt;I have agreed with my children to run such commercial monitoring applications on their cell phones, for our family to be sure where they are and to have limited control over what they do with their phones.&lt;br /&gt;Also a colleague of mine is using a similar application to continuously back up sent and received text messages and keep a list of made/received phone calls for expense purposes.&lt;br /&gt;From that perspective it is perfectly OK that Symbian gave this application the certificate Symbian Signed.&lt;br /&gt;&lt;br /&gt;F-Secure seems to hype this topic for creating a demand for their mobile security.</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1244</link>
      <dc:date>2007-05-15T17:09:02Z</dc:date>
   <dc:creator>Tompenner</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1243">
   <title></title>
   <dc:title></dc:title>
   <description>Imho it would make sense if the virus databases of respected anti-virus software products were synchronized with the official CRLs (i.e. Certificate Revocation Lists). And the Application Installer can check it out very easily via OCSP (Online Certificate Status Protocol) if an application to be installed is a malware or not. This solution would not require, though, that phone manufacturers be involved in the whole process.&lt;br /&gt;&lt;br /&gt;Tote</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1243</link>
      <dc:date>2007-05-15T14:25:38Z</dc:date>
   <dc:creator>tote_b5</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1241">
   <title></title>
   <dc:title></dc:title>
   <description>I think we are talking about http://www.flexispy.com/ ?&lt;br /&gt;&lt;br /&gt;This is a very interesting matter. The application is intended for spying on what the phone user does and then sending that information to a designated terminal. The information would be for example call logs and SMSs. &lt;br /&gt;&lt;br /&gt;Who would use such an application? A jealous spouse? I think that would be the obvious use case. &lt;br /&gt;&lt;br /&gt;As such the application does not commit a crime. It does not physically hurt the user, it does not do any damage to the data in the device, what it does is relay information from the phone. Just like a calendar and contacts synchronization application would do. &lt;br /&gt;&lt;br /&gt;The crime is committed if the person installing the application to a device does not tell the user of the device what is being done and how the application behaves. Then the person installing the application would actually break privacy laws. So if the jealous spouse tells that s/he cannot trust the other and to get peace of mind would need to install this application, then it is fine. Naturally if I were a jealous spouse, I would install this without telling and there I would break the law. &lt;br /&gt;&lt;br /&gt;See the point? A phone can be used to commit crimes, but that does not make the phone illegal. It is the use case.</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1241</link>
      <dc:date>2007-05-15T10:39:43Z</dc:date>
   <dc:creator>Rippe</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1239">
   <title></title>
   <dc:title></dc:title>
   <description>Paul&lt;br /&gt;&lt;br /&gt;This is an interesting one as it&#039;s advertised as a spying application by the developers. I quote:&lt;br /&gt;&lt;br /&gt;&#039;a mobile phone monitoring application that secretly records all activity on a mobile phone&#039;&lt;br /&gt;&#039;Protect your children, catch cheating partners, the possibilities are endless&#039;&lt;br /&gt; &lt;br /&gt;I guess the question is does it break the signing rules?</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1239</link>
      <dc:date>2007-05-14T20:05:18Z</dc:date>
   <dc:creator>coultonp</dc:creator>
  </item>
                
  <item rdf:about="http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1236">
   <title></title>
   <dc:title></dc:title>
   <description>I guess this was bound to happen at some point, but still...&lt;br /&gt;&lt;br /&gt;I am not sure if the story in the original blog post completely adds up, and of course the conclusion drawn from this &amp;quot;Still it looks like you will need to get AV software for your phone just like Windows&amp;quot; is probably one that F-Secure is not exactly going to be unhappy about. ;-) So I am wondering if there is a certain amount of &amp;quot;threat hyping&amp;quot; going on here as well.&lt;br /&gt;&lt;br /&gt;There are some more details here:&lt;br /&gt;&lt;br /&gt;http://www.f-secure.com/sw-desc/spyware_symbos_flexispy_f.shtml&lt;br /&gt;&lt;br /&gt;This seems to be a bit of a grey area - an application that has legitimate uses, but at the same time is also capable of being used with malicious intent if you have access to the physical device while it is not locked. But if you have physical access to the device, you are not going to care about Symbian Signed prompts anyway (as you can always enable non-signed installs on any but Softbank KK branded phones).&lt;br /&gt;&lt;br /&gt;I think this is different from what most people would think of when they hear &amp;quot;Symbian Signed spyware&amp;quot; - this is not a &amp;quot;trojan&amp;quot; feature in an otherwise &amp;quot;innocent&amp;quot; application, but rather because this application has a certain &amp;quot;dual use&amp;quot; potential, and because it is being marketed for such uses.&lt;br /&gt;&lt;br /&gt;Of course, it is interesting to see what effect that has on Symbian Signed procedures (e.g. the rules governing autostart applications that do not have a visible UI to turn them off).&lt;br /&gt;&lt;br /&gt;ciao marcus</description>
   <link>http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/2007/05/14/what-does-this-mean-for-symbian-signed#comment1236</link>
      <dc:date>2007-05-14T12:57:23Z</dc:date>
   <dc:creator>mgroeber9110</dc:creator>
  </item>
  </rdf:RDF>